
Summary
This detection rule identifies PowerShell launched with a hidden console window, an evasion technique threat actors use to run malicious scripts or commands without drawing the user's attention. Passing `-WindowStyle hidden` on the powershell.exe (or pwsh.exe) command line suppresses the console window, so the script executes in the background with no visible indicator. Note that powershell.exe resolves its switches by unambiguous prefix, so `-w hidden`, `-win hidden` and `-windo hidden` are equivalent to `-WindowStyle hidden`, and the value is matched case-insensitively; a rule that looks only for the literal string `-WindowStyle hidden` is trivially bypassed. Legitimate administrators and scheduled maintenance jobs also use this option, so the signal is strongest in environments where such use is not expected, and tuning on parent process, user and script path is needed to keep false positives manageable.

The detection is implemented in Splunk over endpoint process-creation data. It matches the command-line arguments of PowerShell invocations in which the window style is set to hidden, using a regular expression so that the accepted command structure is defined precisely rather than by a loose substring match. The rule maps to the atomic test for T1564.003 (Atomic Red Team), which security teams can run to validate that it fires in their environment. Command-line capture in process creation logs (for example Sysmon Event ID 1, or Windows Security Event ID 4688 with command-line auditing enabled) and PowerShell script block logging are prerequisites for identifying this evasion reliably.
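The matching logic described above, run over a handful of constructed process-creation events, as an added example that is not part of the detection rule's own Splunk content. The regular expression accepts every prefix of `-WindowStyle` that powershell.exe itself accepts, tolerates `/` as the switch prefix and a quoted value, and is scoped to the PowerShell host image so that a launcher whose command line merely contains the string does not fire. The event fields, user names, paths and command lines are all hypothetical.

```python
import re

# Every unambiguous prefix of the -WindowStyle parameter name. powershell.exe
# resolves switches by shortest unique prefix, so "-w hidden" and "-win hidden"
# behave exactly like "-WindowStyle hidden". Longest alternative first.
_PARAM = "windowstyle"
_PARAM_ALTS = "|".join(_PARAM[:n] for n in range(len(_PARAM), 0, -1))

# Case-insensitive; accepts "-" or "/" as the switch prefix, any run of
# whitespace before the value, and an optionally quoted value.
HIDDEN_WINDOW_RE = re.compile(
    rf"(?i)(?:^|\s)[-/](?:{_PARAM_ALTS})\s+[\"']?hidden\b"
)

# Scope to PowerShell hosts so the rule fires on the PowerShell process itself,
# not on a launcher (cmd.exe, schtasks.exe, wscript.exe) whose command line
# only contains the string. The PowerShell launch it triggers is caught later.
PS_IMAGE_RE = re.compile(r"(?i)(?:^|[\\/])(?:powershell|pwsh)\.exe$")

# Constructed Sysmon Event ID 1 style events; not telemetry from any real host.
SAMPLE_EVENTS = [
    {   # 0: classic hidden-window launch from a user's cmd.exe (should match)
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "User": "CORP\\alice",
        "CommandLine": r"powershell.exe -NoProfile -WindowStyle hidden -ExecutionPolicy Bypass -File C:\Users\Public\update.ps1",
    },
    {   # 1: abbreviated switch; a literal "-WindowStyle hidden" match misses this (should match)
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "User": "CORP\\alice",
        "CommandLine": r"powershell -nop -w hidden -File C:\Users\Public\stage2.ps1",
    },
    {   # 2: pwsh.exe from a scheduled task, mixed case (matches; a tuning candidate)
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "User": "NT AUTHORITY\\SYSTEM",
        "CommandLine": r'"C:\Program Files\PowerShell\7\pwsh.exe" -Win Hidden -File C:\ProgramData\Backup\nightly.ps1',
    },
    {   # 3: visible window; the switch is present but the value is not hidden (no match)
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "User": "CORP\\bob",
        "CommandLine": r"powershell.exe -WindowStyle Normal -File C:\Tools\inventory.ps1",
    },
    {   # 4: schtasks registering a task; string present, image is not PowerShell (no match)
        "Image": r"C:\Windows\System32\schtasks.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "User": "CORP\\alice",
        "CommandLine": r'schtasks /create /tn Updater /sc onlogon /tr "powershell -w hidden -File C:\Users\Public\update.ps1"',
    },
    {   # 5: unrelated process (no match)
        "Image": r"C:\Windows\explorer.exe",
        "ParentImage": r"C:\Windows\System32\userinit.exe",
        "User": "CORP\\bob",
        "CommandLine": r"C:\Windows\Explorer.EXE",
    },
]


def is_hidden_window_powershell(event: dict) -> bool:
    """True when the event is a PowerShell host started with a hidden window."""
    return bool(
        PS_IMAGE_RE.search(event.get("Image", ""))
        and HIDDEN_WINDOW_RE.search(event.get("CommandLine", ""))
    )


def detect(events):
    """Return (index, event) pairs that fire, i.e. the rows the search would return."""
    return [(i, e) for i, e in enumerate(events) if is_hidden_window_powershell(e)]


if __name__ == "__main__":
    for i, e in detect(SAMPLE_EVENTS):
        print(f"[{i}] user={e['User']} parent={e['ParentImage']}")
        print(f"    {e['CommandLine']}")
```

The same pattern can be dropped into Splunk's `regex` command, which uses PCRE syntax and honours the `(?i)` flag; the generated alternation is equivalent to the nested form `w(?:i(?:n(?:d(?:o(?:w(?:s(?:t(?:y(?:le?)?)?)?)?)?)?)?)?)?`. Event 2 is the kind of hit the summary warns about: a SYSTEM-launched backup script is legitimate in many environments, and it is the parent image, user and script path, not the switch, that separate it from the first two events.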
Categories
- Endpoint
- Windows
Data Sources
- Process
- Logon Session
- Application Log
ATT&CK Techniques
- T1564.003
- T1059
- T1564
Created: 2025-04-11