
Alternate PowerShell Hosts - PowerShell Module

Sigma Rules

Summary
This rule looks for PowerShell being driven by a host other than the standard `powershell.exe` process, which is what most process-name-based monitoring keys on. It works on PowerShell Module Logging events (the `ps_module` log source, Event ID 4103 in the Microsoft-Windows-PowerShell/Operational log, which requires Module Logging to be enabled) and inspects the `ContextInfo` field, where the logging engine records the host application that loaded the PowerShell engine. Every module-logging event is selected, and events whose `ContextInfo` matches the filters for `powershell.exe`, `sdiagnhost.exe`, `ConfigSyncRun.exe`, `dsac.exe` and `wsmprovhost.exe` are dropped; whatever remains is PowerShell running under a host not typically associated with direct PowerShell execution, which is one way an attacker evades detections that only watch for the interpreter binary. The level is medium because legitimate applications and scripts that embed the PowerShell engine without invoking a dedicated interpreter produce the same events; the author lists these as expected false positives, so hits should be triaged against the recorded host application rather than treated as confirmed malicious activity.
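The following is an added example, not code from the Sigma project or the rule's author. It replays the rule's logic over a few constructed Event ID 4103 `ContextInfo` blocks: every module-logging event is selected, then dropped if `ContextInfo` contains one of the five filtered host strings (the page describes these as filters on `ContextInfo`; treating them as case-insensitive substring matches is an assumption here). It also adds a stricter variant, which is this example's own idea and not part of the rule, that compares only the file name of the host executable so that a foreign host cannot escape the filter simply by mentioning `powershell.exe` on its own command line. The sample events, paths and host names are constructed for the demonstration.

```python
"""Replay the 'Alternate PowerShell Hosts' logic over constructed 4103 ContextInfo blocks."""
import re

# Host strings the rule filters out of ContextInfo (taken from the rule summary).
# Matching is by substring, so a full path in a real event still hits a bare file name.
FILTERED_HOSTS = (
    "powershell.exe",
    "sdiagnhost.exe",
    "ConfigSyncRun.exe",
    "dsac.exe",
    "wsmprovhost.exe",
)

# Module logging writes a "Host Application = <command line>" line inside ContextInfo.
HOST_APP_RE = re.compile(r"^\s*Host Application = (.*?)\s*$", re.MULTILINE)


def host_application(context_info: str) -> str:
    """Return the 'Host Application' value from a 4103 ContextInfo block, or '' if absent."""
    m = HOST_APP_RE.search(context_info)
    return m.group(1) if m else ""


def host_executable(context_info: str) -> str:
    """Return the lower-cased file name of the host executable (first token of Host Application)."""
    app = host_application(context_info)
    if not app:
        return ""
    if app.startswith('"'):  # quoted path, possibly containing spaces
        end = app.find('"', 1)
        exe = app[1:end] if end > 0 else app[1:]
    else:
        exe = app.split()[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def matches_rule(context_info: str) -> bool:
    """Sigma-style evaluation as the page describes it: the event is selected unless
    ContextInfo contains (case-insensitively) any of the filtered host strings."""
    ci = context_info.lower()
    return not any(h.lower() in ci for h in FILTERED_HOSTS)


def matches_strict(context_info: str) -> bool:
    """Added stricter variant (not the Sigma rule): only the host executable's file name
    is compared, so an unknown host cannot be filtered away by embedding 'powershell.exe'
    in its own arguments."""
    exe = host_executable(context_info)
    return exe != "" and exe not in {h.lower() for h in FILTERED_HOSTS}


def run_detection(events, strict=False):
    """Return (event id, host application) for every event the chosen logic flags."""
    check = matches_strict if strict else matches_rule
    return [(e["id"], host_application(e["ContextInfo"]))
            for e in events if check(e["ContextInfo"])]


def _ctx(host_name: str, host_app: str) -> str:
    """Build a constructed ContextInfo block in the layout module logging uses."""
    return (
        "        Severity = Informational\r\n"
        f"        Host Name = {host_name}\r\n"
        "        Host Version = 5.1.19041.1\r\n"
        f"        Host Application = {host_app}\r\n"
        "        Engine Version = 5.1.19041.1\r\n"
        "        Command Name = Get-Process\r\n"
    )


# Constructed sample events: two legitimate hosts, one alternate host, and one alternate
# host that names powershell.exe in its arguments to slip past a substring filter.
SAMPLE_EVENTS = [
    {"id": 1, "ContextInfo": _ctx("ConsoleHost",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile")},
    {"id": 2, "ContextInfo": _ctx("ServerRemoteHost",
        r"C:\Windows\system32\wsmprovhost.exe -Embedding")},
    {"id": 3, "ContextInfo": _ctx("Default Host",
        r"C:\Tools\customhost.exe -run payload")},
    {"id": 4, "ContextInfo": _ctx("Default Host",
        r"C:\Tools\customhost.exe -mimic powershell.exe")},
]


if __name__ == "__main__":
    for label, strict in (("sigma rule", False), ("strict variant", True)):
        print(label)
        for eid, app in run_detection(SAMPLE_EVENTS, strict=strict):
            print(f"  event {eid}: {app}")
```

Run as a script it prints the flagged events for both evaluations: the rule as described flags only event 3, because event 4 contains the literal `powershell.exe` and is filtered with it; the stricter file-name comparison flags events 3 and 4. When triaging real hits, the `Host Application` line is the value to pivot on, since it names the binary that actually loaded the engine.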
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Application Log
Created: 2019-08-11