Powershell Store File In Alternate Data Stream

Sigma Rules

Summary
This detection rule identifies PowerShell scripts that use Alternate Data Streams (ADS) to store files, a technique used by malware such as Astaroth. The rule works by monitoring PowerShell script block logging for commands that indicate a file operation directed at an ADS: specifically, use of the `Start-Process` cmdlet together with parameters that redirect output into an Alternate Data Stream. Because ADS can hide data or malware from ordinary file system inspection, detecting this activity is important for endpoint security.
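To make the detection logic concrete, the following is an added example (not the rule's own Sigma source and not from the site hosting it) that applies the same two conditions to script block log text: the block must invoke `Start-Process`, and it must contain a `>` or `>>` redirect whose target has the `file:stream` form of an ADS. The regex, the helper names (`find_ads_redirect`, `matches_rule`, `scan`) and the sample log entries are all constructed for illustration; the drive-letter colon is consumed first so that an ordinary path such as `C:\temp\out.txt` is not mistaken for a stream.

```python
import re
from typing import Optional

# Constructed sample script block texts (the ScriptBlockText field of a
# PowerShell 4104 event). These are not real telemetry.
SAMPLE_SCRIPT_BLOCKS = [
    # 0: benign Start-Process, no redirection at all
    r'Start-Process -FilePath "notepad.exe" -ArgumentList "C:\temp\notes.txt"',
    # 1: Start-Process launching cmd.exe and redirecting into an ADS
    r'Start-Process -FilePath "$env:comspec" -ArgumentList "/c echo data > C:\Users\Public\desktop.ini:hidden.txt"',
    # 2: benign redirect to a regular file (only a drive-letter colon)
    r'Start-Process -FilePath cmd.exe -ArgumentList "/c dir > C:\temp\out.txt"',
    # 3: ADS attached to a directory, appended with >>
    r'Start-Process cmd.exe -ArgumentList "/c type C:\temp\a.bin >> C:\temp:stage.bin" -WindowStyle Hidden',
    # 4: ADS redirect without Start-Process: outside this rule's scope
    r'cmd /c echo hello > C:\temp\a.txt:s.txt',
]

START_PROCESS = re.compile(r"\bStart-Process\b", re.IGNORECASE)

# A redirect operator followed by <path>:<stream>. The optional "X:" drive
# prefix is matched first so it cannot be taken as the ADS separator, and the
# stream group excludes \ / : because NTFS stream names cannot contain them.
ADS_REDIRECT = re.compile(
    r'>{1,2}\s*"?((?:[A-Za-z]:)?[^\s"<>|:]+):([^\s"<>|:\\/]+)'
)


def find_ads_redirect(script_block: str) -> Optional[tuple[str, str]]:
    """Return (file_path, stream_name) if the block redirects into an ADS."""
    m = ADS_REDIRECT.search(script_block)
    if not m:
        return None
    path, stream = m.group(1), m.group(2)
    # PowerShell scope/provider references such as $env:TEMP are not ADS paths.
    if path.startswith("$"):
        return None
    return path, stream


def matches_rule(script_block: str) -> bool:
    """Both conditions of the rule: Start-Process plus a redirect into an ADS."""
    return bool(START_PROCESS.search(script_block)) and find_ads_redirect(script_block) is not None


def scan(script_blocks):
    """Return (index, (path, stream)) for every block the rule would flag."""
    return [(i, find_ads_redirect(b)) for i, b in enumerate(script_blocks) if matches_rule(b)]


if __name__ == "__main__":
    for idx, (path, stream) in scan(SAMPLE_SCRIPT_BLOCKS):
        print(f"block {idx}: Start-Process redirecting into ADS {path}:{stream}")
```

Running the block flags entries 1 and 3 only: entry 2 redirects to a normal file, and entry 4 writes to an ADS but never calls `Start-Process`, so it falls outside what this particular rule is meant to catch and would need a separate rule.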
Categories
  • Windows
Data Sources
  • Script
  • Process
ATT&CK Techniques
  • T1564.004
Created: 2021-09-02