
Summary
Detects CrowdStrike Real Time Response (RTR) script execution on Windows endpoints by identifying a PowerShell process (powershell.exe) running an encoded command via RTR. The detection correlates a PowerShell invocation (-Version 5.1 -s -NoLogo -NoProfile -EncodedCommand) with a dllhost.exe parent and the CrowdStrike RTR Process GUID {BD07DDB9-1C61-4DCE-9202-A2BA1757CDB2}, indicating a runscript operation.

The query aggregates from Endpoint.Processes via the CIM data model, based on data from Sysmon EventID 1 and CrowdStrike ProcessRollup2, requiring complete command-line and process metadata. When matched, it surfaces process information (process_name, path, hash, user, dest, etc.) for investigation and emits a risk object for the destination (score 20) and a threat object for the RTR parent process. MITRE ATT&CK mapping: T1059.001 (PowerShell).

Known false positives include legitimate RTR administration; mitigate by restricting RTR usage to approved users/scripts and adding contextual filters. Drilldown queries enable viewing per-user/destination results and related risk events.
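The correlation described above (powershell.exe with the listed switches, a dllhost.exe parent, and the RTR Process GUID in the parent command line), re-implemented as a stand-alone Python matcher over constructed sample events. This is an added example, not the Splunk query or any CrowdStrike code; field names follow the Endpoint.Processes data model, and the `/Processid:{GUID}` form of the dllhost.exe parent command line is an assumption for the sample data.

```python
import re

# CrowdStrike RTR Process GUID quoted in the detection summary.
RTR_GUID = "{BD07DDB9-1C61-4DCE-9202-A2BA1757CDB2}"
# Switches the detection expects on the PowerShell command line (besides -Version 5.1).
SINGLE_FLAGS = {"-s", "-nologo", "-noprofile", "-encodedcommand"}

def has_rtr_switches(cmdline: str) -> bool:
    """True when -Version 5.1 and every switch in SINGLE_FLAGS appear as whole tokens."""
    tokens = [t.lower() for t in re.split(r"\s+", cmdline.strip()) if t]
    version_ok = any(tokens[i] == "-version" and tokens[i + 1] == "5.1"
                     for i in range(len(tokens) - 1))
    return version_ok and SINGLE_FLAGS.issubset(tokens)

def is_rtr_runscript(event: dict) -> bool:
    """Apply the full correlation: child name, parent name, RTR GUID, switches."""
    return (event.get("process_name", "").lower() == "powershell.exe"
            and event.get("parent_process_name", "").lower() == "dllhost.exe"
            and RTR_GUID.lower() in event.get("parent_process", "").lower()
            and has_rtr_switches(event.get("process", "")))

def build_findings(events: list) -> list:
    """One finding per match: risk object (dest, score 20) and threat object (parent)."""
    findings = []
    for ev in events:
        if is_rtr_runscript(ev):
            findings.append({
                "dest": ev["dest"], "user": ev["user"],
                "risk_object": ev["dest"], "risk_score": 20,
                "threat_object": ev["parent_process"],
            })
    return findings

# Constructed sample events (not real telemetry), keyed by Endpoint.Processes field names.
SAMPLE_EVENTS = [
    {"dest": "WS-0142", "user": "CORP\\jdoe", "process_name": "powershell.exe",
     "process": "powershell.exe -Version 5.1 -s -NoLogo -NoProfile -EncodedCommand ZQBjAGgAbwA=",
     "parent_process_name": "dllhost.exe",
     "parent_process": f"C:\\Windows\\System32\\dllhost.exe /Processid:{RTR_GUID}"},
    # Encoded command from an interactive cmd.exe parent: not RTR, must not match.
    {"dest": "WS-0142", "user": "CORP\\jdoe", "process_name": "powershell.exe",
     "process": "powershell.exe -NoProfile -EncodedCommand ZQBjAGgAbwA=",
     "parent_process_name": "cmd.exe", "parent_process": "cmd.exe"},
    # dllhost.exe parent hosting a different COM surrogate GUID: not RTR, must not match.
    {"dest": "WS-0199", "user": "CORP\\svc", "process_name": "powershell.exe",
     "process": "powershell.exe -Version 5.1 -s -NoLogo -NoProfile -EncodedCommand ZQBjAGgAbwA=",
     "parent_process_name": "dllhost.exe",
     "parent_process": "C:\\Windows\\System32\\dllhost.exe /Processid:{00000000-0000-0000-0000-000000000000}"},
]
```

`build_findings(SAMPLE_EVENTS)` returns a single finding for WS-0142; the two decoy events show why the parent name and the GUID check are both needed to keep ordinary encoded PowerShell out of the results.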
Categories
- Endpoint
- Windows
Data Sources
- Process
- Script
ATT&CK Techniques
- T1059.001
Created: 2026-04-13