
Summary
This rule identifies PowerShell invocations that set the 'WindowStyle' option to 'Hidden'. Adversaries use hidden windows to run scripts without presenting a visible console to the logged-on user, which is why this launch parameter is a recurring artifact in malicious loaders and persistence scripts. The detection logic looks for PowerShell script blocks whose ScriptBlockText contains the keywords 'powershell', 'WindowStyle', and 'Hidden', and suppresses matches from a set of known benign scripts belonging to specific applications. Script Block Logging must be enabled (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log), because it records the content of executed script blocks; without it the ScriptBlockText field the rule depends on is never populated. Two caveats apply. First, '-WindowStyle Hidden' is an argument to powershell.exe, so it shows up in the script block of the parent script or command that launches the hidden process, not in the script blocks logged by the hidden process itself; pairing this rule with process-creation telemetry that captures command lines (Event ID 4688 with command-line auditing enabled, or Sysmon Event ID 1) covers direct launches from cmd.exe, scheduled tasks, or Office macros. Second, powershell.exe accepts abbreviated parameter names, so '-w hidden' or '-win hidden' opens a hidden window without the literal string 'WindowStyle' and will not match this rule as written. Where all three keywords are present and no exclusion applies, the rule raises an alert for analyst review.
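As an added illustration of the detection logic described above (example code written for this page, not part of the original rule), the following Python runs the three-keyword ScriptBlockText match over constructed Event ID 4104-style records, applies a hypothetical path allow-list standing in for the rule's application-specific exclusions, and, going beyond the rule as written, adds a regex variant that also catches abbreviated '-w hidden' forms while ignoring prose mentions of the keywords. The sample records, their paths, and the ExampleVendor exclusion are all constructed for this example.

```python
"""Illustrative re-implementation of the ScriptBlockText keyword logic,
run over constructed Event ID 4104-style records (not real telemetry)."""
import re

# Constructed sample records. In production these would be Event ID 4104
# (Microsoft-Windows-PowerShell/Operational) ScriptBlockText fields plus the
# script path; nothing here is captured from a real host.
SAMPLE_EVENTS = [
    # 1: parent script launching a hidden child; the rule should fire
    {"id": 1, "path": r"C:\Users\alice\Downloads\update.ps1",
     "text": r'Start-Process powershell.exe -ArgumentList "-WindowStyle Hidden -NoProfile -File C:\Users\Public\stage.ps1"'},
    # 2: same intent with abbreviated parameters; the keyword rule misses it
    {"id": 2, "path": r"C:\Users\alice\Downloads\update2.ps1",
     "text": r'& powershell -nop -w hidden -c "Get-Content C:\Users\Public\stage.txt"'},
    # 3: benign vendor script covered by the (hypothetical) exclusion
    {"id": 3, "path": r"C:\Program Files\ExampleVendor\maintenance.ps1",
     "text": r'powershell -WindowStyle Hidden -File .\cleanup.ps1'},
    # 4: what the hidden child itself logs; the launch flag is not in its block
    {"id": 4, "path": r"C:\Users\Public\stage.ps1",
     "text": r'Get-Content C:\Users\Public\stage.txt'},
    # 5: a comment that mentions the keywords; keyword matching false-positives
    {"id": 5, "path": r"C:\Scripts\readme.ps1",
     "text": r'# Run this with powershell -WindowStyle Normal, never Hidden'},
]

# Hypothetical allow-list standing in for the rule's application exclusions.
EXCLUDED_PATH_PREFIXES = ("C:\\Program Files\\ExampleVendor\\",)

KEYWORDS = ("powershell", "windowstyle", "hidden")


def matches_rule(text: str) -> bool:
    """The rule as described: all three keywords present, case-insensitive."""
    lowered = text.lower()
    return all(k in lowered for k in KEYWORDS)


def _prefix_pattern(word: str) -> str:
    """Regex accepting any non-empty prefix of `word`. powershell.exe accepts
    abbreviated parameter names, so -w, -wi, ... -windowstyle are all valid."""
    pat = ""
    for ch in reversed(word[1:]):
        pat = f"(?:{ch}{pat})?"
    return word[0] + pat


# An actual '-WindowStyle Hidden' (or abbreviated) argument, not a bare word.
HIDDEN_RE = re.compile(
    rf"(?<![\w-])-{_prefix_pattern('windowstyle')}\s+hidden\b", re.IGNORECASE
)


def matches_extended(text: str) -> bool:
    """Tighter variant: 'powershell' present and a real hidden-window argument."""
    return "powershell" in text.lower() and HIDDEN_RE.search(text) is not None


def is_excluded(path: str) -> bool:
    """Exclusion check: case-insensitive prefix match against the allow-list."""
    return path.lower().startswith(tuple(p.lower() for p in EXCLUDED_PATH_PREFIXES))


def run_detection(events, matcher=matches_rule):
    """Return the ids of events that match `matcher` and are not allow-listed."""
    return [e["id"] for e in events if matcher(e["text"]) and not is_excluded(e["path"])]


if __name__ == "__main__":
    print("keyword rule  :", run_detection(SAMPLE_EVENTS, matches_rule))      # [1, 5]
    print("extended regex:", run_detection(SAMPLE_EVENTS, matches_extended))  # [1, 2]
```

Running the block shows both gaps side by side: the keyword rule alerts on records 1 and 5 (the second a false positive from a comment) and misses record 2, while the abbreviation-aware regex alerts on 1 and 2 and ignores 5. Record 3 matches both but is suppressed by the allow-list, and record 4 matches neither, which is the hidden child's own script block and the reason process-creation telemetry is needed alongside this rule.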
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Script
- Application Log
ATT&CK Techniques
- T1564.003
Created: 2021-10-20