
Summary
This detection rule identifies the creation of a PowerShell script named "PSScriptPolicyTest" when it is initiated by an uncommon process. Such an event is a potential indicator of defense-evasion tactics used by malicious actors. The rule looks for file events whose target filename contains "__PSScriptPolicyTest_". The set of expected creating processes is restricted to known Windows system executable paths, such as PowerShell and other system management tools; a detection is raised only when the script's creation is NOT initiated by one of these predefined processes. This minimizes false positives from legitimate system operations while still covering abuse cases in which malware or an attacker creates this script through non-standard means. Organizations can therefore use this rule to monitor for suspicious PowerShell activity and any associated file-creation events that fall outside expected norms.
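As an added example (not the rule's own query or any project code), the following Python applies the two conditions described above to constructed file-creation events: the target filename must contain "__PSScriptPolicyTest_", and the creating process must not be one of the expected hosts. The allow-list of expected images is an assumption; the page only says "known Windows system executable paths, such as PowerShell", so the real rule's exact entries are not reproduced here. PowerShell itself drops this temporary file to test whether script execution is permitted, which is why the expected hosts must be excluded rather than alerting on every creation.

```python
"""
Added example, not the original rule. Matches file-creation events whose target
filename contains "__PSScriptPolicyTest_" and whose creating process is not one
of the expected PowerShell/system hosts.
"""
from typing import Dict, Iterable, List

# Assumed allow-list of expected creators (the page does not list the real
# rule's paths). Compared case-insensitively, since Windows paths are.
EXPECTED_IMAGES = {
    r"c:\windows\system32\windowspowershell\v1.0\powershell.exe",
    r"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe",
}

MARKER = "__psscriptpolicytest_"


def is_uncommon_creator(event: Dict[str, str]) -> bool:
    """True when a file-create event matches the rule's conditions."""
    if event.get("EventType") != "FileCreate":
        return False
    target = event.get("TargetFilename", "").lower()
    if MARKER not in target:
        return False
    image = event.get("Image", "").lower()
    # Expected hosts are filtered out; anything else is uncommon.
    return image not in EXPECTED_IMAGES


def find_alerts(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the subset of events that would trigger the detection."""
    return [e for e in events if is_uncommon_creator(e)]


# Constructed sample events (not real telemetry). Field names follow the
# Sysmon-style Image/TargetFilename convention as an assumption.
SAMPLE_EVENTS = [
    {   # legitimate: PowerShell creating its own policy-test file
        "EventType": "FileCreate",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\__PSScriptPolicyTest_abcd1234.ps1",
    },
    {   # suspicious: an unknown binary creating the marker file
        "EventType": "FileCreate",
        "Image": r"C:\Users\Public\unknown_tool.exe",
        "TargetFilename": r"C:\Users\Public\__PSScriptPolicyTest_zzzz9999.ps1",
    },
    {   # unrelated: same unknown binary, different filename
        "EventType": "FileCreate",
        "Image": r"C:\Users\Public\unknown_tool.exe",
        "TargetFilename": r"C:\Users\Public\notes.txt",
    },
    {   # not a file-create event at all
        "EventType": "ProcessCreate",
        "Image": r"C:\Users\Public\unknown_tool.exe",
        "TargetFilename": r"C:\Users\Public\__PSScriptPolicyTest_zzzz9999.ps1",
    },
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", alert["Image"], "->", alert["TargetFilename"])
```

When deploying a rule of this shape, any legitimate PowerShell host that is not on the allow-list (for example a different install path) will surface as an alert, so the first tuning step is to review hits and extend the expected-image set rather than loosen the filename condition.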
Categories
- Windows
Data Sources
- Process
- File
Created: 2023-06-01