
Summary
This detection rule flags PowerShell reading a script or payload out of an NTFS Alternate Data Stream (ADS). It triggers on process creation when the image is 'powershell.exe' or 'pwsh.exe' and the command line contains both 'Get-Content' and the '-Stream' parameter, the combination used to read a named stream rather than a file's default data stream. Attackers stage scripts and loaders in ADS because the extra stream is invisible to ordinary directory listings and to file-system monitoring that only inspects the main stream, so the hidden content can later be read and executed without a suspicious file ever appearing on disk. Matching on command-line text alone has limits a practitioner should keep in mind: the rule does not see the contents of encoded commands or of script files that call Get-Content internally, and it does not cover PowerShell's aliases for the cmdlet (gc, cat, type) or abbreviated parameter names (any unambiguous prefix such as -Str resolves to -Stream). Pair it with script block logging where available, and triage hits rather than treating them as confirmed compromise, since administration scripts also read streams such as Zone.Identifier legitimately.
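The selection logic above, re-implemented and run over a handful of constructed process-creation events so the matches and the blind spots are concrete. This is an added example, not the rule's own code or any vendor's implementation; the event field names (image, command line) follow the Sysmon Event ID 1 convention and are an assumption, and the second, broader matcher that also catches aliases and abbreviated parameter names goes beyond what the rule as written does.

```python
"""Added example: the rule's process-creation match, run over constructed events.

Field layout (image path + command line) assumes Sysmon EID 1 style records.
The events below are constructed for illustration, not captured telemetry.
"""
import base64
import re
from dataclasses import dataclass
from typing import Callable, List

POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")


@dataclass(frozen=True)
class ProcessEvent:
    image: str         # full path of the created process
    command_line: str  # command line as recorded by the sensor


def image_is_powershell(image: str) -> bool:
    """Compare on the basename only; the rule does not care about install path."""
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name in POWERSHELL_IMAGES


def matches_rule(event: ProcessEvent) -> bool:
    """Literal reading of the rule: both tokens must appear in the command line."""
    cmd = event.command_line.lower()
    return image_is_powershell(event.image) and "get-content" in cmd and "-stream" in cmd


# Broader matcher (assumption, not the rule as published): Get-Content has the
# aliases gc, cat and type, and PowerShell resolves any unambiguous parameter
# prefix, so "-Str" is accepted as "-Stream" on the command line.
CMDLET_RE = re.compile(r"(?<![\w-])(get-content|gc|cat|type)(?![\w-])", re.I)
STREAM_RE = re.compile(r"(?<!\w)-str(e(a(m)?)?)?(?![\w-])", re.I)


def matches_rule_broad(event: ProcessEvent) -> bool:
    """Rule logic extended to cmdlet aliases and abbreviated -Stream spellings."""
    if not image_is_powershell(event.image):
        return False
    cmd = event.command_line
    return bool(CMDLET_RE.search(cmd) and STREAM_RE.search(cmd))


def run_rule(events: List[ProcessEvent],
             matcher: Callable[[ProcessEvent], bool]) -> List[int]:
    """Return the indices of events the given matcher would alert on."""
    return [i for i, ev in enumerate(events) if matcher(ev)]


# An -EncodedCommand payload is base64 of UTF-16LE text; built here rather than
# hand-typed so the sample is genuine. Its plaintext is "gc x -st".
_ENCODED = base64.b64encode("gc x -st".encode("utf-16le")).decode()

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'powershell.exe -c "Get-Content C:\Users\Public\readme.txt -Stream payload | IEX"'),
    ProcessEvent(r"C:\Program Files\PowerShell\7\pwsh.exe",
                 r'pwsh.exe -nop -c "gc .\invoice.pdf -Str hidden | iex"'),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe Get-Content .\app.log -Tail 5"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c echo Get-Content -Stream"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 f"powershell.exe -NoProfile -EncodedCommand {_ENCODED}"),
]

if __name__ == "__main__":
    print("strict rule hits:", run_rule(SAMPLE_EVENTS, matches_rule))
    print("broad rule hits: ", run_rule(SAMPLE_EVENTS, matches_rule_broad))
```

Event 0 is the textbook case and matches both ways. Event 1 uses the gc alias and the -Str prefix, which PowerShell executes exactly like the full spelling but which the literal rule misses; the broad matcher catches it. Events 2 and 3 show why both conditions are needed: a Get-Content without -Stream, and the right tokens under the wrong parent image, are not ADS reads. Event 4 carries the same ADS read inside an encoded command and is invisible to either matcher, because nothing in the logged command line says Get-Content or -Stream; that gap is what script block logging closes.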
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2019-10-30