
Summary
The rule detects invocation of the PowerShell cmdlet 'Add-WindowsCapability', which installs optional Windows capabilities such as the OpenSSH client and server. The capability itself is legitimate, but an attacker who already holds administrative rights on a host can use the same cmdlet to install the OpenSSH server and obtain a remote access channel that blends in with built-in tooling. The rule inspects process creation command lines and matches when 'Add-WindowsCapability' appears together with the targeted capability name (OpenSSH), so it flags that specific installation rather than every use of the cmdlet. Administrators install these capabilities legitimately, so the rule documents that as an expected false positive; deployments should add their own filters (for example on the parent process or the account used by a software management tool) to separate routine provisioning from misuse.
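The following is an added example, not the rule's own logic or any project code: a small Python evaluator that applies the command-line check described above to constructed process-creation events. It assumes the rule matches when the command line contains both 'Add-WindowsCapability' and 'OpenSSH.' (case-insensitively, as a Sigma 'contains' modifier does) and adds a hypothetical parent-process allowlist of the kind a deployment would use to suppress the administrative false positives the rule warns about. All events, paths and the management agent name are made up for the example.

```python
"""Toy evaluator for the Add-WindowsCapability detection logic.

Added example, not the rule's own code. Assumptions: the rule fires when the
process command line contains both 'Add-WindowsCapability' and 'OpenSSH.'
(case-insensitive substring match, like Sigma 'contains'); the allowlist of
parent images is a hypothetical deployment-specific false-positive filter.
"""
from dataclasses import dataclass

# Substrings the rule requires in the command line (assumption about the rule).
REQUIRED_SUBSTRINGS = ("add-windowscapability", "openssh.")


@dataclass
class ProcessEvent:
    image: str
    parent_image: str
    user: str
    command_line: str


# Constructed sample process-creation events (no real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent(  # interactive user installs sshd: should alert
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        parent_image=r"C:\Windows\explorer.exe",
        user=r"CORP\jdoe",
        command_line='powershell.exe -NoP -c "Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0"',
    ),
    ProcessEvent(  # same action driven by a hypothetical management agent: expected false positive
        image=r"C:\Program Files\PowerShell\7\pwsh.exe",
        parent_image=r"C:\Program Files\ExampleMgmt\agent.exe",
        user=r"NT AUTHORITY\SYSTEM",
        command_line='pwsh.exe -c "Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0"',
    ),
    ProcessEvent(  # read-only query: must not alert
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        parent_image=r"C:\Windows\explorer.exe",
        user=r"CORP\jdoe",
        command_line="powershell.exe -c \"Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*'\"",
    ),
    ProcessEvent(  # a different capability: outside the rule's OpenSSH scope
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        parent_image=r"C:\Windows\explorer.exe",
        user=r"CORP\jdoe",
        command_line='powershell.exe -c "Add-WindowsCapability -Online -Name Rsat.Dns.Tools~~~~0.0.1.0"',
    ),
    ProcessEvent(  # same outcome via DISM: this command-line rule does not cover it
        image=r"C:\Windows\System32\Dism.exe",
        parent_image=r"C:\Windows\System32\cmd.exe",
        user=r"CORP\jdoe",
        command_line="dism.exe /online /add-capability /capabilityname:OpenSSH.Server~~~~0.0.1.0",
    ),
    ProcessEvent(  # lower-cased invocation still matches because the check is case-insensitive
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        parent_image=r"C:\Windows\System32\cmd.exe",
        user=r"CORP\svc-build",
        command_line='powershell.exe -c "add-windowscapability -online -name openssh.server~~~~0.0.1.0"',
    ),
]


def matches_rule(event: ProcessEvent) -> bool:
    """Core detection: every required substring must appear in the command line."""
    cmd = event.command_line.lower()
    return all(s in cmd for s in REQUIRED_SUBSTRINGS)


def is_expected_false_positive(event: ProcessEvent, allowed_parents) -> bool:
    """Hypothetical deployment filter: launches by an allowlisted parent are routine provisioning."""
    allowed = {p.lower() for p in allowed_parents}
    return event.parent_image.lower() in allowed


def evaluate(events, allowed_parents=()) -> list:
    """Return one alert record per matching event, marking filtered ones as suppressed."""
    alerts = []
    for index, event in enumerate(events):
        if not matches_rule(event):
            continue
        alerts.append({
            "index": index,
            "user": event.user,
            "parent_image": event.parent_image,
            "command_line": event.command_line,
            "suppressed": is_expected_false_positive(event, allowed_parents),
        })
    return alerts


if __name__ == "__main__":
    allowlist = [r"C:\Program Files\ExampleMgmt\agent.exe"]  # hypothetical
    for alert in evaluate(SAMPLE_EVENTS, allowlist):
        status = "suppressed" if alert["suppressed"] else "ALERT"
        print(f"[{status}] event {alert['index']} user={alert['user']}: {alert['command_line']}")
```

Two caveats fall out of the sample set: the match is a plain substring check on the command line, so it catches case variations of the cmdlet but says nothing about the same capability being added through DISM or by servicing an offline image, and the allowlist suppresses by parent process only. For coverage of the former, a service-installation event for sshd from the host's system or security log is a useful companion signal.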
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2023-01-22