
Suspicious PowerShell Invocations - Specific - ProcessCreation


Summary
This rule detects suspicious PowerShell invocation command-line parameters on Windows systems, aiming to identify potential misuse of PowerShell for defense evasion and other malicious activity. Detection is performed on process creation events whose CommandLine contains key parameters typically associated with nefarious activity, such as bypassing execution restrictions, running without a profile, and launching with a hidden window. Multiple selections are defined to capture distinct patterns, including Base64-encoded scripts and Registry modifications. The condition ensures that only command lines matching these suspicious patterns are flagged, while filtering out non-malicious commands such as legitimate calls to Chocolatey, a package manager. This rule is intended for environments running Windows operating systems where PowerShell usage is prevalent and attack vectors that leverage PowerShell require specific attention.
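The selection/filter logic the summary describes, as an added Python evaluator that is not part of the published rule: each selection is a set of substrings that must all appear in the CommandLine (case-insensitive, like Sigma `contains|all`), the condition is "one of the selections and not the filter", and it is run over constructed process-creation events. The selection strings, the Chocolatey filter string and the sample events are assumptions for illustration, not the rule's actual text.

```python
# Toy evaluator for the Sigma-style selection/filter logic described above.
# Selections, filter and sample events are constructed/assumed, not the rule text.

# Assumed selections: every substring in a list must be present (contains|all).
SELECTIONS = {
    "hidden_bypass_encoded": [" -w hidden ", " -ep bypass ", " -enc "],
    "noprofile_hidden_base64": [" -nop ", " -w hidden ", "[convert]::frombase64string"],
    "run_key_persistence": ["powershell", "reg add", r"currentversion\run"],
    "bypass_noprofile_download": ["bypass", "-noprofile", "downloadstring("],
}

# Assumed filter: the legitimate Chocolatey installer is excluded (`not filter`).
FILTERS = ["community.chocolatey.org/install.ps1"]


def matched_selections(command_line: str) -> list[str]:
    """Names of the selections this command line satisfies (case-insensitive)."""
    cl = command_line.lower()
    return [name for name, parts in SELECTIONS.items()
            if all(p.lower() in cl for p in parts)]


def is_suspicious(command_line: str) -> bool:
    """Sigma condition: 1 of selection_* and not filter."""
    cl = command_line.lower()
    if any(f.lower() in cl for f in FILTERS):
        return False
    return bool(matched_selections(command_line))


def scan(events: list[dict]) -> list[dict]:
    """Evaluate process-creation events; return one alert per flagged process."""
    return [{"ProcessId": ev["ProcessId"], "selections": matched_selections(ev["CommandLine"])}
            for ev in events if is_suspicious(ev["CommandLine"])]


# Constructed sample events (Sysmon event 1 style fields); base64 values are placeholders.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "CommandLine": "powershell.exe -nop -w hidden -c \"[Convert]::FromBase64String('QUFBQQ==')\""},
    {"ProcessId": 4188, "CommandLine": "powershell.exe -w hidden -ep bypass -enc QUFBQQ=="},
    {"ProcessId": 4201, "CommandLine": "powershell.exe reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v upd /t REG_SZ /d C:\\Users\\Public\\upd.ps1"},
    {"ProcessId": 4210, "CommandLine": "powershell.exe -NoProfile -ExecutionPolicy Bypass -Command \"iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))\""},
    {"ProcessId": 4222, "CommandLine": "powershell.exe -NoProfile -Command Get-Process"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Event 4210 matches a selection but is suppressed by the Chocolatey filter, and 4222 matches nothing, so only three alerts are produced.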
Categories
  • Windows
  • Endpoint
  • Network
Data Sources
  • Process
  • Application Log
Created: 2023-01-05