Suspicious Runscripthelper.exe

Sigma Rules

Summary
This detection rule identifies the execution of PowerShell scripts via the 'Runscripthelper.exe' binary on Windows systems. It is useful in environments where PowerShell is commonly abused to run malicious scripts as part of sophisticated attacks. By monitoring for instances where 'Runscripthelper.exe' is launched with a command line containing 'surfacecheck', security teams can flag potentially malicious activity. The rule matches on process creation events to monitor use of this specific binary, which attackers can leverage to execute unauthorized scripts while evading defenses. It is categorized as medium severity, indicating a notable risk that should be investigated further. False positives are possible, particularly in heterogeneous environments, but use of this binary together with the specified command-line parameter can indicate malicious intent. This detection is valuable for organizations maintaining strict security postures against threats that use PowerShell as an attack vector.
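The matching logic described above, applied to a batch of process creation events, as an added example that is not part of this page or of the Sigma project's own code. It assumes Sysmon-style process creation records with 'Image' and 'CommandLine' fields (an assumption about the event shape), mirrors Sigma's default case-insensitive string matching, and runs over constructed sample events rather than real telemetry.

```python
"""Apply the Runscripthelper.exe / 'surfacecheck' detection to process-creation events.

Added illustration, not the rule's or the Sigma project's own code. The event
shape (dicts with 'Image' and 'CommandLine' keys, Sysmon-style) is an assumption;
Sigma string matching is case-insensitive by default, which is mirrored here.
"""
from typing import Dict, List


def matches_rule(event: Dict[str, str]) -> bool:
    """True when the process image is Runscripthelper.exe and the command line contains 'surfacecheck'.

    Both conditions are required, which is what keeps an unrelated process whose
    arguments happen to mention 'surfacecheck' from firing the rule.
    """
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    return image.endswith("\\runscripthelper.exe") and "surfacecheck" in cmdline


def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Filter a batch of events down to those that match, keeping the full record for analyst context."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry); paths and parents are placeholders.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # Matches: right binary, 'surfacecheck' present in the command line.
        "EventID": "1",
        "Image": r"C:\Windows\System32\Runscripthelper.exe",
        "CommandLine": r"Runscripthelper.exe surfacecheck C:\placeholder\script.txt",
        "ParentImage": r"C:\placeholder\parent.exe",
    },
    {   # Does not match: right binary, but no 'surfacecheck' argument.
        "EventID": "1",
        "Image": r"C:\Windows\System32\Runscripthelper.exe",
        "CommandLine": "Runscripthelper.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # Does not match: 'surfacecheck' appears, but the image is not Runscripthelper.exe.
        "EventID": "1",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -File surfacecheck.ps1",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ALERT medium: Suspicious Runscripthelper.exe", hit["Image"], "|", hit["CommandLine"])
```

The third sample event shows why the image check matters: a script simply named 'surfacecheck.ps1' run by PowerShell should not trigger this rule, and an analyst reviewing a hit should look at the parent process and the script path in the full record before escalating.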
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
Created: 2020-10-09