
Summary
This detection rule aims to identify suspicious usage of the PowerShell cmdlet Invoke-Sqlcmd, which may be exploited for unauthorized database operations or data exfiltration. The rule analyzes PowerShell script block logs for specific parameter combinations and query patterns that could indicate malicious intent. Indicators of concern include the use of certain authentication methods, suspicious queries that interact with sensitive database structures, and data exfiltration mechanisms. Additionally, the rule assigns a risk score based on detected suspicious activities, such as administrative connections, remote file inputs, and high-risk query executions. The final outputs include a risk message and a list of detected anomalies.
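As an added illustration (not the rule's own logic, which the page does not show), the following Python scores constructed script block log entries containing Invoke-Sqlcmd with a hypothetical weighted indicator table covering the kinds of anomalies the summary names: administrative connections, remote input files, queries against sensitive schema objects, and piping results to a file.

```python
import re

# Constructed sample ScriptBlockText values (PowerShell script block logging),
# not taken from the page; mixes benign and suspicious Invoke-Sqlcmd usage.
SAMPLE_SCRIPT_BLOCKS = [
    'Invoke-Sqlcmd -ServerInstance "SQL01" -Database Inventory -Query "SELECT COUNT(*) FROM dbo.Items"',
    'Invoke-Sqlcmd -ServerInstance "SQL01" -Username sa -Password "..." -Query "SELECT name FROM sys.sql_logins"',
    'Invoke-Sqlcmd -ServerInstance "SQL01" -InputFile "\\\\fileshare\\scripts\\run.sql"',
    'Invoke-Sqlcmd -ServerInstance "SQL01" -Query "SELECT * FROM dbo.Customers" | Export-Csv C:\\Users\\Public\\out.csv',
    'Get-Process | Sort-Object CPU',
]

# Hypothetical indicator table: (name, pattern, weight). The real rule's
# patterns and weights are not on the page; these are illustrative choices.
INDICATORS = [
    ("admin_connection", re.compile(r"-Username\s+['\"]?sa\b", re.I), 3),
    ("remote_input_file", re.compile(r"-InputFile\s+['\"]?(\\\\|https?://)", re.I), 4),
    ("sensitive_schema_query", re.compile(r"\bsys\.(sql_logins|syslogins|server_principals)\b", re.I), 4),
    ("export_to_file", re.compile(r"\|\s*(Export-Csv|Out-File|Set-Content)\b", re.I), 3),
]


def score_script_block(text):
    """Return (risk_score, [indicator names]) for one log entry; (0, []) without Invoke-Sqlcmd."""
    if not re.search(r"\bInvoke-Sqlcmd\b", text, re.I):
        return 0, []
    hits = [name for name, pattern, _ in INDICATORS if pattern.search(text)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    return score, hits


def triage(script_blocks, threshold=3):
    """Score a batch of entries and keep those at or above the threshold, with a risk message."""
    findings = []
    for text in script_blocks:
        score, hits = score_script_block(text)
        if score >= threshold:
            findings.append({
                "score": score,
                "indicators": hits,
                "message": f"Suspicious Invoke-Sqlcmd usage (risk {score}): " + ", ".join(hits),
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_SCRIPT_BLOCKS):
        print(finding["message"])
```

The threshold and weights are tuning knobs; in practice they would be calibrated against the environment's baseline of legitimate Invoke-Sqlcmd use by DBAs and scheduled jobs.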
Categories
- Endpoint
Data Sources
- Pod
ATT&CK Techniques
- T1059.001
- T1059.003
Created: 2025-02-03