Suspicious PowerShell Invocations - Specific

Sigma Rules

Summary
This detection rule identifies suspicious PowerShell invocations by analyzing command parameters typically associated with covert or malicious activity. It operates on PowerShell script block logging, where specific patterns and keywords in the logged command text can indicate a potential security threat: commands that use base64-encoded payloads, bypass the execution policy, run in hidden windows, or manipulate registry values, all of which are common in malicious PowerShell usage. The detection logic comprises several selections, each targeting one of these command characteristics, combined with filters that exclude common administrative tasks to reduce false positives. The rule is only effective in environments where PowerShell script block logging is enabled; there it captures suspicious behavior as it occurs, supporting proactive threat hunting and incident response.
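To make the selection-and-filter logic concrete, here is an added Python example that is not the Sigma rule itself and does not reproduce its strings: the four selections are assumed approximations of the categories the summary names (encoded commands, execution-policy bypass, hidden windows, registry writes), the allowlisted script directory is a constructed placeholder for the rule's false-positive filters, and the script block events are constructed sample log lines. It evaluates each event as Sigma would for a condition of the form "1 of selection_* and not filter".

```python
import re

# Assumed approximations of the rule's selections (example only, not the
# real rule). Each pattern is matched case-insensitively against the
# ScriptBlockText field of a script block logging event.
SELECTIONS = {
    # -e / -ec / -en / -enc / -EncodedCommand as a standalone switch, or an
    # in-script base64 decode.
    "encoded_command": re.compile(
        r"(?:\s-(?:e|ec|en|enc|encodedcommand)\s)|frombase64string\(", re.I),
    # -ExecutionPolicy Bypass and its abbreviations.
    "policy_bypass": re.compile(r"-(?:executionpolicy|ep|exec)\s+bypass", re.I),
    # -WindowStyle Hidden / -w hidden.
    "hidden_window": re.compile(r"-(?:windowstyle|w)\s+hidden", re.I),
    # Registry value writes through the HKLM:/HKCU: providers.
    "registry_write": re.compile(
        r"(?:set|new)-itemproperty\b.*\bhk(?:lm|cu):", re.I),
}

# Constructed placeholder for the rule's false-positive filters: script
# files under an assumed administrative directory are not alerted on.
FILTER_SCRIPT_PATHS = ["c:\\admin\\scripts\\"]

# Constructed sample events in the shape of script block logging records.
EVENTS = [
    {"id": 1, "Path": "",
     "ScriptBlockText": "powershell.exe -NoProfile -WindowStyle Hidden -enc QUJDREVG"},
    {"id": 2, "Path": "",
     "ScriptBlockText": "Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB"},
    {"id": 3, "Path": "C:\\Admin\\Scripts\\configure-app.ps1",
     "ScriptBlockText": "Set-ItemProperty -Path HKCU:\\Software\\ExampleCorp\\App -Name Mode -Value 1"},
    {"id": 4, "Path": "",
     "ScriptBlockText": "powershell -ep bypass -File .\\build.ps1"},
]


def matched_selections(script_block_text):
    """Return the names of all selections whose pattern occurs in the text."""
    # Collapse whitespace so switch tokens match regardless of spacing.
    text = " " + re.sub(r"\s+", " ", script_block_text) + " "
    return [name for name, pattern in SELECTIONS.items() if pattern.search(text)]


def is_filtered(event):
    """True when the event comes from an allowlisted administrative script."""
    path = (event.get("Path") or "").lower()
    return any(path.startswith(prefix) for prefix in FILTER_SCRIPT_PATHS)


def evaluate(event):
    """Mimic '1 of selection_* and not filter': (alert, matched selections)."""
    hits = matched_selections(event.get("ScriptBlockText", ""))
    return (bool(hits) and not is_filtered(event)), hits


def alerts(events):
    """Return only the events the rule would raise an alert for."""
    return [event for event in events if evaluate(event)[0]]


if __name__ == "__main__":
    for event in EVENTS:
        alert, hits = evaluate(event)
        print(f"event {event['id']}: alert={alert} selections={hits}")
```

Event 3 shows why the filter matters: the registry-write selection fires on an ordinary configuration script, and only the path allowlist keeps it from becoming an alert. In a real deployment that allowlist must be narrow and tied to a directory ordinary users cannot write to, otherwise it becomes a blind spot rather than a false-positive filter.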
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Logon Session
  • Application Log
Created: 2017-03-05