
Summary
This detection rule flags potentially malicious executions of AgentExecutor.exe, a component of the Microsoft Intune Management Extension that can be abused as a Living Off The Land Binary (LOLBin) to run PowerShell scripts without being subject to the configured PowerShell execution policy. Rather than alerting on every run of the binary, the rule looks at the context of the execution: it matches process-creation events where the image is AgentExecutor.exe and the command line indicates it is being used to launch PowerShell, and it excludes executions whose parent is a known legitimate Microsoft Intune process. Restricting the match to PowerShell-launching invocations and filtering the Intune parent keeps false positives low on managed endpoints while still surfacing attacker-driven use of the binary. Because the exclusion is based only on the parent process, hits from the binary's normal install path are still worth triaging: check the script path on the command line and the user context before dismissing an alert.
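The rule's three conditions (image name, PowerShell-launch argument, parent-process exclusion) applied to constructed process-creation events, as an added example that is not part of the original rule or page. It assumes two details the summary does not name: that a PowerShell launch is signalled by the `-powershell` switch (as LOLBAS documents for this binary) and that the legitimate parent is Microsoft.Management.Services.IntuneWindowsAgent.exe. The event dictionaries are constructed, not real telemetry.

```python
# Added example (not the rule's own code): the detection logic described above,
# evaluated over constructed process-creation events.
#
# Assumptions not stated on the page: AgentExecutor.exe signals a PowerShell
# launch with the "-powershell" switch (as documented by LOLBAS), and the
# legitimate Intune parent is Microsoft.Management.Services.IntuneWindowsAgent.exe.
POWERSHELL_MARKERS = (" -powershell",)
LEGIT_PARENT_SUFFIXES = (
    "\\microsoft.management.services.intunewindowsagent.exe",
)


def matches_rule(event):
    """True when a process-creation event matches the rule: the image is
    AgentExecutor.exe, the command line asks it to launch PowerShell, and the
    parent process is not the known-good Intune agent. Comparison is
    case-insensitive, matching Sigma's Windows string modifiers."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    parent = event.get("ParentImage", "").lower()

    if not image.endswith("\\agentexecutor.exe"):
        return False
    if not any(marker in cmdline for marker in POWERSHELL_MARKERS):
        return False
    # Filter: launched by the Intune Management Extension itself.
    if any(parent.endswith(suffix) for suffix in LEGIT_PARENT_SUFFIXES):
        return False
    return True


def evaluate(events):
    """Return the ids of the events that would raise an alert, in input order."""
    return [e["id"] for e in events if matches_rule(e)]


IME_DIR = "C:\\Program Files (x86)\\Microsoft Intune Management Extension"
PUBLIC = "C:\\Users\\Public"

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {  # Intune pushing a script through its own agent: expected, no alert.
        "id": "intune-managed-script",
        "Image": IME_DIR + "\\AgentExecutor.exe",
        "CommandLine": '"' + IME_DIR + '\\AgentExecutor.exe" -powershell "'
                       + IME_DIR + '\\Policies\\Scripts\\policy.ps1"',
        "ParentImage": IME_DIR + "\\Microsoft.Management.Services.IntuneWindowsAgent.exe",
    },
    {  # Copied binary run from cmd.exe to launch an attacker script: alert.
        "id": "copied-binary-from-cmd",
        "Image": PUBLIC + "\\AgentExecutor.exe",
        "CommandLine": 'AgentExecutor.exe -PowerShell "' + PUBLIC + '\\payload.ps1"',
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
    },
    {  # Original binary, but launched by explorer.exe rather than the agent: alert.
        "id": "original-binary-from-explorer",
        "Image": IME_DIR + "\\AgentExecutor.exe",
        "CommandLine": '"' + IME_DIR + '\\AgentExecutor.exe" -powershell "'
                       + PUBLIC + '\\run.ps1"',
        "ParentImage": "C:\\Windows\\explorer.exe",
    },
    {  # AgentExecutor.exe with no PowerShell-launch argument: out of scope.
        "id": "no-powershell-argument",
        "Image": IME_DIR + "\\AgentExecutor.exe",
        "CommandLine": '"' + IME_DIR + '\\AgentExecutor.exe"',
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
    },
    {  # Plain powershell.exe from cmd.exe: a different rule's job, not this one.
        "id": "unrelated-powershell",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe -ep bypass -f " + PUBLIC + "\\x.ps1",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
    },
]

if __name__ == "__main__":
    for event_id in evaluate(SAMPLE_EVENTS):
        print("ALERT:", event_id)
```

Running the script alerts on the two events whose parent is not the Intune agent. The third sample makes the practical point from the summary explicit: the binary's location does not decide the outcome, only the parent-process filter does, so a hit from the original install path is still a real finding until the script path and user context are reviewed.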
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2022-12-24