
Summary
The rule detects potential malicious activity associated with the Jlaive tool, specifically its use of PowerShell scripts to execute .NET assemblies in memory. Jlaive is an evasion tool that lets threat actors load and run a payload without dropping a conventional executable, bypassing traditional file-based security controls. The detection logic focuses on process-creation events in which the parent process is one commonly used to launch Jlaive payloads: it looks for cmd.exe, started with a command line that references a batch (.bat) file, spawning PowerShell (powershell.exe or pwsh.exe) with a command line that itself indicates batch-file execution. Because the rule requires both the parent-process condition and the command-line characteristics to match, ordinary batch files that merely call PowerShell are filtered out while the Jlaive launch chain is captured. Batch wrappers around PowerShell are still common in administrative tooling (logon scripts, scheduled tasks), so review any hits against known automation before treating them as malicious.
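The following is an added illustration of how the parent-process and command-line conditions described above combine, run over constructed process-creation events; it is not the rule's own code and does not reproduce its exact match strings. Field names are assumed to follow Sysmon Event ID 1 (ParentImage, ParentCommandLine, Image, CommandLine), and the "indicates batch-file execution" check is modelled as a reference to a .bat file on the command line; the sample command lines are constructed and are not actual Jlaive output.

```python
"""Added example: evaluate the described detection logic against sample events.

Assumptions (not from the page): Sysmon-style field names, and ".bat" on the
child command line as the stand-in for "indicates batch-file execution".
"""
from dataclasses import dataclass

# Child images the rule is described as matching.
PS_IMAGES = ("\\powershell.exe", "\\pwsh.exe")


@dataclass
class ProcessEvent:
    parent_image: str
    parent_command_line: str
    image: str
    command_line: str


def is_jlaive_like(ev: ProcessEvent) -> bool:
    """All four conditions must hold, mirroring the summary's conjunction."""
    parent_is_cmd = ev.parent_image.lower().endswith("\\cmd.exe")
    parent_runs_bat = ".bat" in ev.parent_command_line.lower()
    child_is_ps = ev.image.lower().endswith(PS_IMAGES)
    cli_references_bat = ".bat" in ev.command_line.lower()  # assumed modelling
    return parent_is_cmd and parent_runs_bat and child_is_ps and cli_references_bat


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 0: batch loader spawns PowerShell whose command line refers back to the .bat
    ProcessEvent(
        parent_image=r"C:\Windows\System32\cmd.exe",
        parent_command_line=r'cmd.exe /c "C:\Users\victim\Downloads\loader.bat"',
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        command_line=(r"powershell.exe -nop -w hidden -c "
                      r"\"Get-Content 'C:\Users\victim\Downloads\loader.bat'\""),
    ),
    # 1: benign admin batch calling a .ps1; child command line has no .bat reference
    ProcessEvent(
        parent_image=r"C:\Windows\System32\cmd.exe",
        parent_command_line=r"cmd.exe /c C:\Scripts\nightly.bat",
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        command_line=r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1",
    ),
    # 2: pwsh launched interactively from Explorer, no batch parent at all
    ProcessEvent(
        parent_image=r"C:\Windows\explorer.exe",
        parent_command_line=r"C:\Windows\Explorer.EXE",
        image=r"C:\Program Files\PowerShell\7\pwsh.exe",
        command_line=r"pwsh.exe -NoProfile",
    ),
]


def run_detection(events):
    """Return the indices of events that satisfy every condition."""
    return [i for i, ev in enumerate(events) if is_jlaive_like(ev)]


if __name__ == "__main__":
    for idx in run_detection(SAMPLE_EVENTS):
        print(f"alert: event {idx} -> {SAMPLE_EVENTS[idx].command_line}")
```

Only the first event fires: the second shows why the child command-line condition matters (a plain admin batch that calls PowerShell is excluded), and the third why the parent condition matters. When porting this to a real rule, replace the assumed ".bat" substring with the exact strings your rule repository specifies.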
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2022-05-24