Run PowerShell Script from Redirected Input Stream

Sigma Rules

Summary
This rule detects PowerShell scripts executed via an input stream redirect, in the form `powershell - < script.ps1`: the `-` argument makes powershell.exe read its commands from standard input, and the launching shell's `<` operator supplies the script file (or the output of a prior command, when piped) as that stream, so the script runs without ever appearing as a `-File` or `-Command` argument. This lets an attacker run a script while keeping its path out of the places detection logic and analysts usually look. The detection relies on process creation events and selects those whose image name ends with 'powershell.exe' or 'pwsh.exe' and whose command line carries the input-redirection pattern, i.e. the redirection operator '<' following the '-' standard-input placeholder. Two caveats matter when deploying it. First, the redirection is performed by cmd.exe, not by PowerShell (PowerShell itself rejects '<' as a reserved operator), and cmd.exe consumes the operator and opens the file as the child's standard input before creating the child process, so the '<' may be visible only on the parent cmd.exe command line (e.g. `cmd.exe /c "powershell - < script.ps1"`, recorded in Sysmon's ParentCommandLine field) rather than on the PowerShell process itself; check which command lines your event source records before relying on this rule for coverage. Second, given the pervasive use of PowerShell in administration, input redirection is occasionally used for benign maintenance or automation, so a match warrants investigation of the parent process, the redirected file and the user context before it is treated as malicious.
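The selection logic described above, run over a few constructed process creation records, as an added example written for this page (not the rule's own source, which this page does not show). The image suffixes and the `- <` pattern are the editor's reading of the summary; the regex `\s-\s*<` is an assumption, not copied from the rule. The second function goes beyond the rule as described and also inspects the parent command line, to illustrate the cmd.exe caveat.

```python
import re
from dataclasses import dataclass

# Image names the rule keys on (case-insensitive suffix match, like Sigma's endswith).
POWERSHELL_IMAGES = ("\\powershell.exe", "\\pwsh.exe")

# ASSUMPTION: the stdin placeholder '-' as its own token, followed (after optional
# whitespace) by the '<' redirection operator. The rule's real condition is not on
# this page; this regex is the editor's approximation of the summary's wording.
REDIRECT_PATTERN = re.compile(r"\s-\s*<")


@dataclass
class ProcessEvent:
    """Subset of a Sysmon Event ID 1 record; ParentCommandLine is a real Sysmon field."""
    image: str
    command_line: str
    parent_image: str = ""
    parent_command_line: str = ""


def is_powershell(event: ProcessEvent) -> bool:
    return event.image.lower().endswith(POWERSHELL_IMAGES)


def matches_rule(event: ProcessEvent) -> bool:
    """The rule as the summary describes it: PowerShell image plus '- <' on the
    child's own command line."""
    return is_powershell(event) and REDIRECT_PATTERN.search(event.command_line) is not None


def matches_rule_with_parent(event: ProcessEvent) -> bool:
    """Extended check (editor's addition, not part of the rule): also look at
    ParentCommandLine. cmd.exe parses '<' itself and opens the file as the child's
    stdin before CreateProcess, so the child powershell.exe only sees 'powershell -';
    the redirection text survives only on the parent's command line."""
    if not is_powershell(event):
        return False
    return (REDIRECT_PATTERN.search(event.command_line) is not None
            or REDIRECT_PATTERN.search(event.parent_command_line) is not None)


def evaluate(events: dict, check=matches_rule) -> list:
    """Return the names of the sample events a given check fires on, sorted."""
    return sorted(name for name, ev in events.items() if check(ev))


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = {
    # Literal '- <' on the powershell.exe command line: what the rule as described
    # fires on. A child only receives this string when no shell parsed it, e.g. when
    # the whole line was handed to CreateProcess directly.
    "literal": ProcessEvent(
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        command_line=r"powershell - < C:\Users\Public\evil.ps1",
        parent_image=r"C:\Windows\System32\cmd.exe",
        parent_command_line=r"cmd.exe",
    ),
    # Realistic cmd.exe launch: the shell consumed '<', the child saw only '-'.
    "cmd_redirect": ProcessEvent(
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        command_line=r"powershell  -",
        parent_image=r"C:\Windows\System32\cmd.exe",
        parent_command_line=r'cmd.exe /c "powershell - < C:\Users\Public\evil.ps1"',
    ),
    # pwsh run with -File: no redirection, must not fire.
    "benign_file": ProcessEvent(
        image=r"C:\Program Files\PowerShell\7\pwsh.exe",
        command_line=r'"C:\Program Files\PowerShell\7\pwsh.exe" -File C:\Scripts\maint.ps1',
    ),
    # A '-' switch and a comparison operator, but no '<' after a bare '-': must not fire.
    "benign_switch": ProcessEvent(
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        command_line=r'powershell -Command "Get-Process | Where-Object { $_.CPU -lt 5 }"',
    ),
    # Redirection into a non-PowerShell image: out of scope for this rule.
    "other_image": ProcessEvent(
        image=r"C:\Windows\System32\cmd.exe",
        command_line=r"cmd.exe /c sort.exe - < C:\temp\input.txt",
    ),
}

if __name__ == "__main__":
    print("rule as described :", evaluate(SAMPLE_EVENTS))
    print("with parent check :", evaluate(SAMPLE_EVENTS, matches_rule_with_parent))
```

Run stand-alone, the first line lists only `literal`; the second adds `cmd_redirect`, the case a cmd.exe-launched redirect actually produces. If your event source records only the created process's own command line (as Security event 4688 does), the parent-based extension cannot be applied and the cmd.exe case is a coverage gap to document.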
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
Created: 2020-10-17