
Summary
This detection rule identifies the use of PowerShell scripts that contain functions and structures associated with token impersonation or theft. Attackers often exploit these capabilities to duplicate and impersonate other users' tokens, allowing them to escalate privileges and bypass security measures. The rule scans for specific PowerShell functions and Windows API names known for this type of manipulation, such as `Invoke-TokenManipulation`, `AdjustTokenPrivileges`, and related token APIs. It provides proactive defense by monitoring for this PowerShell activity in user environments. In addition to targeting specific script patterns, the detection directs investigation toward the execution context and the potential impact on system integrity, advising analysts to review the script's content and the host's behavior surrounding the detection. An extensive triage process and response strategy are also defined to guide the analyst on how to react to incidents triggered by this rule, detailing steps for isolating affected systems, analyzing user account activity, and considering broader remediation measures.
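The following is an added illustration, not the rule's own query: a small classifier that approximates the logic described above over the text of a PowerShell script block (the sample blocks, the set of "related" token APIs beyond those named on the page, and the pairing heuristic are all assumptions made here).

```python
import re

# Added detector (not the rule's own query). It approximates the rule's logic:
# flag a PowerShell script block that names the PowerSploit helper
# Invoke-TokenManipulation, or that combines a token-acquisition API with a
# token-use API. A single API name on its own is left alone, because benign
# admin scripts reference AdjustTokenPrivileges and friends too.
HELPERS = {"invoke-tokenmanipulation"}
TOKEN_ACQUIRE = {"openprocesstoken", "openthreadtoken", "duplicatetoken",
                 "duplicatetokenex", "ntopenprocesstoken"}
TOKEN_USE = {"adjusttokenprivileges", "impersonateloggedonuser",
             "setthreadtoken", "impersonatenamedpipeclient",
             "createprocesswithtokenw", "ntimpersonatethread"}

# PowerShell identifiers are case-insensitive, so names are compared lowercased.
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_-]*")


def analyze_script_block(text: str) -> dict:
    """Classify one script block (e.g. the ScriptBlockText of a 4104 event)."""
    names = {m.group(0).lower() for m in IDENT.finditer(text)}
    helpers = sorted(names & HELPERS)
    acquire = sorted(names & TOKEN_ACQUIRE)
    use = sorted(names & TOKEN_USE)
    if helpers:
        reason = "known token-manipulation helper"
    elif acquire and use:
        reason = "token acquisition API paired with impersonation/privilege API"
    else:
        reason = None
    return {"matched": reason is not None, "reason": reason,
            "helpers": helpers, "acquire": acquire, "use": use}


# Constructed sample script blocks (not real captures).
SAMPLES = {
    "helper": "Import-Module .\\PowerSploit.psd1\ninvoke-tokenmanipulation",
    "pinvoke": ("[Win32.Advapi32]::OpenProcessToken($p.Handle, ...)\n"
                "[Win32.Advapi32]::DuplicateTokenEx($h, ...)\n"
                "[Win32.Advapi32]::ImpersonateLoggedOnUser($dup)"),
    "benign": ("# enable SeBackupPrivilege with AdjustTokenPrivileges first\n"
               "Start-Job -ScriptBlock { Backup-Files }"),
}

if __name__ == "__main__":
    for label, block in SAMPLES.items():
        verdict = analyze_script_block(block)
        print(f"{label:8} matched={verdict['matched']} reason={verdict['reason']}")
```

The pairing rule is what keeps the single-API "benign" block out of the alert queue while still catching a script that only references the raw Win32 calls and never the helper name.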
Categories
- Endpoint
- Windows
- Cloud
- On-Premise
Data Sources
- Process
- Windows Registry
- Script
- Application Log
- Network Traffic
- File
ATT&CK Techniques
- T1134
- T1134.001
- T1059
- T1059.001
- T1106
Created: 2022-08-17