
Malicious PowerShell Scripts - FileCreation

Sigma Rules

Summary
This detection rule identifies the creation of PowerShell scripts known to be used in exploitation and other attacks. It focuses on file names commonly associated with offensive PowerShell tooling, such as scripts used for exfiltration, persistence, and other malicious activities. Using file event logs from a Windows environment, the rule looks for file creation events in which the file name either matches one of the targeted known malicious script names or contains 'Invoke-Sharp' and carries a '.ps1' extension. This helps surface potentially harmful activity on a system before it can cause significant damage. Given how widely PowerShell is used across forms of exploitation, the rule is classified as high priority because of the severe risk such scripts pose.
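The matching logic described above, as an added example that is not the Sigma rule's own content: a small Python re-implementation run over constructed Sysmon-style FileCreate records. It assumes the file events are Sysmon Event ID 11 (FileCreate) with a TargetFilename field, and since the page does not list the rule's explicit script names, a placeholder entry stands in for that list.

```python
from typing import Iterable, List

# Placeholder standing in for the rule's list of known script names;
# the page does not enumerate them, so none are reproduced here.
KNOWN_SCRIPT_NAMES = {"placeholder-known-script.ps1"}

# Assumed mapping for the rule's Windows file_event source: Sysmon FileCreate.
FILE_CREATE_EVENT_ID = 11


def basename(path: str) -> str:
    """Return the file-name component of a path, lower-cased.

    Windows file names are case-insensitive and Sigma string modifiers
    match case-insensitively, so comparisons are done in lower case.
    """
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def matches_rule(target_filename: str) -> bool:
    """True when the created file satisfies either rule condition:
    an exact known script name, or a name containing 'Invoke-Sharp'
    that ends in '.ps1'."""
    name = basename(target_filename)
    if name in KNOWN_SCRIPT_NAMES:
        return True
    return "invoke-sharp" in name and name.endswith(".ps1")


def scan_file_events(events: Iterable[dict]) -> List[str]:
    """Return the TargetFilename of every FileCreate event that triggers
    the rule; non-create events (e.g. deletes) are ignored, matching the
    rule's scope of file creation only."""
    return [
        e["TargetFilename"]
        for e in events
        if e.get("EventID") == FILE_CREATE_EVENT_ID and matches_rule(e["TargetFilename"])
    ]


# Constructed sample events; none are taken from a real host.
SAMPLE_EVENTS = [
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\Downloads\Invoke-SharpExample.ps1"},
    {"EventID": 11, "TargetFilename": r"C:\Temp\invoke-sharp.PS1"},           # case differs
    {"EventID": 11, "TargetFilename": r"C:\Temp\Invoke-Sharp.txt"},           # wrong extension
    {"EventID": 11, "TargetFilename": r"C:\Tools\placeholder-known-script.ps1"},
    {"EventID": 23, "TargetFilename": r"C:\Temp\Invoke-Sharp.ps1"},           # delete, not create
    {"EventID": 11, "TargetFilename": r"C:\Scripts\Deploy-Build.ps1"},        # routine admin script
]

if __name__ == "__main__":
    for hit in scan_file_events(SAMPLE_EVENTS):
        print("ALERT: suspicious PowerShell script created:", hit)
```

Because the rule keys only on file names, treat a hit as high-fidelity but not as proof that no offensive script was written under another name.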
Categories
  • Windows
  • Endpoint
Data Sources
  • File
Created: 2018-04-07