
Summary
This detection rule identifies suspicious PowerShell script executions originating from the AppData directory, which may indicate malicious activity. It inspects process command lines for PowerShell invocations and looks for references to the AppData folder, specifically its Local and Roaming subdirectories. The alert triggers when the process image matches a PowerShell executable name and the command line explicitly contains a path under AppData. The detection therefore aims to surface potential threats from unauthorized scripts run out of user profile directories, a common tactic attackers use to conceal malicious behavior.
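The matching logic described above, as an added example that is not the rule's own source: a small Python evaluator that applies both conditions (PowerShell image name and an AppData\Local or AppData\Roaming path on the command line) to constructed process-creation events. The set of PowerShell executable names and the sample events are assumptions made here, since the rule text does not enumerate them.

```python
import ntpath
import re

# Executable names treated as PowerShell hosts. The rule text only says
# "PowerShell executable names"; this set is an assumption for the example.
POWERSHELL_IMAGES = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}

# A path component under the profile's AppData\Local or AppData\Roaming folder.
APPDATA_RE = re.compile(r"\\AppData\\(?:Local|Roaming)\\", re.IGNORECASE)


def is_powershell_image(image: str) -> bool:
    """True when the process image's file name is a PowerShell host (case-insensitive)."""
    return ntpath.basename(image).lower() in POWERSHELL_IMAGES


def references_appdata(command_line: str) -> bool:
    """True when the command line contains an AppData\\Local or AppData\\Roaming path."""
    return APPDATA_RE.search(command_line) is not None


def matches_rule(event: dict) -> bool:
    """Both conditions must hold for the event to trigger the alert."""
    return is_powershell_image(event.get("Image", "")) and references_appdata(
        event.get("CommandLine", "")
    )


def evaluate(events) -> list:
    """Return the EventIds of all events that match the rule, in input order."""
    return [e["EventId"] for e in events if matches_rule(e)]


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {   # PowerShell running a script from Roaming: matches
        "EventId": "ev-1",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\alice\AppData\Roaming\update.ps1",
    },
    {   # PowerShell 7 running a script from Local\Temp: matches
        "EventId": "ev-2",
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "CommandLine": r"pwsh.exe -NoProfile -File C:\Users\bob\AppData\Local\Temp\setup.ps1",
    },
    {   # PowerShell with no AppData reference: does not match
        "EventId": "ev-3",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -Command Get-Process",
    },
    {   # AppData reference but the image is cmd.exe, not PowerShell: does not match
        "EventId": "ev-4",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c type C:\Users\alice\AppData\Roaming\notes.txt",
    },
    {   # PowerShell running a script outside a user profile: does not match
        "EventId": "ev-5",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -File C:\ProgramData\Scripts\inventory.ps1",
    },
]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        verdict = "ALERT" if matches_rule(event) else "ok"
        print(f"{event['EventId']}: {verdict}")
```

Because both conditions are required, an AppData path launched by a non-PowerShell host (ev-4) and a PowerShell run without an AppData path (ev-3) stay silent; when tuning for a real environment, legitimate software that updates itself from AppData will need per-application exclusions on top of this logic.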
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2019-01-09