HackTool - Covenant PowerShell Launcher

Summary
This detection rule targets suspicious command lines associated with the execution of Covenant PowerShell launchers. Covenant is a .NET command-and-control framework used in penetration testing and, at times, in malicious activity. The rule focuses on command-line arguments typically used for evasion, such as those that start hidden PowerShell sessions and execute encoded commands. It has two selections. The first matches the flag combination commonly seen in these launchers, `-Sta`, `-Nop` and `-Window Hidden`, combined with `-Command` or `-EncodedCommand`, which may indicate malicious intent. The second extends the detection to launcher-specific strings, including `sv o (New-Object IO.MemoryStream)`, strings tied to the launcher's HTTP-based communication, and `mshta file.hta`. The condition fires if either selection matches. This alerts defenders to evasion tactics employed in conjunction with the Covenant framework, allowing them to respond to potential intrusions.
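As an added illustration (not part of the rule or of this page's own material), the following Python re-creates the two selections as the summary describes them and runs them over a handful of constructed process-creation events. It assumes case-insensitive substring matching on the `CommandLine` field, which is how Sigma's `contains` modifier behaves by default, and treats `-Window Hidden` as one literal because that is how the summary lists it. The sample command lines, image paths and the encoded payload (the UTF-16LE base64 of `echo hi`) are all constructed for the example.

```python
"""Toy re-implementation of the two selections in the Covenant launcher rule.

Assumptions (not taken from the rule file itself):
- matching is case-insensitive substring matching on CommandLine,
  which is Sigma's default `contains` behaviour;
- `-Window Hidden` is treated as a single literal, as the summary lists it.
All events below are constructed samples, not real telemetry.
"""
from typing import Dict, List

# Selection 1: every one of these must be present ...
SELECTION1_ALL = ("-sta", "-nop", "-window hidden")
# ... together with at least one of these.
SELECTION1_ANY = ("-command", "-encodedcommand")

# Selection 2: any one of these launcher-specific strings is enough on its own.
SELECTION2_ANY = (
    "sv o (new-object io.memorystream)",
    "mshta file.hta",
)


def selection1(cmdline: str) -> bool:
    """Hidden, no-profile STA session that runs a -Command/-EncodedCommand."""
    c = cmdline.lower()
    return all(s in c for s in SELECTION1_ALL) and any(s in c for s in SELECTION1_ANY)


def selection2(cmdline: str) -> bool:
    """Launcher-specific literals named in the rule summary."""
    c = cmdline.lower()
    return any(s in c for s in SELECTION2_ANY)


def matches(event: Dict[str, str]) -> bool:
    """Condition: the alert fires if either selection matches."""
    return selection1(event.get("CommandLine", "")) or selection2(event.get("CommandLine", ""))


def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events that would alert, annotated with the selection that fired."""
    hits = []
    for ev in events:
        if matches(ev):
            hit = dict(ev)
            hit["Selection"] = "selection1" if selection1(ev["CommandLine"]) else "selection2"
            hits.append(hit)
    return hits


# Constructed sample process-creation events (not real logs).
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # Benign: a scheduled admin script with a normal window and profile.
    {"Image": POWERSHELL,
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    # Selection 1: hidden, no-profile STA session running an encoded command
    # (payload is the UTF-16LE base64 of `echo hi`, constructed for this example).
    {"Image": POWERSHELL,
     "CommandLine": "powershell.exe -Sta -Nop -Window Hidden -EncodedCommand ZQBjAGgAbwAgAGgAaQA="},
    # Selection 2: the MemoryStream staging fragment named in the summary.
    {"Image": POWERSHELL,
     "CommandLine": 'powershell.exe -c "sv o (New-Object IO.MemoryStream);$o.Close()"'},
    # Selection 2: the mshta literal.
    {"Image": r"C:\Windows\System32\mshta.exe", "CommandLine": "mshta file.hta"},
    # Not matched: abbreviated parameters are not covered by the literal patterns.
    {"Image": POWERSHELL, "CommandLine": "powershell.exe -nop -w hidden -c Get-Date"},
]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"[{hit['Selection']}] {hit['Image']}: {hit['CommandLine']}")
```

The last sample event is the caveat worth keeping in mind: the rule matches literal substrings, so a launcher that uses PowerShell's abbreviated parameters (`-w hidden`, `-e`) does not hit selection 1, and coverage for that depends on companion rules that look for abbreviated or obfuscated PowerShell arguments rather than on this one.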
Categories
  • Windows
  • Endpoint
  • Application
Data Sources
  • Process
Created: 2020-06-04