HackTool - Evil-WinRm Execution - PowerShell Module

Sigma Rules

Summary
This detection rule identifies execution activity associated with Evil-WinRM, a WinRM shell that attackers commonly use for lateral movement in Windows environments. It works on PowerShell Module logs: its selection criteria look for 'wsmprovhost.exe' (the WinRM host process) together with hardcoded strings that Evil-WinRM leaves in the executed payloads, and the rule fires when the specified conditions in those logs are met. Because the matched activity is remote PowerShell execution that deviates from ordinary administrative use, the rule carries a high risk level, and organizations are advised to monitor for this kind of lateral movement. It is most useful in environments where PowerShell is already used for administrative tasks, where such activity might otherwise blend in, so security teams should deploy the detection promptly.
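The following is an added example, not part of the rule page or the Sigma project's code. It re-implements the detection logic the summary describes (host process 'wsmprovhost.exe' combined with payload indicator strings) as a small Python matcher and runs it over constructed PowerShell Module records. The field names ContextInfo and Payload follow the Sigma ps_module logsource (Windows PowerShell Event ID 4103); the payload indicator strings are labelled placeholders, since the page does not list the rule's actual hardcoded strings.

```python
"""Minimal re-implementation of the detection logic described above.

Added example, not the Sigma rule itself. Records mimic Windows PowerShell
Event ID 4103 (Sigma 'ps_module' logsource), where ContextInfo carries the
host application and Payload carries the executed script text.
"""

# Indicator named in the rule summary: the WinRM plugin host process.
HOST_INDICATOR = "wsmprovhost.exe"

# PLACEHOLDERS (assumption): the page does not list the rule's hardcoded
# payload strings, so stand-in values are used here.
PAYLOAD_INDICATORS = (
    "PLACEHOLDER_EVIL_WINRM_STRING_1",
    "PLACEHOLDER_EVIL_WINRM_STRING_2",
)


def matches_rule(record: dict) -> bool:
    """Return True when both selections of the rule are satisfied.

    Sigma 'contains' modifiers match case-insensitively, so both comparisons
    lower-case the fields first.
    """
    context = record.get("ContextInfo", "").lower()
    payload = record.get("Payload", "").lower()
    host_match = HOST_INDICATOR in context
    payload_match = any(ind.lower() in payload for ind in PAYLOAD_INDICATORS)
    # Condition: selection_host AND selection_payload
    return host_match and payload_match


def scan(records) -> list:
    """Return the RecordId of every record that triggers the rule."""
    return [r["RecordId"] for r in records if matches_rule(r)]


# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    {   # remote session via WinRM host + Evil-WinRM style payload -> hit
        "RecordId": 1,
        "ContextInfo": "Host Application = C:\\Windows\\system32\\wsmprovhost.exe -Embedding",
        "Payload": "CommandInvocation(Invoke-Expression): PLACEHOLDER_EVIL_WINRM_STRING_1",
    },
    {   # WinRM host but ordinary admin command -> no hit (payload selection fails)
        "RecordId": 2,
        "ContextInfo": "Host Application = C:\\Windows\\system32\\wsmprovhost.exe -Embedding",
        "Payload": "CommandInvocation(Get-Service): Get-Service -Name WinRM",
    },
    {   # indicator string but local console host -> no hit (host selection fails)
        "RecordId": 3,
        "ContextInfo": "Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "Payload": "PLACEHOLDER_EVIL_WINRM_STRING_2",
    },
    {   # mixed case on both fields -> still a hit (case-insensitive contains)
        "RecordId": 4,
        "ContextInfo": "Host Application = C:\\WINDOWS\\SYSTEM32\\WSMPROVHOST.EXE",
        "Payload": "placeholder_evil_winrm_string_2 -Arg 1",
    },
]

if __name__ == "__main__":
    print("alerting records:", scan(SAMPLE_RECORDS))
```

Module Logging (Event ID 4103) must be enabled on the endpoint for the ps_module records to exist at all; without it the rule has nothing to match. Replace the placeholder indicators with the strings from the rule source before using the matcher for anything beyond illustration.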
Categories
  • Endpoint
  • Windows
  • Network
Data Sources
  • Windows Registry
  • Script
  • Logon Session
Created: 2024-02-25