
Summary
This detection rule identifies PowerShell invocations in which the version reported by the PowerShell engine does not match the version of the executable hosting it. The detection relies on the version information reported by the PowerShell engine and by the hosting executable: it looks for PowerShell executions where the reported engine version (typically 2, 4, or 5) does not align with the host version, which is expected to be 3. Such a mismatch can indicate an evasion technique in which an attacker manipulates the PowerShell version in use to hide or alter their activity within the PowerShell environment. The rule is particularly useful for detecting sophisticated threats that rely on PowerShell for execution while attempting to disguise that execution through manipulated version numbers.
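As an added illustration (not the rule's own query or any vendor code), the following Python implements the engine/host version comparison over constructed event messages. It assumes the version strings come from the Windows PowerShell "Engine state is changed" log message (Event ID 400), whose text carries HostVersion= and EngineVersion= fields; the check generalises the combinations listed above by flagging any difference between the two major versions.

```python
import re
from typing import List, Optional, Tuple

# Assumption (not stated on the page): the versions are taken from the Windows
# PowerShell Event ID 400 message, which embeds key=value fields in its text.
FIELD_RE = re.compile(r"\b(HostVersion|EngineVersion)=([0-9]+(?:\.[0-9]+)*)")


def parse_versions(message: str) -> Optional[Tuple[int, int]]:
    """Return (host_major, engine_major) from an event message, or None if absent."""
    fields = dict(FIELD_RE.findall(message))
    if "HostVersion" not in fields or "EngineVersion" not in fields:
        return None
    host_major = int(fields["HostVersion"].split(".")[0])
    engine_major = int(fields["EngineVersion"].split(".")[0])
    return host_major, engine_major


def is_version_mismatch(message: str) -> bool:
    """The rule's condition: the engine major version differs from the host's."""
    parsed = parse_versions(message)
    if parsed is None:
        return False  # no version fields, so nothing to compare
    host_major, engine_major = parsed
    return host_major != engine_major


def find_mismatches(messages: List[str]) -> List[str]:
    """Return the subset of messages the rule would alert on."""
    return [m for m in messages if is_version_mismatch(m)]


# Constructed sample messages (not real captures); layout mirrors Event ID 400.
SAMPLE_EVENTS = [
    "Engine state is changed from None to Available. Details: NewEngineState=Available "
    "PreviousEngineState=None SequenceNumber=13 HostName=ConsoleHost HostVersion=5.1.19041.1 "
    "HostId=<placeholder> EngineVersion=5.1.19041.1 RunspaceId=<placeholder>",
    "Engine state is changed from None to Available. Details: NewEngineState=Available "
    "PreviousEngineState=None SequenceNumber=9 HostName=ConsoleHost HostVersion=5.1.19041.1 "
    "HostId=<placeholder> EngineVersion=2.0 RunspaceId=<placeholder>",
    "Engine state is changed from Available to Stopped. Details: NewEngineState=Stopped",
]

if __name__ == "__main__":
    for event in find_mismatches(SAMPLE_EVENTS):
        print("ALERT host/engine major version mismatch:", parse_versions(event))
```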
Categories
- Windows
- Endpoint
Data Sources
- Process
- Application Log
Created: 2017-03-05