
Summary
This detection rule identifies PowerShell being used to modify registry values in the Windows Current User (HKCU) and Local Machine (HKLM) registry hives. Adversaries manipulate registry settings to maintain persistence, execute hidden commands, or clean up traces of their activity. The rule combines Windows process creation events (Event Code 4688) with PowerShell command-line indicators (specifically 'Invoke-Expression' and its alias 'IEX') to surface this behavior. By inspecting process creation events for these patterns, the rule flags potential defense evasion by threat actors, so that unauthorized alterations to the Windows Registry can be escalated for investigation.
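The following is an added worked example of the detection logic described above, not the rule's own implementation. It runs over constructed Event ID 4688 records (only the NewProcessName and CommandLine fields are modelled, with names taken from the 4688 schema) and flags PowerShell launches whose command line both references the HKCU/HKLM hives and uses a registry-writing cmdlet, or invokes Invoke-Expression/IEX. The set of cmdlets checked (Set-ItemProperty, New-ItemProperty, Remove-ItemProperty, New-Item, Remove-Item, reg add/delete) is an assumption of this example, as is the extra step of decoding a -EncodedCommand argument before matching, which the rule text does not mention but which a practitioner would want so that the same activity is not missed when base64-encoded.

```python
import base64
import re

# Process images treated as PowerShell hosts (assumption of this example).
POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe", "powershell_ise.exe")

# Registry hive references in either short or long form.
HIVE_RE = re.compile(r"\b(HKCU|HKLM|HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)\b", re.IGNORECASE)
# Cmdlets / tools that write to the registry (assumed list, not from the rule).
WRITE_RE = re.compile(
    r"\b(Set-ItemProperty|New-ItemProperty|Remove-ItemProperty|New-Item|Remove-Item"
    r"|reg(?:\.exe)?\s+(?:add|delete))\b",
    re.IGNORECASE,
)
# The Invoke-Expression indicator named by the rule, plus its IEX alias.
IEX_RE = re.compile(r"\b(Invoke-Expression|IEX)\b", re.IGNORECASE)
# -EncodedCommand and its common abbreviations, followed by the base64 payload.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def encode_command(script: str) -> str:
    """Build a PowerShell -EncodedCommand argument (UTF-16LE text, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload, or '' if absent/invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def evaluate_event(event: dict):
    """Apply the rule to one 4688-shaped record; return an alert dict or None."""
    if event.get("EventCode") != 4688:
        return None
    image = event.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
    if image not in POWERSHELL_IMAGES:
        return None
    cmdline = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmdline)
    # Match against both the raw command line and any decoded payload.
    text = cmdline + "\n" + decoded
    reasons = []
    if HIVE_RE.search(text) and WRITE_RE.search(text):
        reasons.append("registry_write")
    if IEX_RE.search(text):
        reasons.append("invoke_expression")
    if not reasons:
        return None
    return {"image": image, "reasons": reasons, "decoded": decoded, "command_line": cmdline}


def detect(events):
    """Run the rule over a sequence of events and return the alerts raised."""
    return [a for a in (evaluate_event(e) for e in events) if a]


# Constructed sample records in the shape of Security Event ID 4688.
# These are made up for the example and are not telemetry from any real host.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PWSH = r"C:\Program Files\PowerShell\7\pwsh.exe"
SAMPLE_4688_EVENTS = [
    {"EventCode": 4688, "NewProcessName": PS,
     "CommandLine": r'powershell.exe -NoProfile -Command "Set-ItemProperty -Path HKCU:\Software\ExampleVendor -Name Mode -Value 1"'},
    {"EventCode": 4688, "NewProcessName": PWSH,
     "CommandLine": r'pwsh.exe -Command "IEX (Get-Content C:\Temp\setup.ps1 -Raw)"'},
    {"EventCode": 4688, "NewProcessName": PS,
     "CommandLine": "powershell.exe -NoProfile -EncodedCommand "
                    + encode_command(r"New-ItemProperty -Path HKLM:\SOFTWARE\ExampleVendor -Name Enabled -Value 1")},
    {"EventCode": 4688, "NewProcessName": PS,
     "CommandLine": r'powershell.exe -c "reg add HKCU\Software\ExampleVendor /v Mode /d 1"'},
    {"EventCode": 4688, "NewProcessName": PS,
     "CommandLine": "powershell.exe -Command Get-Process"},          # benign: no registry, no IEX
    {"EventCode": 4688, "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe readme.txt"},                        # benign: not PowerShell
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_4688_EVENTS):
        print(alert["image"], alert["reasons"], alert["command_line"][:60])
```

The hive-plus-write pairing keeps read-only registry queries (Get-ItemProperty) from alerting, while the IEX branch is deliberately independent of the hive check, mirroring the rule's two indicators; in production the IEX branch would need tuning against administrative scripts that legitimately use Invoke-Expression.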
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Process
- Application Log
ATT&CK Techniques
- T1059.001
- T1546.008
- T1112
Created: 2024-02-09