
Potential Process Execution Proxy Via CL_Invocation.ps1

Summary
This rule flags use of the SyncInvoke function from CL_Invocation.ps1, a Microsoft-signed PowerShell script that ships with Windows. Once the script is dot-sourced, SyncInvoke launches whatever executable it is handed, so an attacker can run a payload through a trusted script instead of calling it directly; this is a living-off-the-land proxy execution technique used for defense evasion. The detection is a single selection over Windows process creation events: the command line must contain the string "SyncInvoke " (trailing space included, so the pattern only matches a call that is followed by an argument). Sigma string matching is case-insensitive, so variants such as syncinvoke also match. The rule only sees the call when it appears on a command line, for example inside a powershell.exe -Command argument; a SyncInvoke call typed in an already running interactive PowerShell session produces a child process whose own command line does not contain the string, so PowerShell script block logging is needed to cover that path. The rule is rated medium severity and maps to MITRE ATT&CK T1216 (System Script Proxy Execution); matches should be triaged by looking at the parent process and the executable passed to SyncInvoke. The references attached to the rule give more background on how the function is abused.
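As an added example (not code from the page, from the rule's authors or from the Sigma project), the rule's selection is re-implemented in Python and run over constructed process-creation events. Field names follow the Sysmon/Sigma convention (CommandLine, Image, ParentImage); the script path, event ids, binaries and command lines are assumptions made for this example. It also walks through the two edge cases a practitioner cares about: the trailing space in the pattern, and the interactive-session child process the rule cannot see.

```python
"""Toy re-implementation of the CL_Invocation.ps1 Sigma rule's logic, run over
constructed process-creation events. Nothing here is real telemetry."""

from typing import Iterable, List

# The rule's selection: CommandLine contains "SyncInvoke " (trailing space included).
PATTERN = "SyncInvoke "


def matches_cl_invocation_rule(event: dict) -> bool:
    """Apply the rule to one event: the logsource must be Windows process
    creation, and CommandLine must contain the pattern. Sigma 'contains'
    is case-insensitive, so compare lower-cased strings."""
    if event.get("product") != "windows" or event.get("category") != "process_creation":
        return False
    command_line = event.get("CommandLine") or ""
    return PATTERN.lower() in command_line.lower()


def run_rule(events: Iterable[dict]) -> List[str]:
    """Return the ids of all events the rule fires on, in input order."""
    return [e["id"] for e in events if matches_cl_invocation_rule(e)]


POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Assumed location of the signed script (illustrative; not taken from the page).
CL_INVOCATION = r"C:\Windows\diagnostics\system\AERO\CL_Invocation.ps1"

# Constructed sample events.
SAMPLE_EVENTS = [
    # 1. Classic proxy execution: dot-source the signed script, then SyncInvoke
    #    an attacker-controlled binary. The string is on the command line -> fires.
    {"id": "proxy-via-command", "product": "windows", "category": "process_creation",
     "Image": POWERSHELL, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f'powershell.exe -ExecutionPolicy Bypass -Command '
                    f'". {CL_INVOCATION}; SyncInvoke C:\\Users\\Public\\update.exe"'},
    # 2. Same technique, mixed case. Matching is case-insensitive -> fires.
    {"id": "proxy-mixed-case", "product": "windows", "category": "process_creation",
     "Image": POWERSHELL, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'powershell -c ". {CL_INVOCATION}; syncinvoke c:\\temp\\a.exe"'},
    # 3. Benign PowerShell command line -> does not fire.
    {"id": "benign-powershell", "product": "windows", "category": "process_creation",
     "Image": POWERSHELL, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Service"},
    # 4. The child spawned by SyncInvoke from an *interactive* session. Its own
    #    command line is just the target binary, so this rule cannot see the
    #    SyncInvoke call; script block logging (event 4104) is needed for that.
    {"id": "proxied-child-interactive", "product": "windows", "category": "process_creation",
     "Image": r"C:\Users\Public\update.exe", "ParentImage": POWERSHELL,
     "CommandLine": r"C:\Users\Public\update.exe"},
    # 5. Function name mentioned without a following argument: the trailing
    #    space in the pattern keeps this from matching.
    {"id": "no-trailing-space", "product": "windows", "category": "process_creation",
     "Image": POWERSHELL, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -c "Get-Command SyncInvoke"'},
    # 6. Right string, wrong logsource: the rule is scoped to process creation.
    {"id": "wrong-logsource", "product": "windows", "category": "ps_script",
     "ScriptBlockText": f". {CL_INVOCATION}; SyncInvoke notepad.exe"},
]


if __name__ == "__main__":
    for event_id in run_rule(SAMPLE_EVENTS):
        print("ALERT", event_id)
```

Only the first two events fire. Event 4 is the one to keep in mind when tuning coverage: the proxied binary's own process-creation record looks like any other child of powershell.exe, so pairing this rule with a script block logging rule on the same string closes the gap.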
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Application Log
Created: 2020-10-14