
Potential PowerShell Execution Via DLL

Sigma Rules

Summary
This detection rule identifies potentially malicious PowerShell commands executed through a Dynamic Link Library (DLL) rather than through the PowerShell executable itself. Normally PowerShell runs in its own process, but tools such as PowerShdll allow PowerShell commands to be invoked from other executables, notably DLL hosts. The rule therefore looks for PowerShell code being handed over in command-line arguments to processes known to host or load DLLs: it fires when a specific DLL-hosting executable name is observed together with characteristic PowerShell command content in that process's command line. Sophisticated threats evade standard monitoring by using legitimate system binaries in unconventional ways, and that combination of a trusted binary with PowerShell-style arguments is what this rule aims to surface.
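The two-part match described above (a DLL-hosting image name AND PowerShell-style content in the command line) can be replayed over process-creation events with a few lines of Python. This is an added example, not the Sigma rule's own definition: the DLL-host image list, the command-line indicators and the sample events are assumptions constructed here for illustration, and the event records are a simplified stand-in for Sysmon Event ID 1 or Security 4688 data.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Assumption (not taken from the page): Windows binaries commonly used to host,
# register or load DLLs, matched on the image file name only.
DLL_HOST_IMAGES = {"rundll32.exe", "regsvr32.exe", "regsvcs.exe", "regasm.exe", "installutil.exe"}

# Assumption: substrings typical of PowerShell payloads passed on a command line.
POWERSHELL_INDICATORS = ("Default.GetString", "FromBase64String")


@dataclass
class ProcessEvent:
    """Minimal process-creation record: image path plus full command line."""
    image: str
    command_line: str


def image_name(path: str) -> str:
    """Lower-cased file name of an image path; accepts / or \\ as separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def matches_rule(event: ProcessEvent) -> bool:
    """True when a DLL-hosting binary carries a PowerShell-style payload.

    Both selections must hold, as in the rule described above. Matching is
    case-insensitive, mirroring Sigma's default 'contains' behaviour.
    """
    if image_name(event.image) not in DLL_HOST_IMAGES:
        return False
    cmd = event.command_line.lower()
    return any(indicator.lower() in cmd for indicator in POWERSHELL_INDICATORS)


def detect(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Return only the events the rule would alert on."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events; the base64 blob is a placeholder, not real content.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"),       # benign DLL host use
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe",
                 r"regsvr32.exe /s C:\Program Files\App\codec.dll"),         # benign registration
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",                        # should alert
                 r'rundll32.exe C:\Users\Public\host.dll,main '
                 r'[Text.Encoding]::Default.GetString([Convert]::FromBase64String("<BASE64_PLACEHOLDER>"))'),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # out of scope: PowerShell in its own process
                 r'powershell.exe -c [Convert]::FromBase64String("<BASE64_PLACEHOLDER>")'),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT:", hit.image, "|", hit.command_line)
```

Only the third sample event satisfies both selections; the last one shows that PowerShell running under its own process is deliberately outside this rule's scope and belongs to other detections.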
Categories
  • Windows
  • Endpoint
  • Cloud
Data Sources
  • Process
Created: 2018-08-25