
Summary
This detection rule identifies potential process injection via PowerShell in Windows environments. It focuses on specific Windows API functions that malware and security tools often use to load malicious code or inject it into other processes. The rule uses data from Winlogbeat and PowerShell logs to analyze script block execution that references functions such as VirtualAlloc, LoadLibrary, and WriteProcessMemory. It also provides detailed investigation steps, false positive analysis, and recommended hypotheses for each alert trigger, and it stresses the importance of monitoring PowerShell usage, implementing logging policies, and isolating compromised systems, backed by a robust incident response to mitigate threats effectively. PowerShell is a valuable utility that, when abused, lets attackers execute stealthy payloads entirely in memory, evading traditional file-based detection methods.
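As an added illustration of the detection idea (not the rule's own query), the script below scans constructed Winlogbeat-style PowerShell Script Block Logging events (event ID 4104) for the API names named above; the field layout, the sample events, and the choice to require two distinct API names per block before alerting are assumptions of this example, not part of the original rule.

```python
import re
from typing import Dict, List, Optional, Set

# API names the rule summary says the script-block analysis looks for.
INJECTION_APIS = ("VirtualAlloc", "LoadLibrary", "WriteProcessMemory")
# Requiring two distinct names per block is an assumption of this example,
# meant to keep a lone LoadLibrary mention in an admin script from firing.
MIN_DISTINCT_APIS = 2
# Also matches suffixed variants such as VirtualAllocEx or LoadLibraryA.
API_PATTERN = re.compile(r"\b(" + "|".join(INJECTION_APIS) + r")\w*", re.IGNORECASE)
SCRIPT_BLOCK_EVENT_ID = "4104"  # PowerShell Operational log, Script Block Logging

def matched_apis(script_text: str) -> Set[str]:
    """Canonical API names referenced in one script block."""
    canonical = {api.lower(): api for api in INJECTION_APIS}
    return {canonical[m.group(1).lower()] for m in API_PATTERN.finditer(script_text)}

def evaluate_event(event: Dict) -> Optional[Dict]:
    """Return an alert for a script-block event referencing enough injection APIs, else None."""
    winlog = event.get("winlog", {})
    # Constructed Winlogbeat-style layout; the field names are assumptions.
    if str(winlog.get("event_id")) != SCRIPT_BLOCK_EVENT_ID:
        return None  # module-logging or other events are not script blocks
    apis = matched_apis(winlog.get("event_data", {}).get("ScriptBlockText", ""))
    if len(apis) < MIN_DISTINCT_APIS:
        return None
    return {"host": event.get("host", {}).get("name"), "apis": sorted(apis)}

def run_detection(events: List[Dict]) -> List[Dict]:
    """Apply evaluate_event to every event and keep the alerts."""
    return [alert for alert in map(evaluate_event, events) if alert]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"host": {"name": "WS01"}, "winlog": {"event_id": "4104", "event_data": {"ScriptBlockText":
        '[DllImport("kernel32.dll")] public static extern IntPtr VirtualAllocEx(IntPtr h);\n'
        '[DllImport("kernel32.dll")] public static extern bool WriteProcessMemory(IntPtr h);'}}},
    {"host": {"name": "WS02"}, "winlog": {"event_id": "4104", "event_data": {"ScriptBlockText":
        "# helper that wraps LoadLibrary for a signed vendor module\nImport-Module VendorTools"}}},
    {"host": {"name": "WS03"}, "winlog": {"event_id": "4103", "event_data": {"Payload":
        "CommandInvocation(Write-Host): VirtualAlloc WriteProcessMemory"}}},
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert)
```

Only WS01 alerts: WS02 mentions a single API in a comment and WS03 is not a script-block event, which is the kind of false-positive triage the rule's investigation steps are meant to support.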
Categories
- Endpoint
- Windows
- Other
- Cloud
Data Sources
- Script
- Process
- Logon Session
- Application Log
- Network Traffic
ATT&CK Techniques
- T1055
- T1055.001
- T1055.002
- T1059
- T1059.001
- T1106
Created: 2021-10-14