
Summary
This detection rule identifies non-interactive PowerShell processes spawned in Windows environments. It matches process-creation events for 'powershell.exe' or its cross-platform variant 'pwsh.exe' and excludes instances whose parent is an interactive or Windows-owned launcher, specifically 'explorer.exe' (the user's desktop shell), 'CompatTelRunner.exe', or 'SetupHost.exe'. A PowerShell process started by any other parent, such as an Office application, a WMI provider host, a service, or another script interpreter, is flagged. The selection criteria therefore combine an image-name check with a parent-process filter, so that routine interactive use is suppressed while script-driven launches from unexpected parents are surfaced. Optional filters are also provided for common development tools such as Visual Studio Code and Windows Terminal, which legitimately spawn PowerShell and would otherwise generate noise in environments where they are widely deployed. The rule maps to MITRE ATT&CK T1059.001 (Command and Scripting Interpreter: PowerShell) and is useful for identifying and investigating abnormal PowerShell executions that may indicate post-exploitation activity or lateral movement.
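To make the selection and filter logic concrete, the following is an added example (not the rule's own code or part of this page) that evaluates the described logic over a handful of constructed process-creation events in Sysmon Event ID 1 field layout (Image, ParentImage, CommandLine). The dev-tool parent image names 'Code.exe' and 'WindowsTerminal.exe' used for the optional filters are assumptions; check the names against the binaries actually deployed in your environment.

```python
"""
Added example: evaluator for the "non-interactive PowerShell" detection logic
described on this page, run over constructed sample events.

Not the rule's own code. Field names follow Sysmon Event ID 1; the optional
dev-tool parent names are assumptions.
"""
from typing import Dict, Iterable, List, Sequence

# Selection: the process image is PowerShell (Windows PowerShell or PowerShell Core).
# The leading backslash prevents a lookalike such as "evilpowershell.exe" from matching.
POWERSHELL_IMAGES: Sequence[str] = ("\\powershell.exe", "\\pwsh.exe")

# Filter: parents that represent interactive or Windows-owned launches of PowerShell.
INTERACTIVE_PARENTS: Sequence[str] = (
    "\\explorer.exe",
    "\\CompatTelRunner.exe",
    "\\SetupHost.exe",
)

# Optional filter for developer tooling (assumed image names; enable only where these tools are in use).
DEV_TOOL_PARENTS: Sequence[str] = ("\\Code.exe", "\\WindowsTerminal.exe")


def _endswith_any(value: str, suffixes: Sequence[str]) -> bool:
    """Case-insensitive suffix match, mirroring how Sigma 'endswith' is applied on Windows paths."""
    lowered = value.lower()
    return any(lowered.endswith(s.lower()) for s in suffixes)


def matches_rule(event: Dict[str, str], filter_dev_tools: bool = False) -> bool:
    """Return True when the event should raise an alert under the rule logic."""
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    if not _endswith_any(image, POWERSHELL_IMAGES):
        return False                      # not a PowerShell process at all
    if _endswith_any(parent, INTERACTIVE_PARENTS):
        return False                      # interactive / Windows-owned launch, excluded
    if filter_dev_tools and _endswith_any(parent, DEV_TOOL_PARENTS):
        return False                      # optional dev-tool exclusion
    return True


def run_detection(events: Iterable[Dict[str, str]], filter_dev_tools: bool = False) -> List[str]:
    """Return the ProcessIds of all events that match the rule."""
    return [e["ProcessId"] for e in events if matches_rule(e, filter_dev_tools)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # User opened PowerShell from the desktop: interactive, excluded.
    {"ProcessId": "1001", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe"},
    # Office document spawning an encoded command: classic macro delivery, should alert.
    {"ProcessId": "1002", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA..."},
    # WMI provider host launching PowerShell Core: typical of remote execution, should alert.
    {"ProcessId": "1003", "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "CommandLine": "pwsh.exe -c whoami"},
    # VS Code integrated terminal: alerts unless the optional dev-tool filter is enabled.
    {"ProcessId": "1004", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "CommandLine": "powershell.exe"},
    # cmd.exe from Word is suspicious too, but outside this rule's selection.
    {"ProcessId": "1005", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "cmd.exe /c whoami"},
    # Mixed-case image name under a telemetry task: the case-insensitive filter still excludes it.
    {"ProcessId": "1006", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.EXE",
     "ParentImage": r"C:\Windows\System32\CompatTelRunner.exe", "CommandLine": "PowerShell.EXE -File x.ps1"},
]


if __name__ == "__main__":
    for pid in run_detection(SAMPLE_EVENTS):
        print(f"ALERT ProcessId={pid}")
    print("with dev-tool filter:", run_detection(SAMPLE_EVENTS, filter_dev_tools=True))
```

Two points worth keeping in mind when tuning this: the optional dev-tool filter trades coverage for noise reduction, so a PowerShell launched from a compromised developer workstation through the editor's terminal is invisible once it is enabled; and because the selection keys on the image name, a renamed PowerShell binary or PowerShell hosted inside another process via System.Management.Automation never enters the selection at all, so this rule should be paired with script block logging or module logging rather than relied on alone.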
Categories
- Windows
- Endpoint
Data Sources
- Process
- Application Log
Created: 2019-09-12