
Summary
This detection rule identifies unauthorized or suspicious writes of data into NTFS Alternate Data Streams (ADS) via PowerShell, specifically through cmdlets such as `set-content` and `add-content`. The rule requires Script Block Logging to be enabled so that the PowerShell script blocks executed on a Windows system are captured and can be analyzed. By inspecting script block contents for keywords associated with ADS interaction, it highlights potential misuse that maps to the defense evasion and execution tactics. The detection logic consists of two selections: one for the content-manipulation cmdlets and one for the stream-targeting syntax; both must match for the rule to fire. Organizations should monitor these actions, since they may indicate an attempt to hide data or establish persistence using the concealment that NTFS alternate data streams provide.
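To show how the two-selection logic described above behaves on actual Script Block Logging data, here is an added Python example (not part of the original rule or its project) that applies both selections to a few constructed `ScriptBlockText` values. The cmdlet list comes from the page; the `-Stream` parameter as the stream-targeting marker is an assumption, since the page does not quote the rule's exact keyword. The `summarize_alert` enrichment helper is also an addition of this example.

```python
import re

# Selection 1: the content-manipulation cmdlets named in the rule summary.
CONTENT_CMDLETS = re.compile(r"\b(set-content|add-content)\b", re.IGNORECASE)

# Selection 2: stream targeting. Assumed here to be the -Stream parameter,
# which is how these cmdlets address an alternate data stream.
STREAM_MARKER = re.compile(r"-stream\b", re.IGNORECASE)

# Captures the stream name that follows -Stream (quoted or bare token).
STREAM_VALUE = re.compile(
    r"-stream\s+(?:\"([^\"]*)\"|'([^']*)'|(\S+))", re.IGNORECASE
)

# Constructed sample script block texts, as they would appear in the
# ScriptBlockText field of a Script Block Logging event (hypothetical data).
SAMPLE_SCRIPT_BLOCKS = [
    # Ordinary file write, no stream: selection 2 does not match.
    r"Set-Content -Path C:\temp\readme.txt -Value 'hello'",
    # Write into a named stream: both selections match.
    r"Add-Content -Path C:\temp\readme.txt -Stream hidden -Value 'data'",
    # Read from a stream: selection 1 does not match (read, not write).
    r"Get-Content -Path C:\temp\readme.txt -Stream hidden",
    # Lower-case and quoted stream name: both selections still match.
    r"set-content -path .\a.txt -stream 'Zone.Identifier' -value '[ZoneTransfer]'",
]


def matches_ads_write(script_block_text: str) -> bool:
    """Mirror the rule's AND condition: both selections must match."""
    return bool(
        CONTENT_CMDLETS.search(script_block_text)
        and STREAM_MARKER.search(script_block_text)
    )


def triage(script_blocks):
    """Return only the script blocks that would trigger the rule."""
    return [text for text in script_blocks if matches_ads_write(text)]


def summarize_alert(script_block_text: str):
    """Enrich a matching block with the cmdlet used and the target stream name.

    Returns None when the block would not trigger the rule.
    """
    if not matches_ads_write(script_block_text):
        return None
    cmdlet = CONTENT_CMDLETS.search(script_block_text).group(1).lower()
    m = STREAM_VALUE.search(script_block_text)
    stream = (m.group(1) or m.group(2) or m.group(3)) if m else None
    return {"cmdlet": cmdlet, "stream": stream}


if __name__ == "__main__":
    for text in triage(SAMPLE_SCRIPT_BLOCKS):
        print(summarize_alert(text), "<-", text)
```

Two things worth noting when turning this into a production rule: PowerShell accepts any unambiguous parameter prefix, so a strict `-stream` token match has gaps that a looser "contains" match closes, and the stream name captured by `summarize_alert` is useful context for the analyst (a `Zone.Identifier` write from a browser or download tool is expected, whereas an arbitrary stream name under a user-controlled path is not).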
Categories
- Windows
- Endpoint
Data Sources
- Script
- Process
ATT&CK Techniques
- T1564.004
Created: 2018-07-24