
Summary
This detection rule identifies use of PowerShell's `Start-Process` cmdlet with the `-PassThru` parameter, which starts a process in the background and returns a process object for it. Attackers can leverage this to run malicious processes without drawing immediate attention, a defensive evasion technique. The rule looks for script block logging events whose text contains `Start-Process` together with variations of the `-PassThru` and `-FilePath` parameters. Because `-PassThru` is often used in legitimate administrative tasks, the rule is tuned to minimize false positives by taking into account the context in which the command occurs. This gives security analysts insight into potentially suspicious activity that could indicate defensive evasion characteristic of certain malware or attacker methodologies.
Categories
- Endpoint
- Windows
Data Sources
- Script
- Logon Session
ATT&CK Techniques
- T1036.003
Created: 2022-01-15
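As an added illustration of the matching logic described in the summary (this is example code written here, not the rule's own query or any vendor's implementation), the Python below runs the `Start-Process` / `-PassThru` / `-FilePath` check over a few constructed script block records. It goes slightly beyond the summary in one respect: PowerShell accepts any unambiguous prefix of a parameter name (`-Pass`, `-File`), so the check treats any dash-token that is a prefix of the full parameter name as a variation. The record shape, the sample events and the two-character minimum prefix (`MIN_PREFIX`) are assumptions made for the example.

```python
import re
from typing import Dict, Iterable, List

# Full parameter names of interest on Start-Process. PowerShell resolves any
# unambiguous prefix (-Pass, -File, -FilePa ...), so the detection must accept
# abbreviations rather than only the exact spelling.
PASSTHRU = "passthru"
FILEPATH = "filepath"
MIN_PREFIX = 2  # assumption for this example: shortest abbreviation treated as a hit

# Cmdlet name, case-insensitive, as a whole word.
_CMDLET_RE = re.compile(r"\bstart-process\b", re.IGNORECASE)
# A parameter token: a dash followed by letters, not preceded by a word character
# or another dash (so the "-Process" inside "Start-Process" is not a token).
_PARAM_RE = re.compile(r"(?<![\w-])-([A-Za-z]+)")


def _has_param(script_block: str, full_name: str) -> bool:
    """True if any -Token in the text is a prefix (>= MIN_PREFIX chars) of full_name."""
    for token in _PARAM_RE.findall(script_block):
        t = token.lower()
        if len(t) >= MIN_PREFIX and full_name.startswith(t):
            return True
    return False


def is_suspicious_start_process(script_block: str) -> bool:
    """Rule logic: Start-Process present together with -PassThru and -FilePath variants."""
    return (
        bool(_CMDLET_RE.search(script_block))
        and _has_param(script_block, PASSTHRU)
        and _has_param(script_block, FILEPATH)
    )


# Constructed sample records shaped like script block logging entries
# (ScriptBlockText is the field that carries the executed script text).
# These are made up for the example, not real telemetry.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"id": 1, "ScriptBlockText": r"Start-Process -FilePath 'C:\Users\Public\update.exe' -PassThru -WindowStyle Hidden"},
    {"id": 2, "ScriptBlockText": "$p = Start-Process -File notepad.exe -Pass; $p.Id"},
    {"id": 3, "ScriptBlockText": "Start-Process -FilePath msiexec.exe -ArgumentList '/i app.msi /qn' -Wait"},
    {"id": 4, "ScriptBlockText": "Get-Process -Name explorer | Stop-Process -PassThru"},
    {"id": 5, "ScriptBlockText": "start-process -filepath cmd.exe -passthru"},
]


def matching_event_ids(events: Iterable[Dict[str, object]]) -> List[int]:
    """Return the ids of records that satisfy the rule, in input order."""
    return [int(e["id"]) for e in events if is_suspicious_start_process(str(e["ScriptBlockText"]))]


if __name__ == "__main__":
    print(matching_event_ids(SAMPLE_EVENTS))  # [1, 2, 5]
```

Records 3 and 4 show why both conditions are needed: record 3 uses `-FilePath` without `-PassThru` (an ordinary installer launch), and record 4 uses `-PassThru` on `Stop-Process`, not `Start-Process`. Record 2 shows the abbreviated forms the summary calls "variations". In a production rule the prefix handling would be tightened to the actual unambiguous abbreviations for `Start-Process`, and the context tuning the summary mentions (parent process, user, script path) would be layered on top of this text match.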