
Summary
This rule identifies suspicious PowerShell script executions that use the .NET `System.Security.Cryptography` namespace. It monitors `EventCode 4104` (PowerShell Script Block Logging, written to the Microsoft-Windows-PowerShell/Operational log), so Script Block Logging must be enabled on the endpoint for the rule to fire at all. By matching script blocks that invoke cryptographic classes while explicitly excluding common hashing algorithms such as SHA and MD5, the detection highlights activity frequently associated with malicious behavior: malware that decrypts or decodes an embedded payload before executing it, which lets an attacker run additional code, escalate privileges, or maintain persistence in the targeted environment. Because the exclusion is name-based, a script that performs both hashing and decryption is suppressed, and legitimate administrative scripts that encrypt data will also match; analysts should investigate the parent and child processes, any decrypted data, network connections made during the incident, and the identity of the user executing the script before deciding whether the activity is malicious.
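The matching logic described above, run over a handful of constructed 4104 records. This is an added illustration, not the rule's own search: the field names, the two regular expressions and the sample script blocks are assumptions that approximate the summary (namespace match, then drop blocks naming SHA or MD5). Event 4 shows the blind spot of a name-based exclusion: the same decrypt-and-execute chain is suppressed once a SHA256 object appears in the block.

```python
import re

# Constructed sample records shaped like Microsoft-Windows-PowerShell/Operational
# EventCode 4104 (Script Block Logging) fields; not real captured telemetry.
SAMPLE_EVENTS = [
    {   # AES decrypt followed by Invoke-Expression: the pattern the rule targets
        "EventCode": 4104, "Computer": "ws01.example.local",
        "UserID": "S-1-5-21-1-2-3-1001",
        "ScriptBlockText": (
            "$aes=[System.Security.Cryptography.Aes]::Create();$aes.Key=$k;$aes.IV=$iv;"
            "$d=$aes.CreateDecryptor();$p=$d.TransformFinalBlock($b,0,$b.Length);"
            "IEX([Text.Encoding]::UTF8.GetString($p))"
        ),
    },
    {   # Plain file hashing: uses the namespace but is excluded as benign hashing
        "EventCode": 4104, "Computer": "ws02.example.local",
        "UserID": "S-1-5-21-1-2-3-1002",
        "ScriptBlockText": (
            "$h=[System.Security.Cryptography.SHA256]::Create();"
            "$h.ComputeHash([IO.File]::ReadAllBytes('C:\\tools\\installer.msi'))"
        ),
    },
    {   # No cryptography at all
        "EventCode": 4104, "Computer": "ws03.example.local",
        "UserID": "S-1-5-21-1-2-3-1003",
        "ScriptBlockText": "Get-ChildItem C:\\Windows\\Temp | Remove-Item -Force",
    },
    {   # Same decrypt-and-execute chain with a hash object added: the exclusion
        # suppresses it, which is the blind spot of a name-based exclusion
        "EventCode": 4104, "Computer": "ws04.example.local",
        "UserID": "S-1-5-21-1-2-3-1004",
        "ScriptBlockText": (
            "$sha=[System.Security.Cryptography.SHA256]::Create();"
            "$aes=[System.Security.Cryptography.Aes]::Create();"
            "$p=$aes.CreateDecryptor().TransformFinalBlock($b,0,$b.Length);IEX($p)"
        ),
    },
    {   # Module logging (4103), not Script Block Logging; outside the rule's scope
        "EventCode": 4103, "Computer": "ws01.example.local",
        "UserID": "S-1-5-21-1-2-3-1001",
        "ScriptBlockText": "[System.Security.Cryptography.Aes]::Create()",
    },
]

# Hypothetical patterns approximating the rule as the summary describes it:
# match the .NET cryptography namespace, then drop blocks that reference the
# common hashing algorithms (SHA*, MD5).
CRYPTO_NAMESPACE = re.compile(r"System\.Security\.Cryptography", re.IGNORECASE)
HASHING_EXCLUSION = re.compile(r"\b(?:SHA\d*|MD5)\b", re.IGNORECASE)


def is_suspicious_script_block(text: str) -> bool:
    """True if the block uses the cryptography namespace and is not excluded
    by the hashing exclusion list."""
    return bool(CRYPTO_NAMESPACE.search(text)) and not HASHING_EXCLUSION.search(text)


def detect(events):
    """Run the rule over 4104 events and return the context an analyst needs
    (host, executing user SID, start of the script block)."""
    findings = []
    for ev in events:
        if ev.get("EventCode") != 4104:
            continue  # only Script Block Logging records carry the full block text
        text = ev.get("ScriptBlockText", "")
        if not is_suspicious_script_block(text):
            continue
        findings.append({
            "Computer": ev["Computer"],
            "UserID": ev["UserID"],
            "Snippet": text[:80],
        })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(f"{finding['Computer']} {finding['UserID']} {finding['Snippet']}")
```

Only the first sample produces a finding. The fourth is the case to keep in mind when tuning: if the exclusion must stay name-based, consider pairing it with a second match on decryptor usage (`CreateDecryptor`, `TransformFinalBlock`) or on `Invoke-Expression`/`IEX` so that a hashing reference alone cannot silence a decrypt-and-execute chain.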
Categories
- Endpoint
Data Sources
- Pod
- Container
- User Account
- Application Log
ATT&CK Techniques
- T1059.001
- T1059
Created: 2024-11-13