Potential Cryptomining Commands

Anvilogic Forge

Summary
This detection rule identifies potentially malicious cryptomining commands executed on systems that an adversary has compromised. Cryptomining uses computing resources to validate cryptocurrency transactions, and unauthorized mining can significantly degrade the performance and availability of the affected systems and services. The rule matches both plaintext and base64-encoded patterns commonly associated with cryptomining, including the specific command-line options that characterize mining operations. The logic runs in Splunk over PowerShell logs, focusing on Event Code 4104 (PowerShell script block logging). A regex filters out legitimate use cases that may not correlate with cryptomining, specifically processes connecting to standard cryptocurrency pools. Run on a regular schedule, the rule supports early identification of resource hijacking attempts and enables proactive incident response.
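As an added illustration of the approach the summary describes, and not the Anvilogic rule's own SPL or pattern list, the Python below scans a 4104 script block for mining indicators in plaintext and in base64 runs decoded as UTF-16LE (PowerShell -EncodedCommand) or UTF-8. The indicator list and the sample script blocks are assumptions constructed for this example.

```python
import base64
import re

# Assumed indicator list (constructed): the published rule does not list its
# patterns, so these are widely known miner options and pool URL schemes.
MINING_RE = re.compile(
    r"stratum\+(?:tcp|ssl)://|--donate-level|--cpu-priority|--max-cpu-usage"
    r"|cryptonight|xmrig", re.IGNORECASE)
# A base64 run long enough to carry a command line (e.g. -EncodedCommand).
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def decode_candidates(text):
    """Yield plausible decodings of every base64-looking run in a script block."""
    for match in B64_RE.finditer(text):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        # PowerShell -EncodedCommand is UTF-16LE; other payloads are usually UTF-8.
        for encoding in ("utf-16-le", "utf-8"):
            try:
                yield raw.decode(encoding)
            except UnicodeDecodeError:
                continue

def find_mining_indicators(script_block):
    """Return sorted, de-duplicated hits from the plaintext and any decoded base64."""
    hits = {m.group(0).lower() for m in MINING_RE.finditer(script_block)}
    for decoded in decode_candidates(script_block):
        hits.update(m.group(0).lower() for m in MINING_RE.finditer(decoded))
    return sorted(hits)

# Constructed sample 4104 script block texts (not real telemetry).
SAMPLE_PLAIN = ("Start-Process miner.exe -ArgumentList "
                "'-o stratum+tcp://pool.example:3333 --donate-level=1'")
_ENC = base64.b64encode(
    "xmrig.exe --cpu-priority 5 -o stratum+ssl://pool.example:443".encode("utf-16-le")).decode()
SAMPLE_ENCODED = f"powershell.exe -NoP -EncodedCommand {_ENC}"
SAMPLE_BENIGN = "Get-ChildItem C:\\Users | Measure-Object"
_BENIGN_ENC = base64.b64encode("Write-Host 'hello world'".encode("utf-16-le")).decode()
SAMPLE_BENIGN_ENCODED = f"powershell.exe -EncodedCommand {_BENIGN_ENC}"

if __name__ == "__main__":
    for name, block in [("plain", SAMPLE_PLAIN), ("encoded", SAMPLE_ENCODED),
                        ("benign", SAMPLE_BENIGN), ("benign-encoded", SAMPLE_BENIGN_ENCODED)]:
        print(name, find_mining_indicators(block))
```

The benign encoded sample shows why decoding matters for false-positive control as well: a long base64 run alone is not an indicator, only what it decodes to.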
Categories
  • Endpoint
  • Cloud
  • Infrastructure
Data Sources
  • Script
  • Process
  • Application Log
  • User Account
  • Network Traffic
ATT&CK Techniques
  • T1496
Created: 2024-02-09