Suspicious X509Enrollment - Ps Script

Sigma Rules

Summary
This detection rule identifies suspicious use of the X509Enrollment class within PowerShell scripts, specifically use that may indicate attempts to manipulate digital certificates for malicious purposes. It looks for script blocks that reference the `X509Enrollment.CBinaryConverter` COM class or the GUID associated with these certificate operations, since both are commonly leveraged in evasion techniques by threat actors. For this rule to fire, Script Block Logging must be enabled on Windows systems, as that is what captures the script content the rule inspects. False positives may arise from legitimate administrative scripts that also perform certificate operations.
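An added example of the detection logic described above, not part of the rule or this page: it matches the class name named in the summary over constructed Script Block Logging records (Event ID 4104), and shows why fragments sharing a ScriptBlockId should be reassembled before matching, since a long script is logged as several events and the token can straddle a fragment boundary. The event field names, sample values and helper names are assumptions; the rule's GUID is not reproduced on this page and is therefore omitted.

```python
import re
from collections import defaultdict

# Constructed sample of PowerShell Script Block Logging records (Event ID 4104).
# A long script is logged as several events sharing one ScriptBlockId, so the
# suspicious token can straddle a fragment boundary. All values are made up.
SAMPLE_EVENTS = [
    {"ScriptBlockId": "blk-1", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-ChildItem Cert:\\LocalMachine\\My"},
    {"ScriptBlockId": "blk-2", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "aryConverter; Write-Host $c"},
    {"ScriptBlockId": "blk-2", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "$c = New-Object -ComObject X509Enrollment.CBin"},
    {"ScriptBlockId": "blk-3", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "$x = New-Object -ComObject x509enrollment.cbinaryconverter"},
]

# Token named on the page; the rule's GUID is not reproduced there, so it is
# left out. PowerShell identifiers are case-insensitive, hence IGNORECASE.
SUSPICIOUS = re.compile(r"X509Enrollment\.CBinaryConverter", re.IGNORECASE)


def reassemble(events):
    """Join 4104 fragments per ScriptBlockId in MessageNumber order."""
    parts = defaultdict(list)
    for ev in events:
        parts[ev["ScriptBlockId"]].append((ev["MessageNumber"], ev["ScriptBlockText"]))
    return {sid: "".join(text for _, text in sorted(p)) for sid, p in parts.items()}


def flag_per_fragment(events):
    """Naive approach: test each event on its own (misses tokens split across events)."""
    return sorted({ev["ScriptBlockId"] for ev in events
                   if SUSPICIOUS.search(ev["ScriptBlockText"])})


def flag_reassembled(events):
    """Test the whole reassembled script block, so split tokens are still caught."""
    return sorted(sid for sid, text in reassemble(events).items()
                  if SUSPICIOUS.search(text))


if __name__ == "__main__":
    print("per fragment:", flag_per_fragment(SAMPLE_EVENTS))  # ['blk-3']
    print("reassembled: ", flag_reassembled(SAMPLE_EVENTS))   # ['blk-2', 'blk-3']
```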
Categories
  • Endpoint
  • Windows
  • Application
Data Sources
  • Script
Created: 2022-12-23