
Summary
This analytic rule detects the enabling of the SMB1 protocol through PowerShell by monitoring script block logging events (EventCode 4104). The detection specifically looks for execution of the `Enable-WindowsOptionalFeature` cmdlet with the `SMB1Protocol` feature name. This action raises security concerns because SMB1 is an outdated protocol vulnerable to exploitation; it is typically abused to facilitate lateral movement within networks and increases the risk of ransomware attacks, such as those executed by RedDot. By allowing SMB1, attackers can potentially traverse the network, encrypt files, and disrupt business operations. This rule helps identify such activity early so that the risk can be mitigated. The implementation requires that the appropriate PowerShell logging (script block logging) be enabled, and analysts should be aware that some legitimate administrative or network operations may enable or disable SMB features, which can lead to false positives.
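The following is an added example of the detection logic described above, written for this page rather than taken from the rule's own search. It runs the match over a few constructed 4104-style events (the computer names, SIDs and script text are made up for illustration), normalizes PowerShell line continuations and case, and only flags the `Enable-WindowsOptionalFeature` form, so the `Disable-` and `Get-` variants of the same feature name, and the same command text logged under a different event code, are not reported.

```python
import re

# Constructed sample events in the shape of PowerShell script block logging
# (EventCode 4104). These are illustrative records, not captured telemetry.
SAMPLE_EVENTS = [
    {"EventCode": 4104, "Computer": "ws01.example.local",
     "UserID": "S-1-5-21-EXAMPLE-1001",
     "ScriptBlockText": "Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -All -NoRestart"},
    {"EventCode": 4104, "Computer": "srv02.example.local",
     "UserID": "S-1-5-21-EXAMPLE-1002",
     # Same cmdlet split with a backtick line continuation and lower-case feature name.
     "ScriptBlockText": "Enable-WindowsOptionalFeature -Online `\n    -FeatureName smb1protocol-client"},
    {"EventCode": 4104, "Computer": "ws03.example.local",
     "UserID": "S-1-5-21-EXAMPLE-1003",
     # Hardening action: disabling SMB1 must not trigger the rule.
     "ScriptBlockText": "Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart"},
    {"EventCode": 4104, "Computer": "ws04.example.local",
     "UserID": "S-1-5-21-EXAMPLE-1004",
     # Read-only inventory query: also not an enable.
     "ScriptBlockText": "Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol"},
    {"EventCode": 4103, "Computer": "ws05.example.local",
     "UserID": "S-1-5-21-EXAMPLE-1005",
     # Module logging event, not script block logging; the rule scopes to 4104.
     "ScriptBlockText": "Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol"},
]

# Cmdlet name followed (anywhere later in the same script block) by the SMB1Protocol
# feature name. The word boundary after SMB1Protocol still allows the Windows Server
# sub-features such as SMB1Protocol-Client and SMB1Protocol-Server.
SMB1_ENABLE_PATTERN = re.compile(
    r"\benable-windowsoptionalfeature\b.*?\bsmb1protocol\b",
    re.IGNORECASE | re.DOTALL,
)


def normalize_script(text: str) -> str:
    """Join backtick line continuations and collapse whitespace so a single
    regex sees the command as the interpreter effectively does."""
    joined = text.replace("`\r\n", " ").replace("`\n", " ")
    return re.sub(r"\s+", " ", joined).strip()


def is_smb1_enable(script_text: str) -> bool:
    """True when the script block enables the SMB1Protocol optional feature."""
    return SMB1_ENABLE_PATTERN.search(normalize_script(script_text)) is not None


def detect(events):
    """Return the 4104 events whose script block enables SMB1, in input order."""
    return [
        e for e in events
        if e.get("EventCode") == 4104 and is_smb1_enable(e.get("ScriptBlockText", ""))
    ]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit['Computer']} {hit['UserID']}: {normalize_script(hit['ScriptBlockText'])}")
```

In production the same match would run inside the SIEM over the `ScriptBlockText` field; the point of the normalization step is that script block logging records the text as written, so a command split across continuation lines or typed in a different case must still be caught. Hits on build or deployment hosts that legitimately toggle SMB features are the false positives the summary mentions and should be handled by an allow-list on host or user rather than by loosening the pattern.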
Categories
- Endpoint
Data Sources
- Pod
- Process
- Application Log
ATT&CK Techniques
- T1027
- T1027.005
- T1059.001
Created: 2024-11-13