Windows PowerShell Process Implementing Manual Base64 Decoder

Splunk Security Content

Summary
This detection rule identifies instances of Windows PowerShell processes that manually decode Base64 strings, a technique often employed by threat actors to obfuscate malicious commands and evade detection. Traditional detection methods targeting common decoding functions like `-enc` and `FromBase64String` may fail, as attackers may implement their own Base64 decoding logic in PowerShell scripts. The rule leverages telemetry from Endpoint Detection and Response (EDR) sources to monitor for process execution patterns that exhibit specific string manipulation methods and bitwise operations indicative of manual decoding practices. Security teams are advised to analyze findings in context, especially if simultaneous suspicious activities are reported on systems where PowerShell execution is not standard.
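The summary above describes the rule's approach in prose only. The following Python is an added example, not Splunk's search and not code from the Security Content project, showing how the same idea can be prototyped over EDR-style process events: instead of looking for the built-in decoders, score a PowerShell command line on whether the building blocks a hand-written Base64 decoder needs (alphabet lookup, 6-bit shifts and masks, character reassembly) occur together. The indicator regexes, the threshold of three co-occurring indicator families, the field names `process_name` and `process`, and the sample events are all assumptions constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Indicator families (assumptions for this example, not the rule's actual search).
# A manual Base64 decoder needs an alphabet lookup, 6-bit shifting/masking and
# character reassembly, so the heuristic looks for those building blocks together.
INDICATORS = {
    "bitwise_ops": re.compile(r"-(?:bxor|band|bor|shl|shr)\b", re.IGNORECASE),
    "string_ops": re.compile(r"\.(?:IndexOf|Substring|ToCharArray|TrimEnd)\s*\(", re.IGNORECASE),
    "char_cast": re.compile(r"\[char\]", re.IGNORECASE),
    "b64_alphabet": re.compile(r"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"),
}
# Built-in decoders that signature-based rules already cover; recorded for context only,
# because the point of this rule is the case where they are absent.
BUILTIN_DECODE = re.compile(r"FromBase64String|-enc(?:odedcommand)?\b", re.IGNORECASE)
MIN_FAMILIES = 3  # assumption: flag when three of the four indicator families co-occur
POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe", "powershell_ise.exe")


@dataclass
class Verdict:
    flagged: bool
    matched: list = field(default_factory=list)
    uses_builtin_decoder: bool = False


def analyze(event: dict) -> Verdict:
    """Score one process-execution event (hypothetical EDR field names)."""
    cmd = event.get("process", "")
    image = event.get("process_name", "").lower()
    if image not in POWERSHELL_IMAGES:
        return Verdict(flagged=False)
    matched = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    # Require at least two distinct bitwise operators so a lone -band in an
    # administrative script does not trip the heuristic on its own.
    distinct_bitwise = {m.lower() for m in INDICATORS["bitwise_ops"].findall(cmd)}
    if "bitwise_ops" in matched and len(distinct_bitwise) < 2:
        matched.remove("bitwise_ops")
    return Verdict(
        flagged=len(matched) >= MIN_FAMILIES,
        matched=matched,
        uses_builtin_decoder=bool(BUILTIN_DECODE.search(cmd)),
    )


# Constructed sample events in an EDR-like shape (not real telemetry).
SAMPLE_EVENTS = [
    # benign administration: no indicators at all
    {"process_name": "powershell.exe",
     "process": 'powershell.exe -NoProfile -Command "Get-ChildItem C:\\Logs | Where-Object { $_.Length -gt 1MB }"'},
    # benign bit masking: a single bitwise operator must not be enough
    {"process_name": "powershell.exe",
     "process": 'powershell.exe -Command "$mask = $flags -band 0x0F; Write-Output $mask"'},
    # built-in decoder only: covered by other rules, not by this heuristic
    {"process_name": "powershell.exe",
     "process": "powershell.exe -EncodedCommand <base64-placeholder>"},
    # fragments of a hand-rolled decoder: alphabet, lookup, shifts, char reassembly
    {"process_name": "powershell.exe",
     "process": "powershell.exe -w hidden -c \"$t='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';"
                "$v=$t.IndexOf($c);$acc=($acc -shl 6) -bor $v;$out+=[char]($acc -band 0xFF)\""},
    # same tokens in a non-PowerShell image are out of scope for this rule
    {"process_name": "cmd.exe",
     "process": "cmd.exe /c echo -shl -bor [char] IndexOf("},
]


def run_samples() -> list:
    return [analyze(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ev, v in zip(SAMPLE_EVENTS, run_samples()):
        print(f"flagged={v.flagged!s:5} builtin={v.uses_builtin_decoder!s:5} "
              f"{v.matched} :: {ev['process'][:70]}")
```

Only the fourth sample is flagged; the second shows why the heuristic demands more than one bitwise operator, and the third shows that an `-EncodedCommand` invocation is deliberately left to the rules that already target built-in decoding. In production the same scoring would run in the SIEM over the `Processes` data model rather than in Python, with the thresholds tuned against the environment's own PowerShell baseline.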
Categories
  • Endpoint
Data Sources
  • Pod
  • Process
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1027.010
  • T1059.001
Created: 2025-10-23