
Summary
This detection rule identifies potential misuse of the .NET CreateDecryptor method from PowerShell by threat actors for purposes such as dynamically decrypting embedded payloads, configuration files, or sensitive data. CreateDecryptor is part of .NET's cryptographic API and has legitimate uses, but its invocation from PowerShell scripts, especially in contexts where no legitimate reason for it is apparent, can indicate malware unpacking, fileless attacks, or staging for ransomware execution. The rule targets any reference to CreateDecryptor within PowerShell activity, helping to surface obfuscated payload execution or preparation for in-memory attacks. It uses Splunk queries to sift through PowerShell logs, filter for events that involve the CreateDecryptor method, and gather the related process information and outputs for analysis.
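As an added illustration (not the rule's own Splunk query), the following Python models the detection over constructed PowerShell ScriptBlock-logging (Event ID 4104) events: it reassembles chunked script blocks by ScriptBlockId before matching, matches the method name case-insensitively because PowerShell method calls are, and rolls hits up by host, user and script path for triage. The field names (ScriptBlockText, ScriptBlockId, MessageNumber, Computer, UserID, Path) are assumed from the 4104 EventData schema and are not taken from the rule.

```python
import re
from collections import defaultdict

# Constructed sample PowerShell ScriptBlock-logging (Event ID 4104) events. The
# keys follow the 4104 EventData names but are assumptions for this example,
# not the rule's exact Splunk field names.
SAMPLE_EVENTS = [
    {"EventCode": 4104, "Computer": "ws01", "UserID": "CORP\\alice", "ScriptBlockId": "a1",
     "Path": "C:\\Scripts\\Backup-Config.ps1", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "$aes = [System.Security.Cryptography.Aes]::Create(); Get-Date"},
    # A long script block is logged as several chunks; the method name only
    # becomes visible once the chunks are joined again.
    {"EventCode": 4104, "Computer": "ws02", "UserID": "CORP\\bob", "ScriptBlockId": "b7",
     "Path": "", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "$aes.Key = $k; $aes.IV = $iv; $dec = $aes.CreateDe"},
    {"EventCode": 4104, "Computer": "ws02", "UserID": "CORP\\bob", "ScriptBlockId": "b7",
     "Path": "", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "cryptor($aes.Key, $aes.IV); $buf = [IO.File]::ReadAllBytes('p.bin')"},
    # PowerShell method names are case-insensitive, so the match must be too.
    {"EventCode": 4104, "Computer": "ws03", "UserID": "CORP\\carol", "ScriptBlockId": "c3",
     "Path": "C:\\Program Files\\Vendor\\Rotate-Keys.ps1", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "$dec = $aes.createdecryptor($key, $iv)"},
]
METHOD = re.compile(r"CreateDecryptor", re.IGNORECASE)

def reassemble(events):
    """Group 4104 chunks by ScriptBlockId and join them in MessageNumber order."""
    blocks = defaultdict(list)
    for ev in events:
        if ev.get("EventCode") == 4104:
            blocks[ev["ScriptBlockId"]].append(ev)
    joined = []
    for sbid, chunks in blocks.items():
        chunks.sort(key=lambda e: e["MessageNumber"])
        first = chunks[0]
        joined.append({"ScriptBlockId": sbid, "Computer": first["Computer"],
                       "UserID": first["UserID"], "Path": first["Path"], "chunks": len(chunks),
                       "ScriptBlockText": "".join(c["ScriptBlockText"] for c in chunks)})
    return joined

def detect(events):
    """Return the reassembled script blocks that reference CreateDecryptor."""
    return [b for b in reassemble(events) if METHOD.search(b["ScriptBlockText"])]

def summarize(hits):
    """Count hits by host, user and script path, the context an analyst triages on."""
    counts = defaultdict(int)
    for h in hits:
        counts[(h["Computer"], h["UserID"], h["Path"] or "<no path: interactive/in-memory>")] += 1
    return dict(counts)
```

An empty Path on a hit is itself worth attention, since it means the block was run interactively or from memory rather than from a script file on disk.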
Categories
- Endpoint
- Windows
- Cloud
- Infrastructure
Data Sources
- Script
- Process
- Application Log
ATT&CK Techniques
- T1059.001
- T1027
Created: 2025-04-16