Potential PowerShell Pass-the-Hash/Relay Script

Elastic Detection Rules

Summary
The rule identifies PowerShell scripts that may facilitate pass-the-hash (PtH) and man-in-the-middle (MitM) attacks by analyzing PowerShell script block logs for patterns indicative of credential interception and NTLM challenge relay. The detection is designed for Windows environments and specifically targets unusual NTLM authentication activity and hex sequences associated with these techniques. The rule triggers on script block events that contain specific keywords and hex values suggesting execution of such a script. PowerShell Script Block Logging must be enabled for the rule to receive the data it needs for effective monitoring and alerting.
Categories
  • Endpoint
  • Windows
  • Cloud
  • Infrastructure
Data Sources
  • Windows Registry
  • Script
  • Process
  • Application Log
  • Network Traffic
  • User Account
ATT&CK Techniques
  • T1557
  • T1059
  • T1059.001
  • T1550
  • T1550.002
Created: 2024-03-27