
ROT Encoded Python Script Execution

Elastic Detection Rules

Summary
The rule identifies the execution of Python scripts that use the ROT cipher, a simple letter-substitution encoding commonly employed by malicious actors to obfuscate their code. Such encoded scripts may be embedded in otherwise legitimate Python packages, evading detection and potentially facilitating malicious activity. The detection uses a sequence query over process and file events on Windows and macOS hosts, specifically looking for Python processes together with files whose names match a pattern associated with ROT encoding (e.g., "rot_??.cpython-*.pyc*"). The aim is to flag execution of such scripts as a possible defense-evasion action. The rule is written in EQL (Event Query Language) and requires endpoint process and file event logs. It carries a risk score of 47 and a medium severity rating, and ships with investigation guidance for distinguishing legitimate from malicious use. Analysts are prompted to examine the context of the flagged Python execution, including the origin of the ROT-encoded files and the associated user activity. Expected legitimate uses of ROT encoding are handled as false positives, with tailored filtering approaches suggested. Recommended response measures emphasize isolating affected systems and mitigating the threat if the ROT-encoded content is judged malicious.
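The following is an added illustration of the sequence logic described above, replayed in Python over constructed events; it is not the Elastic rule itself. The file pattern and the Windows/macOS scope come from the summary, while the event field names, the "python*" process-name match, and the 60-second correlation window are assumptions.

```python
from fnmatch import fnmatchcase

ROT_FILE_PATTERN = "rot_??.cpython-*.pyc*"  # file pattern quoted in the summary
PYTHON_PROCESS_PATTERN = "python*"          # assumed process-name wildcard
MONITORED_OS = {"windows", "macos"}          # platforms named in the summary
MAX_SPAN_SECONDS = 60                        # assumed correlation window

def eql_match(value, pattern):
    """EQL-style case-insensitive wildcard match ('*' and '?')."""
    return value is not None and fnmatchcase(value.lower(), pattern.lower())

def detect_rot_python_execution(events):
    """Return (entity_id, file_name) for each completed sequence.

    events: dicts sorted by 'ts' with 'category', 'os', 'entity_id' and
    either 'process_name' + 'type' or 'file_name' + 'action'.
    """
    python_starts = {}  # entity_id -> ts of the qualifying Python start
    hits = []
    for ev in events:
        if ev["os"] not in MONITORED_OS:
            continue
        if (ev["category"] == "process" and ev.get("type") == "start"
                and eql_match(ev.get("process_name"), PYTHON_PROCESS_PATTERN)):
            python_starts[ev["entity_id"]] = ev["ts"]
        elif (ev["category"] == "file" and ev.get("action") != "deletion"
                and eql_match(ev.get("file_name"), ROT_FILE_PATTERN)):
            start = python_starts.get(ev["entity_id"])
            if start is not None and 0 <= ev["ts"] - start <= MAX_SPAN_SECONDS:
                hits.append((ev["entity_id"], ev["file_name"]))
    return hits

# Constructed sample telemetry (not real events); only p1 completes the sequence.
SAMPLE_EVENTS = [
    {"category": "process", "type": "start", "os": "windows", "entity_id": "p1", "ts": 0, "process_name": "python.exe"},
    {"category": "file", "action": "creation", "os": "windows", "entity_id": "p1", "ts": 5, "file_name": "rot_13.cpython-311.pyc"},
    # Matching file name with no preceding Python start on that entity: no alert.
    {"category": "file", "action": "creation", "os": "macos", "entity_id": "p2", "ts": 6, "file_name": "rot_47.cpython-39.pyc"},
    # Deletions are excluded from the file leg of the sequence.
    {"category": "process", "type": "start", "os": "macos", "entity_id": "p3", "ts": 10, "process_name": "Python3"},
    {"category": "file", "action": "deletion", "os": "macos", "entity_id": "p3", "ts": 12, "file_name": "rot_13.cpython-312.pyc"},
    # Linux hosts are outside the rule's scope.
    {"category": "process", "type": "start", "os": "linux", "entity_id": "p4", "ts": 20, "process_name": "python3"},
    {"category": "file", "action": "creation", "os": "linux", "entity_id": "p4", "ts": 21, "file_name": "rot_13.cpython-311.pyc"},
]

if __name__ == "__main__":
    for entity, name in detect_rot_python_execution(SAMPLE_EVENTS):
        print(f"ALERT entity={entity} file={name}")
```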
Categories
  • Endpoint
  • macOS
  • Windows
Data Sources
  • Process
  • File
ATT&CK Techniques
  • T1140
  • T1027
  • T1027.013
Created: 2024-09-17