
Summary
This detection rule identifies potentially malicious activity related to base64-encoded reflective loading of .NET assemblies in PowerShell on Windows systems. The rule monitors PowerShell command lines for specific base64-encoded patterns that indicate reflective assembly loading, a technique adversaries often use to evade detection and remain stealthy. These techniques are commonly employed to load and run malicious code in memory without writing an assembly to disk or raising alarms. The rule analyzes the command lines recorded in process creation events and looks for strings that match the base64 encoding of the reflective loading pattern. Monitoring for these patterns is essential because they can signal a broader attack involving the injection of malicious payloads into legitimate processes. Potential false positives are minimal, since the command-line patterns are specific to reflective loading operations.
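As an added illustration, not part of this rule's definition, the following Python shows the detection idea: a UTF-16LE fragment encoded with `-EncodedCommand` can land at three base64 alignments, so a rule needs all three substrings, which are then checked against constructed process-creation command lines. The fragment `[System.Reflection.Assembly]::Load(` and the regex for the encoded-command argument are assumptions, since the page does not list the rule's exact patterns.

```python
import base64
import re
from typing import Optional

# Assumption of this example: the rule keys on this fragment of a reflective
# .NET load; the page itself does not list the exact patterns it matches.
NEEDLE = "[System.Reflection.Assembly]::Load("

def utf16le_base64_variants(text: str) -> list:
    """Base64 substrings that appear whenever `text` occurs inside a UTF-16LE
    string that was base64-encoded as a whole (what -EncodedCommand expects).
    Base64 consumes 3-byte groups, so the fragment can sit at three alignments;
    leading/trailing groups that depend on unknown neighbouring bytes are cut."""
    raw = text.encode("utf-16-le")
    variants = []
    for offset in range(3):
        padded = b"\x00" * offset + raw          # shift to alignment `offset`
        enc = base64.b64encode(padded).decode("ascii")
        start = 4 if offset else 0               # first group mixes in unknown bytes
        end = len(enc) - (4 if len(padded) % 3 else 0)  # partial last group
        variants.append(enc[start:end])
    return variants

VARIANTS = utf16le_base64_variants(NEEDLE)

def matches_rule(command_line: str) -> bool:
    """Process-creation check: does the command line carry any encoded variant?"""
    return any(v in command_line for v in VARIANTS)

ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(command_line: str) -> Optional[str]:
    """Recover the plaintext script for analyst triage; None if absent/invalid."""
    m = ENCODED_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def _encoded_line(script: str) -> str:
    # Constructed sample of how a process-creation event renders the command line.
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return f"powershell.exe -NoP -EncodedCommand {b64}"

# Constructed sample command lines: one reflective load, one benign script.
SAMPLE_LINES = [
    _encoded_line("$a=[System.Reflection.Assembly]::Load($bytes);$a.EntryPoint"),
    _encoded_line("Get-Process | Sort-Object CPU -Descending | Select -First 5"),
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(matches_rule(line), decode_encoded_command(line))
```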
Categories
- Windows
Data Sources
- Process
Created: 2022-03-01