
Summary
This detection rule identifies the use of Gpg4win, specifically its GnuPG component, to decrypt files on Windows systems. Detection is based on process-creation events in which a Gpg4win executable (gpg.exe or gpg2.exe) is invoked with command-line parameters that indicate a decryption operation, namely the presence of '-d' (decrypt) together with 'passphrase'. The rule raises an alert whenever a process creation matches these criteria, so that security teams can monitor file-decryption activity that may indicate unauthorized access to, or use of, sensitive data. Gpg4win is a legitimate email and file encryption suite, but attackers can abuse it to hide malicious activity behind a legitimate process, which makes this detection crucial for identifying suspicious behaviour. The rule's author, Nasreddine Bencherchali of Nextron Systems, has documented this approach to improve threat detection in Windows environments.
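The matching logic described above, reimplemented in Python over constructed Sysmon-style process-creation events; this is an added example, not the rule's own Sigma definition. The Image and CommandLine field names follow the Sysmon schema, and the stricter token-based variant is an assumption that goes beyond what the summary specifies.

```python
import shlex
from typing import Dict, List

# Constructed sample events in Sysmon Event ID 1 style; not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Program Files (x86)\GnuPG\bin\gpg.exe",
     "CommandLine": r'gpg.exe --batch --passphrase "s3cret" -d C:\Users\alice\archive.gpg'},
    {"Image": r"C:\Program Files (x86)\GnuPG\bin\gpg2.exe",
     "CommandLine": r"gpg2.exe --pinentry-mode loopback --passphrase-fd 0 --decrypt C:\tmp\blob.gpg"},
    # Encryption, not decryption: no '-d' on the command line.
    {"Image": r"C:\Program Files (x86)\GnuPG\bin\gpg.exe",
     "CommandLine": r"gpg.exe --batch --passphrase x -e -r bob report.docx"},
    # Both keywords present, but the image is not a Gpg4win binary.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo passphrase -d"},
]

GPG_IMAGES = ("\\gpg.exe", "\\gpg2.exe")   # Image|endswith
REQUIRED_SUBSTRINGS = ("-d", "passphrase")  # CommandLine|contains|all
DECRYPT_FLAGS = {"-d", "--decrypt", "--decrypt-files"}


def is_gpg4win_decrypt(event: Dict[str, str]) -> bool:
    """Substring matching, mirroring the 'contains' semantics the summary describes."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    return image.endswith(GPG_IMAGES) and all(s in cmd for s in REQUIRED_SUBSTRINGS)


def is_gpg4win_decrypt_strict(event: Dict[str, str]) -> bool:
    """Assumed tighter variant: '-d' must be a standalone decrypt flag, not any
    substring (e.g. inside an unrelated option), which reduces noise."""
    image = event.get("Image", "").lower()
    if not image.endswith(GPG_IMAGES):
        return False
    args = shlex.split(event.get("CommandLine", ""), posix=False)
    has_decrypt = any(a.lower() in DECRYPT_FLAGS for a in args)
    has_passphrase = any("passphrase" in a.lower() for a in args)
    return has_decrypt and has_passphrase


def find_matches(events: List[Dict[str, str]], strict: bool = False) -> List[Dict[str, str]]:
    """Return the events that would raise an alert under the chosen matcher."""
    matcher = is_gpg4win_decrypt_strict if strict else is_gpg4win_decrypt
    return [e for e in events if matcher(e)]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "|", hit["CommandLine"])
```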
Categories
- Endpoint
- Windows
Data Sources
- Process
- Application Log
Created: 2023-08-09