
Summary
This detection rule identifies the use of PowerShell cmdlets and methods associated with file encryption and decryption, which may indicate malicious activity such as ransomware operations or payload obfuscation. The rule targets processes running on Windows and focuses on PowerShell scripts that use cryptographic classes such as `Cryptography.AESManaged` and `Cryptography.RijndaelManaged`, among others, together with the methods that create encryptors and decryptors. It inspects the relevant PowerShell script blocks while filtering out certain known legitimate uses of encryption, which reduces false positives. Key investigation steps are analysing the script content for suspicious behaviour, examining the process execution chain, and responding according to the context of the alert. The rule is mapped to the MITRE ATT&CK techniques for defense evasion through obfuscation and through deobfuscation or decoding of files, which makes it relevant to threat detection in enterprise environments.
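The following is an added example, not part of the rule or its vendor's code, showing how the detection logic described above can be expressed over PowerShell script block events: a match requires both a named cryptographic class and an encryptor/decryptor creation call, and known-good script paths are excluded. The `CreateEncryptor`/`CreateDecryptor` method names are the standard .NET `SymmetricAlgorithm` members chosen here as the "encryptor/decryptor" indicator; the process-name list, the event fields, the allowlisted vendor path and all sample events are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Cryptographic classes named in the rule description. PowerShell is
# case-insensitive, so the match is too.
CRYPTO_CLASS_RE = re.compile(
    r"Cryptography\.(AESManaged|RijndaelManaged)", re.IGNORECASE
)
# .NET SymmetricAlgorithm methods that hand back a transform object;
# assumed here as the concrete "create encryptor/decryptor" indicator.
CRYPTO_METHOD_RE = re.compile(
    r"\.(CreateEncryptor|CreateDecryptor)\s*\(", re.IGNORECASE
)
# Assumed PowerShell host process names (Windows PowerShell and PowerShell 7).
POWERSHELL_PROCESSES = ("powershell.exe", "pwsh.exe")
# Constructed allowlist: a hypothetical vendor install path whose scripts
# legitimately use encryption. A production rule carries its own exclusions.
ALLOWLISTED_SCRIPT_PATHS = ("C:\\Program Files\\ExampleVendor\\",)


@dataclass
class ScriptBlockEvent:
    """One script block logging record (fields are assumed for the example)."""
    host: str
    process_name: str
    script_block_text: str
    file_path: Optional[str] = None


@dataclass
class Alert:
    host: str
    classes: List[str] = field(default_factory=list)
    methods: List[str] = field(default_factory=list)
    file_path: Optional[str] = None


def is_allowlisted(event: ScriptBlockEvent) -> bool:
    """True when the script file sits under a known-good path prefix."""
    if not event.file_path:
        return False
    path = event.file_path.lower()
    return any(path.startswith(p.lower()) for p in ALLOWLISTED_SCRIPT_PATHS)


def evaluate(event: ScriptBlockEvent) -> Optional[Alert]:
    """Apply the rule to one event; return an Alert or None."""
    if event.process_name.lower() not in POWERSHELL_PROCESSES:
        return None
    text = event.script_block_text
    classes = sorted({m.group(1) for m in CRYPTO_CLASS_RE.finditer(text)})
    methods = sorted({m.group(1) for m in CRYPTO_METHOD_RE.finditer(text)})
    # Both a crypto class and a transform-creation call are required.
    if not classes or not methods:
        return None
    if is_allowlisted(event):
        return None
    return Alert(event.host, classes, methods, event.file_path)


def scan(events: List[ScriptBlockEvent]) -> List[Alert]:
    return [a for a in (evaluate(e) for e in events) if a is not None]


# Constructed sample events: one suspicious, one allowlisted, two benign.
SAMPLE_EVENTS = [
    ScriptBlockEvent(
        "ws-01", "powershell.exe",
        "$aes = New-Object System.Security.Cryptography.AesManaged\n"
        "$aes.Key = $k; $aes.IV = $iv\n"
        "$enc = $aes.CreateEncryptor()\n",
        "C:\\Users\\Public\\run.ps1",
    ),
    ScriptBlockEvent(
        "srv-02", "powershell.exe",
        "$r = New-Object System.Security.Cryptography.RijndaelManaged\n"
        "$dec = $r.CreateDecryptor($r.Key, $r.IV)\n",
        "C:\\Program Files\\ExampleVendor\\backup.ps1",
    ),
    ScriptBlockEvent("ws-03", "powershell.exe",
                     "Get-ChildItem -Recurse | Measure-Object"),
    ScriptBlockEvent("ws-04", "pwsh.exe",
                     "$r = New-Object System.Security.Cryptography.RijndaelManaged; $r.KeySize"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Only the first sample fires: the second references the same indicators but is excluded by the constructed path allowlist, and the fourth names a cryptographic class without ever creating a transform, which the two-indicator requirement treats as insufficient on its own.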
Categories
- Endpoint
- Windows
Data Sources
- Process
- Script
- Application Log
ATT&CK Techniques
- T1027
- T1140
Created: 2023-01-23