diff --git a/rules/windows/defense_evasion_posh_obfuscation.toml b/rules/windows/defense_evasion_posh_obfuscation.toml
new file mode 100644
index 000000000..3710498c6
--- /dev/null
+++ b/rules/windows/defense_evasion_posh_obfuscation.toml
@@ -0,0 +1,104 @@
+[metadata]
+creation_date = "2024/07/03"
+integration = ["windows"]
+maturity = "production"
+updated_date = "2024/07/03"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies scripts that contain patterns and known methods that obfuscate PowerShell code. Attackers can use obfuscation
+techniques to bypass PowerShell security protections such as Antimalware Scan Interface (AMSI).
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-windows.powershell*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Potential PowerShell Obfuscated Script"
+references = ["https://github.com/danielbohannon/Invoke-Obfuscation"]
+risk_score = 47
+rule_id = "8025db49-c57c-4fc0-bd86-7ccd6d10a35a"
+setup = """## Setup
+
+The 'PowerShell Script Block Logging' logging policy must be enabled.
+Steps to implement the logging policy with Advanced Audit Configuration:
+
+```
+Computer Configuration >
+Administrative Templates >
+Windows PowerShell >
+Turn on PowerShell Script Block Logging (Enable)
+```
+
+Steps to implement the logging policy via registry:
+
+```
+reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
+```
+"""
+severity = "medium"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.category:process and host.os.type:windows and
+  powershell.file.script_block_text : (
+    "[string]::join" or
+    "-Join" or
+    "[convert]::toint16" or
+    "[char][int]$_" or
+    ("ConvertTo-SecureString" and "PtrToStringAuto") or
+    ".GetNetworkCredential().password" or
+    "-BXor" or
+    ("replace" and "char") or
+    "[array]::reverse"
+  ) and
+  powershell.file.script_block_text : (
+    ("$pSHoMe[" and "+$pSHoMe[") or
+    ("$ShellId[" and "+$ShellId[") or
+    ("$env:ComSpec[4" and "25]-Join") or
+    (("Set-Variable" or "SV" or "Set-Item") and "OFS") or
+    ("*MDR*" and "Name[3,11,2]") or
+    ("$VerbosePreference" and "[1,3]+'X'-Join''") or
+    ("rahc" or "ekovin" or "gnirts" or "ecnereferpesobrev" or "ecalper" or "cepsmoc" or "dillehs")
+  )
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1027"
+name = "Obfuscated Files or Information"
+reference = "https://attack.mitre.org/techniques/T1027/"
+
+[[rule.threat.technique]]
+id = "T1140"
+name = "Deobfuscate/Decode Files or Information"
+reference = "https://attack.mitre.org/techniques/T1140/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+