diff --git a/rules/windows/powershell/powershell_script/posh_ps_righttoleft_obfuscation.yml b/rules/windows/powershell/powershell_script/posh_ps_righttoleft_obfuscation.yml
new file mode 100644
index 00000000000..3b5b194c79b
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_righttoleft_obfuscation.yml
@@ -0,0 +1,26 @@
+title: RightToLeft Obfuscation - PowerShell
+id: 42930804-9e43-46f3-99bb-f6fd7054c04c
+status: experimental
+description: Detects Obfuscated Powershell using RightToLeft method.
+references:
+ - https://bherunda.medium.com/deconstructing-powershell-obfuscation-in-the-wild-6645f7c9fe37
+ - https://www.sentinelone.com/blog/deconstructing-powershell-obfuscation-in-malspam-campaigns/
+author: Filip Woźniak
+date: 2024-11-06
+modified: 2024-11-06
+tags:
+ - attack.defense-evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ category: ps_script
+ definition: 'Requirements: Script Block Logging must be enabled'
+detection:
+ selection_4104:
+ ScriptBlockText|contains: 'RightToLeft'
+ condition: selection_4104
+falsepositives:
+ - Legitimate PowerShell scripts
+level: medium
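Review bot: The single `ScriptBlockText|contains: 'RightToLeft'` selection is a bare substring match, and the same token appears in ordinary .NET usage that script block logging will capture — `RegexOptions.RightToLeft` in regular-expression calls and the `RightToLeft` layout property on WinForms/WPF controls — so the rule as written will fire on those scripts with no obfuscation present. The `falsepositives` entry `Legitimate PowerShell scripts` does not tell an analyst which legitimate patterns to expect; replacing it with the concrete cases, e.g. `- Scripts that use the RegexOptions.RightToLeft option` and `- WinForms or WPF scripts that set the RightToLeft layout property`, would make triage easier. If the referenced obfuscation relies on the regex right-to-left match to reverse a string (hedged, inferred from the references rather than the hunk), the selection could be narrowed by requiring the regex call alongside the token, for instance `ScriptBlockText|contains|all:` with `- 'RightToLeft'` and `- '[regex]::Matches'`, with a note in `description` saying which obfuscation pattern is meant. `level: medium` also looks optimistic for a one-token match until the selection is tightened.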