
Summary
This rule detects Windows command obfuscation in which the target command is constructed on the fly by extracting substrings from environment variable values with the CMD :~ syntax (%VAR:~start,length%, where start and length may also be negative or length may be omitted). Attackers abuse this technique to hide the true intent of a command and evade basic detections. The technique has been observed in malware families such as Cobalt Strike and Meterpreter.

The rule flags process command lines that contain one or more such substring extractions and aggregates the telemetry by process context to surface suspicious activity. It relies on endpoint telemetry (process creation events) and is designed to work with data ingested from EDR agents that provide process GUIDs, process names, parent processes, and full command lines, normalized to the Endpoint data model (CIM). Implementations typically ingest Sysmon Event ID 1, Windows Security Event Log 4688, and CrowdStrike ProcessRollup2 data, mapped to the Processes node, to enable reliable correlation and attribution.

The rule includes remediation guidance through whitelist-based false-positive reduction and provides drilldown searches for user/destination context and risk analysis over time. It carries a MITRE ATT&CK tag (T1027.010) to indicate obfuscated/hidden information techniques.

Overall, this rule helps security teams identify command-line obfuscation attempts on Windows endpoints that use environment-variable substrings to reconstruct malicious commands. It should be tuned to minimize false positives by validating legitimate administrative scripts (for example, scripts that extract the year from %DATE%) and by ensuring proper normalization of command-line telemetry through CIM/Splunk add-ons.
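The detection logic described above, as an added example that is not part of the rule's own search or the original page: a small Python detector that scans constructed process-creation events for CMD substring extractions, skips an allowlist of variables commonly used by benign scripts (DATE, TIME), and resolves the remaining extractions against a constructed environment so an analyst can see what the obfuscated command line actually expands to. The sample events, environment values and allowlist are assumptions for illustration; the substring semantics follow CMD (negative start counts from the end, negative length stops that many characters before the end, omitted length runs to the end of the value).

```python
import re

# CMD substring syntax: %VAR:~start[,length]% where start and length may be negative.
# Variable names may contain parentheses, e.g. ProgramFiles(x86).
SUBSTR_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_()]*):~(-?\d+)(?:,(-?\d+))?%")

# Variables whose substring use is routine in admin scripts (assumed allowlist).
ALLOWLIST = {"DATE", "TIME"}

# Constructed environment (not from the page); keys are upper-cased because
# Windows environment variable names are case-insensitive.
SAMPLE_ENV = {
    "PUBLIC": r"C:\Users\Public",
    "PROGRAMDATA": r"C:\ProgramData",
    "DATE": "Mon 04/13/2026",
}

# Constructed process-creation events, in the field names the Endpoint data model uses.
SAMPLE_EVENTS = [
    {"process_guid": "{A-1}", "parent_process_name": "explorer.exe", "process_name": "cmd.exe",
     "process": r"cmd.exe /c %PUBLIC:~-1%%PROGRAMDATA:~-1%%PUBLIC:~-3,1%%PUBLIC:~-1%"},
    {"process_guid": "{A-2}", "parent_process_name": "services.exe", "process_name": "cmd.exe",
     "process": r"cmd.exe /c echo %DATE:~-4% >> C:\ProgramData\build.log"},
    {"process_guid": "{A-3}", "parent_process_name": "explorer.exe", "process_name": "notepad.exe",
     "process": r"notepad.exe C:\Users\Public\notes.txt"},
]


def cmd_substring(value, start, length=None):
    """Apply CMD's %VAR:~start,length% rules to a value."""
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    if start >= n:
        return ""
    if length is None:
        end = n
    elif length < 0:
        end = n + length
    else:
        end = start + length
    return value[start:end] if end > start else ""


def find_extractions(cmdline):
    """Return (variable, start, length) for every substring extraction in a command line."""
    return [(m.group(1), int(m.group(2)), int(m.group(3)) if m.group(3) else None)
            for m in SUBSTR_RE.finditer(cmdline)]


def resolve(cmdline, env):
    """Expand every extraction against env; unknown variables are left untouched."""
    def repl(m):
        value = env.get(m.group(1).upper())
        if value is None:
            return m.group(0)
        length = int(m.group(3)) if m.group(3) else None
        return cmd_substring(value, int(m.group(2)), length)
    return SUBSTR_RE.sub(repl, cmdline)


def detect(events, env, allowlist=ALLOWLIST):
    """Flag events with at least one extraction outside the allowlist, keeping process context."""
    hits = []
    for ev in events:
        extractions = find_extractions(ev["process"])
        suspicious = [e for e in extractions if e[0].upper() not in allowlist]
        if suspicious:
            hits.append({
                "process_guid": ev["process_guid"],
                "parent_process_name": ev["parent_process_name"],
                "process_name": ev["process_name"],
                "process": ev["process"],
                "extraction_count": len(extractions),
                "resolved": resolve(ev["process"], env),
            })
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS, SAMPLE_ENV):
        print(f"{hit['parent_process_name']} -> {hit['process_name']} "
              f"[{hit['extraction_count']} extractions]: {hit['process']}")
        print(f"  resolves to: {hit['resolved']}")
```

Only the first event is reported: the second uses %DATE:~-4% to stamp a log with the year, the kind of administrative use the allowlist is meant to absorb, and the third contains no :~ syntax at all. The resolved field is what makes triage fast, since it shows the de-obfuscated command without the analyst having to look up the environment values by hand.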
Categories
- Endpoint
Data Sources
- Process
ATT&CK Techniques
- T1027.010
Created: 2026-04-13