
Summary
This rule detects obfuscation techniques commonly used in PowerShell scripts, particularly those produced by the Invoke-Obfuscation toolkit. By monitoring process creation events, it checks command lines for patterns that indicate obfuscation is being used to hide malicious intent: specific command line structures characteristic of PowerShell obfuscation, such as encoded strings or paths built from environment variables. The rule is important for identifying evasion, since attackers frequently use obfuscation to bypass security controls and execute harmful scripts, which makes it especially relevant for defending against advanced persistent threats that abuse PowerShell. The rule's selection covers patterns indicative of obfuscation and applies a filter to reduce false positives while keeping the focus on high-confidence detections. The underlying goal is to improve visibility into potentially malicious behaviour that relies on this common evasion technique.
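To make the selection-plus-filter structure concrete, here is an added Python example (not the rule's own logic, and not code from the rule's authors) that runs two heuristic checks over constructed process creation events: an encoded-command switch followed by a base64 blob, and a path built from an environment variable. The regexes, the allowlisted parent image path and the sample command lines are all assumptions made for this illustration; a real rule would carry its own, more specific selection patterns.

```python
"""Heuristic detector for obfuscated PowerShell command lines.

Added example. The patterns and the parent-image allowlist below are
assumptions chosen to illustrate the rule's idea (encoded strings,
environment-variable-derived paths, a false-positive filter); they are
not the rule's own selection logic.
"""
import base64
import re
from dataclasses import dataclass
from typing import Optional

# Assumed heuristic 1: powershell.exe accepts prefix abbreviations of
# -EncodedCommand (-e, -ec, -enc); match any of them followed by base64.
ENCODED_CMD = re.compile(
    r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})"
)
# Assumed heuristic 2: a path taken from an environment variable, in
# cmd.exe syntax (%COMSPEC%) or PowerShell syntax ($env:ComSpec).
ENV_PATH = re.compile(r"(?i)(?:%[a-z_]+%|\$env:[a-z_]+)")
# Assumed false-positive filter: parent images known to launch encoded
# PowerShell legitimately. The path is a placeholder, not a real product.
ALLOWED_PARENTS = {r"c:\program files\exampleagent\agent.exe"}


@dataclass
class ProcessEvent:
    image: str          # created process image path
    parent_image: str   # parent process image path
    command_line: str   # full command line of the created process


@dataclass
class Finding:
    reason: str
    decoded: Optional[str]  # decoded payload when an encoded command was seen


def decode_encoded_command(b64: str) -> Optional[str]:
    """-EncodedCommand payloads are base64 over UTF-16LE text."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(event: ProcessEvent) -> Optional[Finding]:
    """Selection: PowerShell image + obfuscation pattern; filter: trusted parent."""
    if not event.image.lower().endswith(("powershell.exe", "pwsh.exe")):
        return None
    if event.parent_image.lower() in ALLOWED_PARENTS:
        return None  # filter stage removes a known-benign launcher
    m = ENCODED_CMD.search(event.command_line)
    if m:
        return Finding("encoded command", decode_encoded_command(m.group(1)))
    if ENV_PATH.search(event.command_line):
        return Finding("environment-variable path", None)
    return None


# Constructed sample events (not real telemetry). The encoded payload is a
# harmless Write-Output so the decoding step can be checked end to end.
SAMPLE_B64 = base64.b64encode("Write-Output 'hi'".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    ProcessEvent("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 "C:\\Windows\\System32\\cmd.exe",
                 f"powershell.exe -nop -w hidden -enc {SAMPLE_B64}"),
    ProcessEvent("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 "C:\\Windows\\explorer.exe",
                 'powershell.exe -Command "& $env:ComSpec /c echo test"'),
    ProcessEvent("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 "C:\\Windows\\explorer.exe",
                 "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"),
    ProcessEvent("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 "C:\\Program Files\\ExampleAgent\\agent.exe",
                 f"powershell.exe -enc {SAMPLE_B64}"),
]


def run_samples() -> list:
    """Return one Finding-or-None per sample event, in order."""
    return [evaluate(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, finding in zip(SAMPLE_EVENTS, run_samples()):
        print(f"{finding or 'no alert'} <- {event.command_line}")
```

In a real pipeline the three fields would be populated from the process creation source (for example Sysmon Event ID 1 or Windows Security Event ID 4688), and the decoded payload is what an analyst would pivot on first; the allowlist filter is deliberately narrow, keyed on the full parent path rather than the file name, so that a renamed binary in another directory does not inherit the exemption.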
Categories
- Windows
- Endpoint
Data Sources
- Process
- Application Log
- Command
- Malware Repository
Created: 2022-12-27