
Invoke-Obfuscation VAR+ Launcher - Security

Sigma Rules

Summary
This rule detects obfuscated use of environment variables to launch PowerShell scripts, as produced by the Invoke-Obfuscation VAR+ launcher, through Windows Security event logs. It focuses on Windows Event ID 4697, which records the installation of a new service. The detection criteria are based on the presence of certain keywords within the service file name, in particular those associated with command execution, such as 'cmd', 'set', and the switches '/c' and '/r'. These are common indicators of attempts to obscure command execution within a PowerShell environment. By monitoring for these patterns, the rule can identify evasion techniques attackers use to run malicious scripts or commands while avoiding detection. This detection is valuable for strengthening endpoint security against PowerShell-based attacks that rely on environment variables to hide their real command line.
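As an added illustration that is not the rule's own definition or code from the Sigma project, the following Python applies the criteria the summary describes (Event ID 4697, service file name containing 'cmd', 'set', and a '/c' or '/r' switch) to a few constructed Security log records. The field name ServiceFileName, the dictionary shape of the records, and the exact matching expressions are assumptions for this example.

```python
import re
from typing import Iterable

# Keywords the rule summary names as indicators inside the service file name.
# Matching is case-insensitive because Windows command-line parsing is.
CMD_RE = re.compile(r"cmd", re.IGNORECASE)          # cmd / cmd.exe
SWITCH_RE = re.compile(r"/[cr]\b", re.IGNORECASE)   # the /c or /r switch
SET_RE = re.compile(r"\bset\b", re.IGNORECASE)      # the 'set' built-in


def matches_var_launcher(event: dict) -> bool:
    """Return True when a Security log record has EventID 4697 (new service
    installed) and its ServiceFileName carries all three indicators."""
    if event.get("EventID") != 4697:  # the rule's scope is the 4697 event only
        return False
    path = event.get("ServiceFileName", "")
    return bool(CMD_RE.search(path) and SWITCH_RE.search(path) and SET_RE.search(path))


def scan(events: Iterable[dict]) -> list:
    """Return the ServiceName of every record that matches, in log order."""
    return [e["ServiceName"] for e in events if matches_var_launcher(e)]


# Constructed sample records (not real log data); only the fields used here
# are present. Field names are assumptions for this example.
SAMPLE_EVENTS = [
    # Ordinary service install: no command-execution keywords at all.
    {"EventID": 4697, "ServiceName": "VMTools",
     "ServiceFileName": r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"},
    # cmd /c with a 'set' variable holding the real PowerShell command.
    {"EventID": 4697, "ServiceName": "UpdHelper",
     "ServiceFileName": 'cmd /c "set V=Write-Host hi&&powershell -Command %V%"'},
    # Same command line but a System-log style event ID: outside rule scope.
    {"EventID": 7045, "ServiceName": "UpdHelper",
     "ServiceFileName": 'cmd /c "set V=Write-Host hi&&powershell -Command %V%"'},
    # The /r variant, full path to cmd.exe.
    {"EventID": 4697, "ServiceName": "SyncAgent",
     "ServiceFileName": r'C:\Windows\System32\cmd.exe /r "set Q=powershell -Command Write-Host hi&&%Q%"'},
    # Contains 'cmd' and 'set' but no /c or /r switch: must not fire.
    {"EventID": 4697, "ServiceName": "CmdWatch",
     "ServiceFileName": r"C:\Tools\cmdwatch.exe --set config.ini"},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["EventID"], e["ServiceName"], matches_var_launcher(e))
    print("alerts:", scan(SAMPLE_EVENTS))
```

The last two negative records show why all three indicators are required together: a service binary whose name merely contains 'cmd', or a legitimate `--set` argument, should not raise an alert, and the event-ID gate keeps the rule on the Security log source the summary names.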
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Process
  • Logon Session
Created: 2020-10-15