
Summary
This detection rule identifies obfuscated PowerShell commands that invoke `IEX` (Invoke-Expression) as produced by the Invoke-Obfuscation framework. Invoke-Obfuscation generates many transformed variants of a PowerShell command snippet that attackers can use to execute malicious code without being easily recognised by traditional detection measures. The rule targets several logical expressions characteristic of these obfuscated commands, focusing on variants that reconstruct the `IEX` call through string manipulation, environment variable references, and dynamic command construction. By monitoring `Event ID 4697`, which logs changes to the service configuration (a service being installed), the rule captures suspicious activity that matches known obfuscation patterns, improving the security posture by detecting potentially harmful execution paths through PowerShell. Given the rule's high alert level, triggered events should be investigated promptly to prevent exploitation by threat actors.
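As an added illustration, not part of this page or of the rule itself, the following Python runs the detection idea over constructed 4697 log lines: the regexes are this example's own approximations of the tactics named above (indexing into built-in or environment variables to rebuild the `IEX` token, or casting `$VerbosePreference` to a string), and the `key=value|key=value` log format is an assumed rendering of the Security event.

```python
import re

# Constructed regexes approximating the tactics the rule description names:
# rebuilding "iex" by indexing into built-in variables ($PSHome, $ShellId) or
# environment variables ($env:ComSpec, $env:Public), or via string casts of
# $VerbosePreference. These are this example's own assumptions, not the rule's
# exact pattern list.
OBFUSCATED_IEX_PATTERNS = {
    "pshome_index":  re.compile(r"\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[", re.I),
    "shellid_index": re.compile(r"\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[", re.I),
    "env_public":    re.compile(r"\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[", re.I),
    "env_comspec":   re.compile(r"\$env:ComSpec\[(?:\s*\d{1,3}\s*,){2}", re.I),
    "verbose_pref":  re.compile(r"\$VerbosePreference\.ToString\(|\[String\]\s*\$VerbosePreference", re.I),
}

def parse_event(line):
    """Parse a constructed 'key=value|key=value' rendering of a Security event."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def matched_patterns(service_file_name):
    """Return the names of every obfuscation pattern found in the service path."""
    return [name for name, rx in OBFUSCATED_IEX_PATTERNS.items()
            if rx.search(service_file_name)]

def scan_events(lines):
    """Apply the detection to 4697 events only; returns (ServiceName, hits) pairs."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4697":      # rule scope: service installation events
            continue
        hits = matched_patterns(ev.get("ServiceFileName", ""))
        if hits:
            alerts.append((ev.get("ServiceName", "?"), hits))
    return alerts

# Constructed sample events (not real telemetry): one benign service, three
# service paths carrying Invoke-Obfuscation-style IEX substitutions, and a
# non-4697 event that must be ignored.
SAMPLE_EVENTS = [
    "EventID=4697|ServiceName=Spooler|ServiceFileName=C:\\Windows\\System32\\spoolsv.exe",
    "EventID=4697|ServiceName=svc1|ServiceFileName=powershell -c ($PSHome[4]+$PSHome[30]+'x') ('Get-Date')",
    "EventID=4697|ServiceName=svc2|ServiceFileName=powershell -c ($env:ComSpec[4,15,25]-Join '') ('Get-Date')",
    "EventID=4697|ServiceName=svc3|ServiceFileName=powershell -c ([String]$VerbosePreference)[1,3]+'x'",
    "EventID=4688|ServiceName=svc4|ServiceFileName=powershell -c ($PSHome[4]+$PSHome[30]+'x')",
]

if __name__ == "__main__":
    for service, hits in scan_events(SAMPLE_EVENTS):
        print(f"ALERT service={service} patterns={hits}")
```

Real deployments should match on the event's `ServiceFileName` field as delivered by the log pipeline rather than on this constructed text rendering.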
Categories
- Windows
- Cloud
- Infrastructure
Data Sources
- Process
- Logon Session
Created: 2019-11-08