
Summary
Detects oversized command lines used by scripting interpreters (Python, PowerShell, Node.js, Deno) that contain base64 decoding or encoded-command patterns. The rule targets endpoint process start events where the original process.command_line value was too large to index, but the full command is still available in process.command_line.text. Adversaries often embed long inline encoded payloads to conceal activity and execute payloads across Windows, macOS, and Linux.

The detection logic looks for interpreter-specific encoded commands: Python with b64decode, or -c followed by a script containing base64; PowerShell with encodedCommand/-Encoded or frombase64string; Node.js with Buffer.from(base64) or atob; Deno with atob, Buffer.from(base64), or eval. It requires the command line (encoded or decoded) to be at least 4000 characters long to minimize false positives.

Mapped MITRE techniques include T1027 (Obfuscated/Deobfuscated Files or Information) and T1140 (Deobfuscate/Decode Files or Information) under Defense Evasion (TA0005), and T1059 (Command and Scripting Interpreter) with subtechniques for PowerShell, Python, and JavaScript. The rule is cross-platform, applying to Windows, macOS, and Linux hosts. Typical responses include isolating the host, terminating the interpreter and its descendants, preserving the full command line and process tree for forensics, and credential/security remediation if decoded payloads are confirmed.
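As an added illustration of the detection logic described above (not the rule's own query), the following Python function applies the interpreter-specific patterns and the 4000-character threshold to constructed ECS-style process events. The interpreter binary names, the exact regular expressions, and the flat field names are assumptions made for this example.

```python
import re
from typing import Optional

# Minimum command-line length before the rule fires (from the summary above).
MIN_CMDLINE_LEN = 4000

# Interpreter name patterns (assumed binary names) paired with the
# encoded-command indicators listed in the summary for each interpreter.
INTERPRETER_PATTERNS = {
    "python": (re.compile(r"^python(?:\d(?:\.\d+)?)?(?:\.exe)?$", re.I),
               re.compile(r"b64decode|-c\s.*base64", re.I | re.S)),
    "powershell": (re.compile(r"^(?:powershell|pwsh)(?:\.exe)?$", re.I),
                   re.compile(r"-encoded(?:command)?\b|frombase64string", re.I)),
    "node": (re.compile(r"^node(?:\.exe)?$", re.I),
             re.compile(r"Buffer\.from\([^)]*base64|atob\(", re.I)),
    "deno": (re.compile(r"^deno(?:\.exe)?$", re.I),
             re.compile(r"atob\(|Buffer\.from\([^)]*base64|eval\(", re.I)),
}


def classify(event: dict) -> Optional[str]:
    """Return the matched interpreter name, or None if the event does not qualify.

    Only process.name and process.command_line.text are consulted; the length
    check is applied first so short, benign uses of base64 never match."""
    name = event.get("process.name", "")
    cmdline = event.get("process.command_line.text", "")
    if len(cmdline) < MIN_CMDLINE_LEN:
        return None
    for interp, (name_re, indicator_re) in INTERPRETER_PATTERNS.items():
        if name_re.match(name) and indicator_re.search(cmdline):
            return interp
    return None


def detect_all(events) -> list:
    """Run classify() over a sequence of events and return the verdicts in order."""
    return [classify(e) for e in events]


# Constructed sample events (not real telemetry); PAD stands in for a long inline payload.
PAD = "A" * 4100
SAMPLE_EVENTS = [
    {"process.name": "python3", "process.command_line.text": f"python3 -c \"import base64;exec(base64.b64decode('{PAD}'))\""},
    {"process.name": "powershell.exe", "process.command_line.text": f"powershell.exe -NoP -EncodedCommand {PAD}"},
    {"process.name": "node", "process.command_line.text": f"node -e \"eval(Buffer.from('{PAD}','base64').toString())\""},
    {"process.name": "deno", "process.command_line.text": f"deno eval \"eval(atob('{PAD}'))\""},
    {"process.name": "python3", "process.command_line.text": "python3 -c \"import base64;print(base64.b64decode('aGk='))\""},  # below threshold
    {"process.name": "bash", "process.command_line.text": f"bash -c 'echo {PAD} | base64 -d'"},  # interpreter out of scope
]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, detect_all(SAMPLE_EVENTS)):
        print(f"{event['process.name']:<16} -> {verdict}")
```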
Categories
- Endpoint
- Windows
- macOS
- Linux
Data Sources
- Process
- Command
ATT&CK Techniques
- T1027
- T1140
- T1059
- T1059.001
- T1059.006
- T1059.007
Created: 2026-03-27