
Summary
This detection rule identifies token obfuscation in PowerShell scripts, in particular the techniques used by the Invoke-Obfuscation framework. Token obfuscation is a common evasion technique: it alters the textual representation of commands and parameters so that the script's true intent is hidden from detection. The rule uses regular expressions to detect specific patterns associated with token obfuscation, including backticks inserted into command and parameter names, and references to environment variables written in a way that obscures their standard representation.

The rule requires Script Block Logging to be enabled on the Windows system so that the script blocks are captured for analysis. The detection logic consists of a selection of patterns indicating obfuscation, together with several filters that refine detection and minimize false positives by excluding specific script behaviors and script paths commonly associated with legitimate activity. These filters exclude benign behaviors, so that genuine administrative scripts running in environments such as Microsoft Exchange are not flagged. Overall, the rule strengthens the security posture by monitoring for advanced evasion techniques that typical security measures may fail to detect.
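The selection-plus-filter logic described above, as an added worked example that is not the rule's own code: a small Python detector run over constructed Script Block Logging records. The two regular expressions (a backtick wedged inside a token, and a `${env:...}` reference with a mixed-case scope name) are assumptions modelled on the behaviours the description lists, not the rule's actual patterns, and the Exchange path prefix used as a filter is a constructed example of the kind of allow-listed path the rule refers to.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ScriptBlockEvent:
    """One Script Block Logging record reduced to the fields the detection needs.
    The field names are assumptions for this example, not a log schema."""
    path: str               # script path ("" for interactive or in-memory blocks)
    script_block_text: str  # the logged script block text


# Assumed detection patterns modelled on the rule description; not the rule's own regexes.
PATTERNS: Dict[str, "re.Pattern"] = {
    # A backtick between two letters inside one token, e.g. "Inv`oke" or "-Na`me"
    "backtick_in_token": re.compile(r"[A-Za-z]`[A-Za-z]"),
    # A ${env:...} reference whose "env" scope is written in mixed case, e.g. "${eNv:TeMp}";
    # the usual spellings env/ENV/Env are excluded by the negative lookahead.
    "env_var_mixed_case": re.compile(r"\$\{(?!(?:env|ENV|Env):)[eE][nN][vV]:"),
}

# Assumed allow-list of script path prefixes for legitimate administrative tooling.
# The description mentions Exchange, so an Exchange install directory is the constructed example.
FILTER_PATH_PREFIXES = (
    "c:\\program files\\microsoft\\exchange server\\",
)


def is_filtered(event: ScriptBlockEvent) -> bool:
    """True when the event comes from an allow-listed path and must not raise an alert."""
    return event.path.lower().startswith(FILTER_PATH_PREFIXES)


def match_patterns(text: str) -> List[str]:
    """Names of the obfuscation patterns that occur in a script block (the 'selection')."""
    return [name for name, rx in PATTERNS.items() if rx.search(text)]


def evaluate(event: ScriptBlockEvent) -> List[str]:
    """Selection AND NOT filter: pattern names that fire after the filters; [] means no alert."""
    if is_filtered(event):
        return []
    return match_patterns(event.script_block_text)


def run(events: List[ScriptBlockEvent]) -> List[Tuple[int, List[str]]]:
    """Return (event index, matched pattern names) for every event that alerts."""
    alerts = []
    for index, event in enumerate(events):
        hits = evaluate(event)
        if hits:
            alerts.append((index, hits))
    return alerts


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # 0: backticks split a cmdlet name -> alerts on backtick_in_token
    ScriptBlockEvent("", "Get-Proc`ess | Sort-Object CPU"),
    # 1: mixed-case env scope inside ${...} -> alerts on env_var_mixed_case
    ScriptBlockEvent("", "Get-ChildItem ${eNv:TeMp}"),
    # 2: ordinary script, standard $env: syntax, no backticks -> no alert
    ScriptBlockEvent("C:\\scripts\\inventory.ps1",
                     "Write-Output $env:PATH; Get-Process | Where-Object { $_.CPU -gt 100 }"),
    # 3: a `t escape inside a string would match backtick_in_token, but the script runs
    #    from the allow-listed Exchange directory, so the path filter suppresses it
    ScriptBlockEvent("C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Scripts\\report.ps1",
                     'Get-Mailbox | ForEach-Object { Write-Output "$($_.Name)`tOK" }'),
]


if __name__ == "__main__":
    for index, hits in run(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(hits)}")
```

Sample 3 shows why the filters exist: a backtick escape such as `` `t `` inside a string satisfies the same regular expression as a split cmdlet name, so without a path filter the legitimate Exchange report would be flagged. The trade-off is that a script placed into an allow-listed directory is never inspected, so such filters should be as narrow as the environment permits.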
Categories
- Windows
- Endpoint
- Cloud
- Application
Data Sources
- Script
- Process
Created: 2022-12-27