Potential Dynamic IEX Reconstruction via Environment Variables

Elastic Detection Rules

Summary
This rule identifies PowerShell script blocks that rebuild the Invoke-Expression (IEX) command at runtime from individual characters of an environment variable, for example by indexing into $env:ComSpec and joining the selected characters back into a string. Because the strings "iex" and "Invoke-Expression" never appear literally in the script, keyword-based static detection and simple Antimalware Scan Interface (AMSI) signatures can miss the invocation. The rule requires PowerShell script block logging to be enabled and inspects the logged script block text, considering only script blocks longer than 500 characters; within those it searches for the index-and-join patterns typical of this reconstruction. A match indicates possible defense evasion through obfuscation and deobfuscation (MITRE ATT&CK T1027, T1140) ahead of PowerShell command execution (T1059.001).
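To make the evasion and the detection concrete, the following is an added Python example, not the Elastic rule's own query or code. It approximates the logic described above over constructed script block text of the kind script block logging records: the regular expressions, the 40-character join window, the sample payloads and the helper names are assumptions of this example, not the rule's actual implementation.

```python
import re
from typing import Iterable, List, Tuple

# Length floor taken from the rule summary: very short script blocks are ignored
# so that interactive one-liners do not generate alerts.
MIN_SCRIPT_BLOCK_LEN = 500

# An environment variable read ($env:NAME or ${env:NAME}) indexed with two or
# more integer offsets, e.g. $env:ComSpec[4,15,25]. A single index and the range
# form ($env:X[0..3]) are deliberately not matched by this example.
ENV_SLICE_RE = re.compile(
    r"\$\{?env:(?P<name>[A-Za-z_][A-Za-z0-9_()]*)\}?\s*"
    r"\[\s*(?P<idx>-?\d+(?:\s*,\s*-?\d+)+)\s*\]",
    re.IGNORECASE,
)

# The selected characters must be glued back together before they can be run:
# either "-join" directly after the slice, or the slice as the second argument
# of [string]::Join('', ...). Both windows are assumptions of this example.
JOIN_AFTER_RE = re.compile(r"^\s*-join\b", re.IGNORECASE)
JOIN_BEFORE_RE = re.compile(
    r"\[string\]::join\(\s*['\"][^'\"]*['\"]\s*,\s*$", re.IGNORECASE
)

# What a naive keyword check would look for, to show why it misses this technique.
LITERAL_IEX_RE = re.compile(r"\biex\b|invoke-expression", re.IGNORECASE)


def extract_env_slices(script_block_text: str) -> List[Tuple[str, List[int]]]:
    """Return (variable name, index list) for every env-var slice in the block."""
    found = []
    for m in ENV_SLICE_RE.finditer(script_block_text):
        indices = [int(i) for i in m.group("idx").split(",")]
        found.append((m.group("name"), indices))
    return found


def matches_dynamic_iex(script_block_text: str, min_len: int = MIN_SCRIPT_BLOCK_LEN) -> bool:
    """Approximation of the rule: a long block containing an env-var slice that is joined back into a string."""
    if len(script_block_text) < min_len:
        return False
    for m in ENV_SLICE_RE.finditer(script_block_text):
        after = script_block_text[m.end(): m.end() + 40]
        before = script_block_text[max(0, m.start() - 40): m.start()]
        if JOIN_AFTER_RE.search(after) or JOIN_BEFORE_RE.search(before):
            return True
    return False


def contains_literal_iex(script_block_text: str) -> bool:
    """The static check the obfuscation is designed to defeat."""
    return LITERAL_IEX_RE.search(script_block_text) is not None


def resolve_slice(env_value: str, indices: Iterable[int]) -> str:
    """Triage helper: given the variable's value on the host, spell out what the slice yields.
    PowerShell returns $null for an out-of-range index, so those are skipped, not raised."""
    return "".join(env_value[i] for i in indices if -len(env_value) <= i < len(env_value))


# Constructed sample script blocks (not real telemetry). The 520 'A' characters stand in
# for an encoded second stage and push the block past the length threshold.
FILLER_B64 = "A" * 520
OBFUSCATED = (
    "$s=[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('"
    + FILLER_B64 + "'));.($env:ComSpec[4,15,25]-join'')$s"
)
SHORT_OBFUSCATED = ".($env:ComSpec[4,15,25]-join'')'Get-Date'"
BENIGN = "# " + "x" * 520 + "\n$dirs = $env:Path -split ';'\nInvoke-Expression 'Get-Date'"

if __name__ == "__main__":
    for label, block in (("obfuscated", OBFUSCATED), ("short", SHORT_OBFUSCATED), ("benign", BENIGN)):
        print(label, "dynamic:", matches_dynamic_iex(block), "literal:", contains_literal_iex(block))
    # On a default Windows install ComSpec is C:\Windows\system32\cmd.exe, so [4,15,25] spells "iex".
    print(resolve_slice(r"C:\Windows\system32\cmd.exe", [4, 15, 25]))
```

Running the block shows the point the rule summary makes: the obfuscated sample contains no literal "iex" and would pass a keyword check, while the slice-and-join pattern is still visible in the logged script block text. The short variant is not flagged because of the 500-character floor, so an analyst tuning the threshold should weigh that gap against the false positives it suppresses. The resolve_slice helper is for triage only: the value of the environment variable on the specific host decides what the slice actually spells.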
Categories
  • Endpoint
Data Sources
  • Process
  • Application Log
  • Script
ATT&CK Techniques
  • T1027
  • T1140
  • T1059
  • T1059.001
Created: 2025-04-16