
Summary
This detection rule identifies PowerShell scripts that use negative index ranges, such as `$s[-1..-($s.Length)]`, to reverse the contents of strings or arrays at run time. The technique matters because it reverses a string without calling an explicit reversal method, so the readable command never appears in the script text and signature or string-matching controls that inspect it statically do not see it. The rule consumes PowerShell Script Block Logging (Event ID 4104) and considers only script blocks longer than 500 characters. It substitutes a fire emoji (🔥) for certain string-format patterns so that occurrences of the obfuscation pattern can be counted, which raises the signal against common evasion techniques. Script blocks that meet the criteria for negative-index or obfuscated-pattern use raise an alert for the security team to triage. Legitimate scripts also use negative ranges (for example to take the last few elements of an array), so the length threshold and the pattern count are what keep the rule from firing on routine administration; baseline the environment before treating every hit as malicious.
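Worked example, added here and not code from the rule or its authors: a Python script that first builds a constructed, obfuscated script block using the negative-index-range reversal described above (every token stored backwards, rebuilt with `[-1..-($v.Length)]`, reassembled with the `-f` operator and handed to `IEX`), then runs the rule's logic over it and over a constructed benign admin script. The two regular expressions, the choice of `{N}` format-operator placeholders as the "string format pattern" that is replaced by 🔥, and the OR between the two indicators are assumptions, since the page does not quote the rule's exact search.

```python
import re

# Assumed patterns (the page does not quote the rule's exact regexes):
# an index range that starts at a negative literal and ends at a negative
# expression, e.g. $s[-1..-($s.Length)] or $s[-1..-$s.Length].
NEG_INDEX_RANGE = re.compile(r"\[\s*-\d+\s*\.\.\s*-[^\]]+\]")
# -f format-operator placeholders such as {0}{1}; assumed to be the
# "string format pattern" the rule rewrites before counting.
FORMAT_PLACEHOLDER = re.compile(r"\{\d+\}")
MARKER = "🔥"
MIN_LENGTH = 500  # the rule only considers script blocks longer than this


def build_obfuscated_sample(pad_to: int = 0) -> str:
    """Constructed script block hiding 'Start-Process notepad.exe -WindowStyle
    Hidden': each token is stored reversed and rebuilt with a negative index
    range, then the pieces are joined with -f and executed through IEX."""
    tokens = ["Start-Process", "notepad.exe", "-WindowStyle", "Hidden"]
    stmts = []
    for i, tok in enumerate(tokens):
        stmts.append(f"$v{i}='{tok[::-1]}';$w{i}=-join $v{i}[-1..-($v{i}.Length)]")
    fmt = " ".join(f"{{{i}}}" for i in range(len(tokens)))   # '{0} {1} {2} {3}'
    args = ",".join(f"$w{i}" for i in range(len(tokens)))
    stmts.append(f"$cmd=('{fmt}' -f {args});IEX $cmd")
    script = ";".join(stmts)
    if len(script) < pad_to:
        # Real obfuscated blocks are long; here a trailing comment stands in
        # for the extra layers so the sample crosses the 500-character bar.
        script += "\n# " + "x" * (pad_to - len(script))
    return script


# Constructed benign admin script: uses a single negative index and a short
# negative range, which is normal PowerShell, and is well under 500 chars.
BENIGN_ADMIN = (
    "$logs = Get-ChildItem C:\\Logs -Filter *.log | Sort-Object LastWriteTime;"
    "$latest = $logs[-1]; $recent = $logs[-3..-1];"
    "Get-Content $latest.FullName | Select-Object -Last 20"
)


def analyze(script_block: str) -> dict:
    """Apply the rule's logic to one ScriptBlockText value: length gate,
    negative-index-range count, and marker substitution followed by a count."""
    marked = FORMAT_PLACEHOLDER.sub(MARKER, script_block)
    neg_ranges = len(NEG_INDEX_RANGE.findall(script_block))
    fmt_count = marked.count(MARKER)
    return {
        "length": len(script_block),
        "neg_index_ranges": neg_ranges,
        "format_placeholders": fmt_count,
        # OR between the indicators is this example's reading of the summary.
        "alert": len(script_block) > MIN_LENGTH and (neg_ranges > 0 or fmt_count > 0),
    }


if __name__ == "__main__":
    for name, block in [
        ("obfuscated, padded", build_obfuscated_sample(pad_to=600)),
        ("obfuscated, short", build_obfuscated_sample()),
        ("benign admin", BENIGN_ADMIN),
    ]:
        print(name, analyze(block))
```

The benign sample's `$logs[-3..-1]` does match the negative-range pattern; it is only the 500-character gate that keeps it from alerting, which is why the same admin pattern inside a long deployment script will need an allow-list or a higher count threshold when tuning.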
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Script
- Application Log
- Process
- Network Traffic
ATT&CK Techniques
- T1027
- T1140
- T1059
- T1059.001
Created: 2025-04-14