Invoke-Obfuscation Via Stdin - PowerShell

Sigma Rules

Summary
This rule detects obfuscated PowerShell commands executed through standard input (stdin). It focuses on patterns in which a script is staged and manipulated with the 'set' command, a construct indicative of an evasion technique often employed by threat actors. The detection triggers when the PowerShell ScriptBlockText matches a regular expression that looks for specific constructs involving the 'set' command and its interaction with environment variables or the 'invoke' cmdlet, chained together in a particular sequence of commands. This helps identify cases where attackers obfuscate their scripts to bypass security detections. The rule requires that Script Block Logging be enabled in the Windows environment, since that is what captures the content of executed PowerShell script blocks in sufficient detail. Overall, it improves visibility into potentially malicious activity that leverages PowerShell's scripting capabilities.
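As an added illustration (not the rule's own definition or code from this page), the following Python applies the detection logic described above to constructed script-block events. The regular expression is an assumed pattern modelled on the summary (a 'set' chained with '&&' into another 'set' that references an environment variable or 'invoke', followed by a further '&&' and a quoted string); it is not claimed to be the rule's actual expression.

```python
import re

# Assumed pattern, modelled on the summary's description; not copied from the rule.
STDIN_OBFUSCATION_RE = re.compile(r'(?i)(set).*&&\s?set.*(environment|invoke).*&&.*"')

# Script Block Logging writes executed script content to event ID 4104 in the
# Microsoft-Windows-PowerShell/Operational log. These events are constructed samples,
# not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 4104,
     "ScriptBlockText": 'set x=Invoke-Expression&& set y=[Environment]::GetEnvironmentVariable && powershell "$x $y"'},
    {"EventID": 4104,
     "ScriptBlockText": "Get-ChildItem C:\\Users | Where-Object { $_.Name -like 'a*' }"},
    # Two chained 'set' commands but no environment/invoke reference: should not fire.
    {"EventID": 4104,
     "ScriptBlockText": 'set a=1 && set b=2 && echo "%a%"'},
    # Wrong event ID: not a script block record, so the rule never sees it.
    {"EventID": 4103,
     "ScriptBlockText": 'set x=invoke && set y=environment && "z"'},
]


def matches_rule(script_block_text: str) -> bool:
    """Return True when the script block text matches the assumed regex."""
    return STDIN_OBFUSCATION_RE.search(script_block_text) is not None


def scan_events(events):
    """Return the ScriptBlockText of every 4104 event that matches the rule."""
    return [
        e["ScriptBlockText"]
        for e in events
        if e.get("EventID") == 4104 and matches_rule(e.get("ScriptBlockText", ""))
    ]


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print("ALERT Invoke-Obfuscation via stdin:", hit)
```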
Categories
  • Windows
  • Endpoint
Data Sources
  • Script
Created: 2020-10-12