
Summary
This rule detects the obfuscated use of environment variables to execute PowerShell commands, specifically techniques that manipulate the PowerShell command line so that the executed command is not written in clear text. It targets patterns that attackers use to hide their intent and evade detection. The detection relies on PowerShell Script Block Logging, which must be enabled on Windows hosts for the rule to fire. Its regular expression identifies PowerShell script blocks that reference environment variables in an obfuscated manner, a defense evasion behaviour mapped to T1027 (Obfuscated Files or Information). The rule is particularly useful for identifying PowerShell abuse by threat actors who combine environment variable manipulation with script block obfuscation, and it adds a valuable layer of visibility on Windows endpoints.
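The following is an added, illustrative example of running a detection of this kind over Script Block Logging text; it is not the rule's own regular expression. It assumes a heuristic pattern (an environment variable reference whose string value is immediately indexed by numeric positions), and the event texts it scans are constructed samples, not real telemetry.

```python
import re
from typing import Dict, List

# Heuristic, illustrative pattern (not the rule's own regex): an environment
# variable reference whose string value is immediately indexed by one or
# more numeric positions, e.g. $env:ComSpec[4,15,25]. Legitimate scripts read
# or join env vars; extracting individual characters from them is a common
# way to assemble a command name without writing it in clear text.
ENV_CHAR_INDEX = re.compile(
    r"\$\{?env:[A-Za-z_]\w*\}?"                  # $env:NAME or ${env:NAME}
    r"\s*\[\s*\d{1,3}\s*(?:,\s*\d{1,3}\s*)*\]",  # [n] or [n,m,...]
    re.IGNORECASE,
)


def find_env_obfuscation(script_block: str) -> List[str]:
    """Return the env-var character-indexing fragments found in one
    Script Block Logging (event 4104) ScriptBlockText value."""
    return [m.group(0) for m in ENV_CHAR_INDEX.finditer(script_block)]


def triage(events: Dict[str, str]) -> Dict[str, List[str]]:
    """Run the heuristic over {event_id: ScriptBlockText} and keep only
    the events that match, with the fragments that triggered them."""
    hits: Dict[str, List[str]] = {}
    for event_id, text in events.items():
        fragments = find_env_obfuscation(text)
        if fragments:
            hits[event_id] = fragments
    return hits


# Constructed sample ScriptBlockText values (not real telemetry).
SAMPLE_EVENTS = {
    "benign-1": "Write-Output $env:COMPUTERNAME",
    "benign-2": "$log = Join-Path $env:TEMP 'report.log'",
    # Array indexing after Split() is normal scripting, not character
    # extraction from the variable itself, so it must not match.
    "benign-3": "$first = $env:PSModulePath.Split(';')[0]",
    "suspect-1": ".($env:ComSpec[4,15,25]-join'') 'Get-Date'",
    "suspect-2": "&(${env:Public}[13]+${env:Public}[5]+'x') 'Get-Date'",
}

if __name__ == "__main__":
    for event_id, fragments in triage(SAMPLE_EVENTS).items():
        print(f"{event_id}: {fragments}")
```

The benign-3 sample shows why the pattern requires the index bracket to follow the variable name directly: array indexing of a method result is routine and would otherwise flood the rule with false positives.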
Categories
- Windows
- Endpoint
Data Sources
- Script
- Process
Created: 2020-10-15