
Summary
This detection rule identifies obfuscated PowerShell scripts that reconstruct the Invoke-Expression (IEX) command through string manipulation instead of naming it directly. Attackers use this technique to evade signature-based controls that key on the literal "Invoke-Expression" or "iex" token and to execute their payload without detection. One variant abuses method metadata: calling .ToString() on a method reference such as ''.IndexOf does not run the method but returns its overload signatures as text (beginning "int IndexOf..."), and indexing individual characters out of that text yields the letters i, e and x, which are joined into a command name and invoked. The rule alerts when a logged PowerShell script block exceeds 500 characters and contains patterns indicative of this reconstruction, namely string-method metadata access combined with the keywords and operators used to pick out and join characters. PowerShell Script Block Logging must be enabled for the detection to function, since it operates on the logged script block text. The risk score is 21, indicating low severity. The rule maps to MITRE ATT&CK T1027 (Obfuscated Files or Information) and T1140 (Deobfuscate/Decode Files or Information) under Defense Evasion, and to T1059 / T1059.001 (Command and Scripting Interpreter: PowerShell) under Execution. Because obfuscation tooling changes frequently, the rule is a proactive control against one recurring reconstruction pattern rather than a complete answer to PowerShell obfuscation.
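The following is an added example, not code from the rule or its publisher, that does two things: it emulates how the metadata trick turns ''.IndexOf.ToString() into the string "iex", and it runs a simplified version of the described detection (length gate plus metadata and character-extraction patterns) over constructed script block texts standing in for Script Block Logging events. The regular expressions, the method-name list and the sample scripts are assumptions made for illustration and are not the published rule's query; the metadata constant assumes only that the text returned by ''.IndexOf.ToString() starts with "int IndexOf", which is the part the technique relies on.

```python
"""Added example: emulate IEX reconstruction from string-method metadata and
run a simplified version of the detection over constructed script block text."""
import re
from typing import List, Optional

# Assumed first line of the text PowerShell returns for ''.IndexOf.ToString().
# The overload order can differ between .NET versions, but the "int IndexOf"
# prefix (positions 0-8) is what the trick needs: i=0, e=7, x=8.
INDEXOF_METADATA = "int IndexOf(char value)"


def reconstruct_from_metadata(metadata: str, indices: List[int]) -> str:
    """Pick characters out of method metadata the way `-join $m[0,7,8]` does."""
    return "".join(metadata[i] for i in indices)


# Constructed script block texts (not real telemetry) standing in for the
# ScriptBlockText field of Script Block Logging events.
BENIGN_SHORT = "Get-Process | Where-Object CPU -gt 100 | Select-Object Name, CPU"

BENIGN_LONG = (
    "function Get-LogSummary {\n"
    "    param([string]$Path)\n"
    + "".join(f"    # step {i}: parse section {i}\n" for i in range(40))
    + "    Get-Content $Path | Measure-Object -Line\n}\n"
)

# Obfuscated: builds 'iex' from method metadata, then invokes it through the
# call operator. The filler array pushes the block past the 500-char gate.
OBFUSCATED = (
    "$m = ''.IndexOf.ToString()\n"
    "$c = -join $m[0,7,8]\n"
    "& $c (\"Write-Host 'payload'\")\n"
    "$filler = @(\n"
    + "".join(f"    'chunk{i:03d}',\n" for i in range(40))
    + ")\n"
)

MIN_LENGTH = 500  # threshold stated in the rule summary

# Assumed pattern: a string method reference turned into text via .ToString().
METADATA_RE = re.compile(
    r"\.\s*(?:IndexOf|Insert|Normalize|Chars|Contains)\s*\.\s*ToString\s*\(\s*\)",
    re.IGNORECASE,
)
# Assumed pattern: character picking or joining that turns that text into a
# command name (multi-index slice, -join, or [char] casts).
EXTRACT_RE = re.compile(
    r"\[\s*\d+\s*(?:,\s*\d+\s*)+\]|-join\b|\[char\]",
    re.IGNORECASE,
)


def classify(script_block: str) -> Optional[str]:
    """Return a reason string when the block would alert, else None."""
    if len(script_block) <= MIN_LENGTH:
        return None  # length gate: short one-liners are deliberately ignored
    meta = METADATA_RE.search(script_block)
    if not meta:
        return None
    if not EXTRACT_RE.search(script_block):
        return None  # metadata access alone is not enough; require extraction
    return f"method metadata reconstruction: {meta.group(0)}"


def scan(events: List[str]) -> List[int]:
    """Indices of the events that raise the alert."""
    return [i for i, event in enumerate(events) if classify(event)]


if __name__ == "__main__":
    print(reconstruct_from_metadata(INDEXOF_METADATA, [0, 7, 8]))
    for i, event in enumerate([BENIGN_SHORT, BENIGN_LONG, OBFUSCATED]):
        print(i, len(event), classify(event))
```

Only the third sample alerts: the long benign function exceeds the length gate but never touches method metadata, and the short one-liner is excluded by the gate regardless of content. That second case is the trade-off to keep in mind when tuning: the 500-character floor suppresses noise from interactive sessions, but the same three-line reconstruction in a short script would pass unnoticed unless the threshold is lowered or a separate low-volume rule covers it.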
Categories
- Endpoint
Data Sources
- Pod
- Container
- User Account
- Script
- Process
- Logon Session
ATT&CK Techniques
- T1027
- T1140
- T1059
- T1059.001
Created: 2025-04-16