
Summary
This detection rule identifies obfuscated PowerShell scripts that use MSHTA (Microsoft HTML Application Host) to execute commands. It checks the script block text for specific terms typical of this obfuscation tactic, including attempts to create VBScript objects and execute commands in a way that can evade traditional detection mechanisms. The presence of keywords such as 'set', 'mshta', and 'vbscript:createobject' within the script block serves as the primary indicator that malicious behaviour may be occurring. Script Block Logging must be enabled in the Windows environment for this rule to detect anything. Given the levels of obfuscation seen in attack techniques (e.g., T1027), this rule plays a critical role in fortifying defenses against sophisticated PowerShell-based attacks.
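As an added illustration, not code from the original rule or its project, the keyword check described above applied in Python to a few constructed Script Block Logging records. The event IDs and field names are assumptions modelled on the PowerShell Operational log (4104 carries the ScriptBlockText field), and matching is assumed to be case-insensitive.

```python
# Terms the rule requires; a script block must contain all of them to fire.
# "set" alone is a very common substring (e.g. Set-Location), which is why the
# rule only alerts when every term is present together.
REQUIRED_TERMS = ("set", "mshta", "vbscript:createobject")


def is_obfuscated_mshta(script_block_text: str) -> bool:
    """Return True when every required term occurs in the script block text."""
    lowered = script_block_text.lower()  # assumption: case-insensitive contains
    return all(term in lowered for term in REQUIRED_TERMS)


def scan_events(events):
    """Return the RecordIds of Script Block Logging events that match the rule."""
    hits = []
    for ev in events:
        # Only event 4104 (Script Block Logging) carries ScriptBlockText;
        # other PowerShell log records are skipped.
        if ev.get("event_id") != 4104:
            continue
        if is_obfuscated_mshta(ev.get("ScriptBlockText", "")):
            hits.append(ev["RecordId"])
    return hits


# Constructed sample events (not real telemetry). Only record 2 carries all
# three terms in a 4104 event; record 3 has the terms but the wrong event ID.
SAMPLE_EVENTS = [
    {"RecordId": 1, "event_id": 4104,
     "ScriptBlockText": "Set-Location C:\\Temp; Get-ChildItem"},
    {"RecordId": 2, "event_id": 4104,
     "ScriptBlockText": "cmd /c \"set p=mshta vbscript:CreateObject('<placeholder>')\""},
    {"RecordId": 3, "event_id": 4103,
     "ScriptBlockText": "set mshta vbscript:createobject"},
    {"RecordId": 4, "event_id": 4104,
     "ScriptBlockText": "mshta.exe https://intranet.example/app.hta"},
]

if __name__ == "__main__":
    print("matching RecordIds:", scan_events(SAMPLE_EVENTS))  # [2]
```

The benign records show why the rule demands all terms at once: a bare 'set' or a plain mshta.exe invocation on its own does not fire.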
Categories
- Windows
- Endpoint
Data Sources
- Script
Created: 2020-10-08