Potential PowerShell Obfuscation via Character Array Reconstruction

Elastic Detection Rules

Summary
This rule identifies the use of character arrays and runtime string reconstruction in PowerShell scripts as an obfuscation method. The technique breaks a string (typically a cmdlet name, a command line or a payload) into individual characters, for example by casting an array of numeric codes with [char[]] or by chaining [char]N casts, and rebuilds it at runtime through indexed access or join logic so that the original string never appears in the script as written. The goal is to evade static analysis and signature-based controls such as the Antimalware Scan Interface (AMSI). The EQL query looks for PowerShell script block log events (event code 4104) whose script block text contains the 'char' keyword in these reconstruction patterns, using pattern matching on the logged script block content. Because the rule operates on the script block text, it depends on PowerShell Script Block Logging being enabled on the monitored hosts; without it the 4104 events the rule needs are never recorded.
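The following is an added example, not the rule's own EQL query or any Elastic code: a small Python detector that applies the same idea to constructed 4104 events. It flags script block text where a [char[]] array is joined back into a string, where three or more individual [char]N casts are concatenated, or where a [char[]] array is read back by index. The regular expressions, thresholds, field names and sample events are assumptions made for this illustration; the real rule's query may differ.

```python
import re
from typing import Dict, List

# Heuristic patterns for char-array string reconstruction. PowerShell is
# case-insensitive, so every pattern is compiled with re.I. These are this
# example's own assumptions, not the query used by the Elastic rule.
CHAR_ARRAY_CAST = re.compile(r"\[char\[\]\]", re.I)          # [char[]](73,69,88)
JOIN_CALL = re.compile(r"-join\b|\[string\]::join\s*\(", re.I)  # -join '' / [string]::Join(
CHAR_CAST = re.compile(r"\[char\]\s*\(?\s*(?:0x[0-9a-f]+|\d+)", re.I)  # [char]73, [char]0x49
INDEXED_ACCESS = re.compile(r"\$\w+\[\d+\]")                   # $a[3]

# Constructed 4104/4103 events for illustration only (not real log data).
# "script_block_text" stands in for the logged ScriptBlockText field.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"id": "benign-1", "event_code": 4104,
     "script_block_text": r"Get-ChildItem -Path C:\Windows\Temp | Select-Object Name"},
    # Two [char] casts for CRLF are common in legitimate scripts: stays below threshold.
    {"id": "benign-2", "event_code": 4104,
     "script_block_text": "$crlf = [char]13 + [char]10; 'a' + $crlf + 'b'"},
    # Numeric codes cast to char[] and joined: spells Invoke-Expression.
    {"id": "obf-join", "event_code": 4104,
     "script_block_text": "$s = [char[]](73,110,118,111,107,101,45,69,120,112,114,101,115,115,105,111,110) -join ''; & $s 'whoami'"},
    # Individual casts concatenated: [char]73+[char]69+[char]88 is 'IEX'.
    {"id": "obf-concat", "event_code": 4104,
     "script_block_text": "$c = [char]73 + [char]69 + [char]88; & $c 'dir'"},
    # Alphabet string cast to char[] and read back by index.
    {"id": "obf-index", "event_code": 4104,
     "script_block_text": "$a = [char[]]'xIrEyX'; $cmd = $a[1] + $a[3] + $a[5]; & $cmd 'dir'"},
    # Hex codes joined through [string]::Join.
    {"id": "obf-hex", "event_code": 4104,
     "script_block_text": "[string]::Join('', [char[]](0x49,0x45,0x58))"},
    # Same content but a 4103 (module) event: not a script block log, so ignored.
    {"id": "not-4104", "event_code": 4103,
     "script_block_text": "$c = [char]73 + [char]69 + [char]88"},
]


def analyze_script_block(text: str) -> Dict[str, object]:
    """Return a verdict and the reasons a script block looks like char-array reconstruction."""
    has_array = bool(CHAR_ARRAY_CAST.search(text))
    has_join = bool(JOIN_CALL.search(text))
    char_casts = len(CHAR_CAST.findall(text))
    indexed = len(INDEXED_ACCESS.findall(text))

    reasons: List[str] = []
    if has_array and has_join:
        reasons.append("char[] array joined back into a string")
    if char_casts >= 3:  # threshold chosen so [char]13 + [char]10 alone does not fire
        reasons.append(f"{char_casts} individual [char]N casts concatenated")
    if has_array and indexed >= 3:
        reasons.append(f"{indexed} indexed reads from a char[] array")
    return {"suspicious": bool(reasons), "reasons": reasons}


def scan_events(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Apply the heuristic to script block log events only (event code 4104)."""
    hits = []
    for ev in events:
        if ev.get("event_code") != 4104:
            continue  # the rule depends on Script Block Logging; other events lack the text
        verdict = analyze_script_block(str(ev["script_block_text"]))
        if verdict["suspicious"]:
            hits.append({"id": ev["id"], "reasons": verdict["reasons"]})
    return hits


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(hit["id"], "->", "; ".join(hit["reasons"]))
```

Two practical notes. First, the CRLF case shows why a bare 'char' keyword match needs a threshold or a join/index condition: legitimate scripts cast a couple of characters routinely, so tune the threshold against your own baseline before alerting on it. Second, when the reconstructed string is later passed to Invoke-Expression, PowerShell logs the deobfuscated content as a separate 4104 event, so correlating the outer obfuscated block with the block that follows it on the same host is the fastest way to see what the attacker actually ran.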
Categories
  • Endpoint
Data Sources
  • File
  • Process
  • Application Log
ATT&CK Techniques
  • T1027
  • T1140
  • T1059
  • T1059.001
Created: 2025-04-14