
PowerShell Environment Variable Execution

Splunk Security Content

Summary
Technical summary: The rule detects a PowerShell abuse pattern in which environment variables are used to store payload commands or encoded content that is then executed via Invoke-Expression or its alias iex. It relies on PowerShell Script Block Logging (Event ID 4104) to inspect the de-obfuscated script block before execution. Detection triggers when ScriptBlockText contains an environment-variable reference (e.g., $env: or [Environment]::SetEnvironmentVariable) in combination with an execution call (invoke-expression, iex) or a related construct such as [scriptblock]::Create. A regex identifies patterns that mix environment variables with code execution, including obfuscated or runtime-constructed code. This behavior is commonly employed by loaders and stagers and has been observed in campaigns such as VIP Keylogger. The rule supports correlation with related risk events and maps to MITRE ATT&CK technique T1059.001 (PowerShell).
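The following Python example, added here and not part of the Splunk Security Content rule itself, shows the matching logic described above run over constructed Event ID 4104 records: a script block is flagged only when it contains both an environment-variable reference and an execution construct. The two regexes are an approximation of the rule's pattern, not its actual SPL, and the sample events and host names are made up.

```python
import re

# Environment-variable references the summary names in ScriptBlockText.
ENV_REF = re.compile(
    r"\$env:|\[Environment\]::(Get|Set)EnvironmentVariable", re.IGNORECASE)
# Execution constructs the rule pairs those references with.
EXEC_CALL = re.compile(
    r"invoke-expression|\biex\b|\[scriptblock\]::Create", re.IGNORECASE)


def is_env_var_execution(script_block_text: str) -> bool:
    """True when the script block both references an environment variable
    and contains an execution construct; either one alone is not flagged."""
    return bool(ENV_REF.search(script_block_text)) and bool(
        EXEC_CALL.search(script_block_text))


# Constructed sample Script Block Logging events (not real telemetry).
SAMPLE_EVENTS = [
    # Benign: env var referenced, nothing executed.
    {"EventCode": 4104, "Computer": "ws01.example.local",
     "ScriptBlockText": 'Write-Host "Profile is $env:USERPROFILE"'},
    # Flagged: command stored in an env var, then executed via iex.
    {"EventCode": 4104, "Computer": "ws02.example.local",
     "ScriptBlockText": '[Environment]::SetEnvironmentVariable('
                        '"x","Get-Date","Process"); iex $env:x'},
    # Not flagged: execution call without any env-var reference.
    {"EventCode": 4104, "Computer": "ws03.example.local",
     "ScriptBlockText": 'Invoke-Expression (Get-Content .\\build.ps1 -Raw)'},
    # Flagged: runtime-constructed script block sourced from an env var.
    {"EventCode": 4104, "Computer": "ws04.example.local",
     "ScriptBlockText": '& ([scriptblock]::Create($env:PAYLOAD))'},
    # Ignored: matching text but not a 4104 script block event.
    {"EventCode": 4103, "Computer": "ws05.example.local",
     "ScriptBlockText": 'iex $env:x'},
]


def find_matches(events):
    """Return only the 4104 events whose ScriptBlockText matches the pattern,
    the set a downstream risk-based alert would correlate on."""
    return [e for e in events
            if e.get("EventCode") == 4104
            and is_env_var_execution(e.get("ScriptBlockText", ""))]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print(hit["Computer"], "->", hit["ScriptBlockText"])
```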
Categories
  • Endpoint
Data Sources
  • Persona
ATT&CK Techniques
  • T1059.001
Created: 2026-04-20