Potential PowerShell Obfuscation via String Reordering

Elastic Detection Rules

Summary
This detection rule identifies PowerShell scripts that use obfuscation techniques such as string reordering and runtime reconstruction. Threat actors commonly apply these techniques to evade security tools such as the Antimalware Scan Interface (AMSI) and to hinder static analysis. The rule operates on logs collected from PowerShell operations and looks for script blocks whose length exceeds 500 characters and that contain patterns indicative of these obfuscation methods. Identifying such scripts gives insight into potentially malicious activity and aids in defending Windows environments against advanced threats. For the rule to function, the PowerShell Script Block Logging policy must be enabled, either via Group Policy or a registry edit. With a low risk score of 21, the rule covers MITRE ATT&CK tactics for defense evasion and execution through scripting.
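As an added illustration that is not Elastic's own rule query, the following Python applies the two conditions the summary describes, the 500-character threshold and a string-reordering indicator, to constructed script block text. The regex for a `-f` format operator whose placeholders appear out of order is an assumption about what such an indicator looks like, not the rule's actual pattern.

```python
import re

# Assumption for this example: the page states the length threshold (500)
# but not the rule's exact query, so the pattern below is illustrative.
MIN_LENGTH = 500

# PowerShell format operator with two or more placeholders, e.g.
# ("{1}{0}" -f 'b','a'); the placeholder indices are examined separately.
FORMAT_OP = re.compile(r'"((?:\{\d+\}\s*){2,})"\s*-f\s', re.IGNORECASE)
PLACEHOLDER = re.compile(r'\{(\d+)\}')


def has_reordered_format(script: str) -> bool:
    """True if any -f format string lists its placeholders out of order."""
    for match in FORMAT_OP.finditer(script):
        indices = [int(i) for i in PLACEHOLDER.findall(match.group(1))]
        if indices != sorted(indices):
            return True
    return False


def is_suspicious_script_block(script: str) -> bool:
    """Apply both conditions: block longer than 500 chars and a reordering indicator."""
    if len(script) <= MIN_LENGTH:
        return False
    return has_reordered_format(script)


# Constructed sample script blocks (not real telemetry). The padding keeps
# the samples above the length threshold, as a lengthy loader script would be.
PADDING = "# benign comment line\n" * 30
OBFUSCATED_BLOCK = PADDING + "& (\"{1}{0}\" -f 'rocess','Get-P')\n"
BENIGN_BLOCK = PADDING + "Get-Process | Select-Object Name\n"
SHORT_OBFUSCATED = "& (\"{1}{0}\" -f 'rocess','Get-P')\n"  # below threshold


def triage(blocks: dict) -> list:
    """Return the names of the constructed blocks the logic would flag."""
    return [name for name, text in blocks.items() if is_suspicious_script_block(text)]


if __name__ == "__main__":
    samples = {"obfuscated": OBFUSCATED_BLOCK, "benign": BENIGN_BLOCK,
               "short": SHORT_OBFUSCATED}
    print(triage(samples))
```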
Categories
  • Endpoint
Data Sources
  • Windows Registry
  • Script
  • Logon Session
  • Application Log
ATT&CK Techniques
  • T1027
  • T1140
  • T1059
  • T1059.001
Created: 2025-04-03