
Summary
This detection rule identifies PowerShell scripts that use the Windows Clip.exe utility in an obfuscated manner, a pattern associated with defense evasion. It looks for PowerShell script block text in which the 'echo' command is used together with 'clip', followed by a call to clipboard functionality such as 'Clipboard' or 'invoke'. This sequence can indicate that an attacker is staging data for exfiltration or hiding activity by routing it through the clipboard. The rule depends on Script Block Logging being enabled, since only then do the logs record the executed commands and their context. It is especially relevant in environments with heavy PowerShell use, and it maps to behaviours in the MITRE ATT&CK framework under the Execution and Defense Evasion tactics.
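The following is an added example of the detection logic described above, run over a handful of constructed script block entries. It is written for this page and is not the rule's own implementation; it assumes the script block text is available as a plain string (the ScriptBlockText field of the event 4104 records that Script Block Logging produces). The ordering requirement (echo, then clip, then Clipboard or invoke) and the use of word boundaries around 'clip' are interpretation choices made here, not details stated by the rule.

```python
import re
from typing import Iterable

# Token patterns taken from the rule description. Matching is case-insensitive
# because PowerShell and Clip.exe both accept any casing. 'clip' is matched as a
# whole word (optionally 'clip.exe') so that cmdlets such as Set-Clipboard do not
# count as the Clip.exe stage on their own; this is an assumption of the example.
ECHO_RE = re.compile(r"\becho\b", re.IGNORECASE)
CLIP_RE = re.compile(r"\bclip(?:\.exe)?\b", re.IGNORECASE)
CLIPBOARD_OR_INVOKE_RE = re.compile(r"\bClipboard\b|\binvoke\b", re.IGNORECASE)


def is_obfuscated_clip_usage(script_block_text: str) -> bool:
    """True when 'echo' is followed by 'clip', which is followed by a clipboard
    read ('Clipboard') or an 'invoke'. Each stage is searched only after the
    end of the previous one, so the three tokens must appear in that order."""
    echo = ECHO_RE.search(script_block_text)
    if not echo:
        return False
    clip = CLIP_RE.search(script_block_text, echo.end())
    if not clip:
        return False
    return CLIPBOARD_OR_INVOKE_RE.search(script_block_text, clip.end()) is not None


def scan_script_blocks(records: Iterable[tuple[str, str]]) -> list[str]:
    """Return the ids of the (id, ScriptBlockText) records that match."""
    return [rid for rid, text in records if is_obfuscated_clip_usage(text)]


# Constructed sample script block entries; none are taken from a real system.
SAMPLE_SCRIPT_BLOCKS = [
    # benign: clip without echo
    ("sb-1", "Get-Process | clip"),
    # benign: echo to clip, but nothing reads the clipboard back
    ("sb-2", 'echo "build ok" | clip'),
    # benign: cmdlet form only, no Clip.exe stage
    ("sb-3", 'Set-Clipboard -Value "note"; Get-Clipboard'),
    # matches: echo -> clip -> Clipboard read
    ("sb-4", "echo Get-Date | clip; Add-Type -AssemblyName System.Windows.Forms; "
             "[Windows.Forms.Clipboard]::GetText()"),
    # matches despite casing: ECHO -> CLIP.EXE -> Invoke-Expression
    ("sb-5", "ECHO Get-Date | CLIP.EXE; Invoke-Expression (Get-Clipboard)"),
    # not matched: all tokens present but out of order
    ("sb-6", "[Windows.Forms.Clipboard]::GetText(); echo done | clip"),
]


if __name__ == "__main__":
    for rid in scan_script_blocks(SAMPLE_SCRIPT_BLOCKS):
        print(f"ALERT {rid}: obfuscated Clip.exe usage in script block")
```

Running the block flags sb-4 and sb-5 only. The check keys on the literal tokens the rule names, so it is one signal to correlate with other telemetry rather than a complete control; in environments where build or admin scripts legitimately pipe output to clip, tune on the surrounding script block text rather than loosening the token order.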
Categories
- Windows
- Endpoint
Data Sources
- Script
Created: 2020-10-09