
Summary
This detection rule identifies potentially malicious use of the .NET method [Convert]::FromBase64String in PowerShell combined with gzip decompression, which can indicate an attempt to decode a base64-encoded gzip stream. Attackers frequently use this technique to load and execute malicious content directly in memory without writing it to disk, evading file-based detection. The rule inspects process creation events for command lines that contain three indicators: 'FromBase64String', 'MemoryStream', and 'H4sI'. The last is the base64 encoding of the bytes 1f 8b 08 that begin every gzip stream (the two-byte gzip magic followed by the DEFLATE compression-method byte), so any gzip data embedded as base64 starts with exactly those four characters. Because the behaviour is stealthy, the rule aims to catch the abnormal command pattern rather than any specific payload. Two caveats: the indicators must appear in the clear in the command line, so a script passed through -EncodedCommand or read from a file would not carry them; and legitimate administrative scripts that embed compressed, base64-encoded content can also trigger this rule, leading to false positives. Hits therefore need further analysis to separate benign from harmful activity.
Categories
- Endpoint
- Windows
Data Sources
- Process
- Command
Created: 2022-12-23