
Summary
This detection rule identifies the execution of an obfuscated PowerShell one-liner, a pattern often used to download and execute malicious PowerShell modules directly in memory. The rule looks for processes beginning with 'powershell.exe' whose command-line arguments contain certain suspicious patterns: local HTTP URLs, PowerShell syntax indicating the use of `Invoke-RestMethod` (IRM), and hints of obfuscation and module import. Attackers commonly use such tactics to avoid detection and reduce their footprint on the compromised system, since nothing necessarily needs to be written to disk. The rule is useful for detecting potential malicious activity associated with remote code execution and persistence mechanisms that abuse PowerShell capabilities.
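The following is an added illustration of the detection logic described above, not the rule's own query. It assumes process-creation events that expose a raw command line, treats the first token of that command line as the executable, and uses regexes of my own choosing for the four indicator groups; the combination logic (local URL and IRM present, plus either an obfuscation hint or a module import) is likewise an assumption. The sample command lines are constructed, not real telemetry.

```python
import re
from typing import Optional

# Indicator patterns (this example's assumptions, mirroring the summary's four groups).
LOCAL_HTTP_URL = re.compile(r"https?://(?:127\.0\.0\.1|localhost|0\.0\.0\.0)(?::\d+)?/", re.I)
IRM_USAGE = re.compile(r"(?<![\w-])(?:irm|Invoke-RestMethod)(?![\w-])", re.I)
MODULE_IMPORT = re.compile(r"(?<![\w-])(?:ipmo|Import-Module)(?![\w-])", re.I)
OBFUSCATION_HINT = re.compile(
    r"\w`\w"                 # backtick splitting a token, e.g. I`EX
    r"|\[char\]"             # building strings from character codes
    r"|['\"]\s*\+\s*['\"]"   # string-literal concatenation
    r"|-join\b"
    r"|\s-e(?:c|nc|ncodedcommand)?\s",  # encoded-command switch
    re.I,
)

def first_token(command_line: str) -> str:
    """Executable basename from a command line (handles quoted full paths)."""
    stripped = command_line.strip()
    if stripped.startswith('"'):
        exe = stripped[1:].split('"', 1)[0]
    else:
        exe = stripped.split(None, 1)[0] if stripped else ""
    return exe.replace("\\", "/").rsplit("/", 1)[-1].lower()

def evaluate(command_line: str) -> Optional[dict]:
    """Return the indicators that fired, or None when the rule does not match."""
    if first_token(command_line) != "powershell.exe":
        return None
    hits = {
        "local_http_url": bool(LOCAL_HTTP_URL.search(command_line)),
        "irm": bool(IRM_USAGE.search(command_line)),
        "obfuscation": bool(OBFUSCATION_HINT.search(command_line)),
        "module_import": bool(MODULE_IMPORT.search(command_line)),
    }
    if hits["local_http_url"] and hits["irm"] and (hits["obfuscation"] or hits["module_import"]):
        return hits
    return None

# Constructed sample process-creation command lines; index 2 is a benign local
# health check that shares two indicators but should not alert.
SAMPLE_EVENTS = [
    r'powershell.exe -nop -w hidden -c "I`EX (irm http://127.0.0.1:8080/m.ps1)"',
    r'powershell.exe -c "Import-Module (irm http://localhost:8000/tools.psm1)"',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Invoke-RestMethod http://localhost:5000/health"',
    r'cmd.exe /c curl http://127.0.0.1:8080/status',
]

def run_detection(events=SAMPLE_EVENTS) -> list:
    """Indices of events that trigger the rule."""
    return [i for i, cmd in enumerate(events) if evaluate(cmd) is not None]

if __name__ == "__main__":
    for i in run_detection():
        print(f"ALERT event[{i}]: {evaluate(SAMPLE_EVENTS[i])}")
```

Requiring the obfuscation or module-import indicator on top of the local URL and IRM usage is what keeps the benign local API call in the sample set from alerting.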
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2022-05-09