
Summary
This detection rule identifies potentially malicious PowerShell scripts that use a memory stream as a backing store, based on PowerShell Script Block Logging events (Event Code 4104). It looks for script blocks that create new objects backed by memory streams, behavior that is suspect because it is characteristic of in-memory code execution. Attackers often use this technique to keep malicious payloads off disk and out of reach of file-based detection: by decoding and running code directly from memory they can evade detection while potentially maintaining persistence and executing arbitrary commands on the host. Deploying this rule requires enabling PowerShell Script Block Logging on endpoints so that the relevant 4104 events are captured and available for analysis.
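As an added example that is not part of the rule or its search, the following Python applies the check described above to constructed 4104-style records: it keeps only Script Block Logging events whose ScriptBlockText instantiates a MemoryStream. The record fields, the sample events and the two MemoryStream patterns are assumptions for illustration, not the rule's actual query.

```python
import re

# Constructed sample records shaped like PowerShell Script Block Logging
# events (EventCode 4104). These are made up for the example, not real logs.
SAMPLE_EVENTS = [
    {"EventCode": 4104, "Computer": "ws01.example.local", "UserID": "S-1-5-21-1",
     "ScriptBlockText": "Get-ChildItem C:\\Temp | Sort-Object Length"},
    {"EventCode": 4104, "Computer": "ws02.example.local", "UserID": "S-1-5-21-2",
     "ScriptBlockText": "$ms = New-Object System.IO.MemoryStream; "
                        "$sr = New-Object System.IO.StreamReader($ms)"},
    {"EventCode": 4104, "Computer": "ws03.example.local", "UserID": "S-1-5-21-3",
     "ScriptBlockText": "$m = [System.IO.MemoryStream]::new($bytes); "
                        "$gz = New-Object IO.Compression.GZipStream($m, "
                        "[IO.Compression.CompressionMode]::Decompress)"},
    # Same text but a different event code: not a script block event, so ignored.
    {"EventCode": 4103, "Computer": "ws04.example.local", "UserID": "S-1-5-21-4",
     "ScriptBlockText": "New-Object System.IO.MemoryStream"},
]

# Assumed patterns: the New-Object cmdlet form and the .NET static ::new() form,
# with or without the leading "System." namespace prefix.
MEMORYSTREAM_RE = re.compile(
    r"(?:New-Object\s+(?:System\.)?IO\.MemoryStream"
    r"|\[(?:System\.)?IO\.MemoryStream\]::new\s*\()",
    re.IGNORECASE,
)


def find_memorystream_blocks(events):
    """Return the 4104 events whose script block creates a MemoryStream."""
    hits = []
    for ev in events:
        if ev.get("EventCode") != 4104:
            continue
        text = ev.get("ScriptBlockText", "")
        if MEMORYSTREAM_RE.search(text):
            hits.append({"Computer": ev["Computer"],
                         "UserID": ev["UserID"],
                         "ScriptBlockText": text})
    return hits


if __name__ == "__main__":
    for hit in find_memorystream_blocks(SAMPLE_EVENTS):
        print(f"{hit['Computer']} {hit['UserID']}: {hit['ScriptBlockText']}")
```

MemoryStream objects also appear in legitimate scripts (for example compression and serialization helpers), so a hit is a lead to review alongside the rest of the script block rather than a conviction on its own.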
Categories
- Endpoint
- Windows
Data Sources
- Pod
- User Account
ATT&CK Techniques
- T1059.001
- T1059
Created: 2024-11-13