
Windows Cobalt Strike PowerShell Loader

Splunk Security Content

Summary
This rule detects the final stage of a Cobalt Strike PowerShell loader on Windows endpoints. It targets the in-memory payload retrieval and execution pattern the loader uses: a PowerShell script block that decompresses a gzip-compressed payload and passes the result through a pipeline to IEX (Invoke-Expression), so the second stage is evaluated without ever being written to disk. The trigger is anchored to Windows PowerShell Script Block Logging (Event ID 4104) and to that exact decompress-and-evaluate pattern; Script Block Logging must therefore be enabled on the endpoint for the rule to fire at all.

The detection is designed for endpoint telemetry from EDR agents. It requires process context (process GUID, name, parent, and the full command line) and maps to the CIM Endpoint Processes data model so that hits correlate reliably with process events. Drilldown searches and risk views surface results by user and host and show related risk events over time.

Legitimate red-team or security-testing activity produces the same pattern. Maintain an allowlist of approved tools, hosts and testing windows to reduce false positives.
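The following is an added example, not the Splunk search shipped with this detection. It runs the logic described above over a handful of constructed 4104 records: it requires both halves of the pattern (a GzipStream opened for decompression plus an IEX/Invoke-Expression sink), suppresses hits that fall inside an approved host-and-time allowlist, and decodes the embedded blob so an analyst can see what the loader would have executed. The regexes are an approximation of the pattern, and every hostname, user, time window and the stand-in second stage are invented.

```python
import base64
import gzip
import re
from datetime import datetime, timezone
from typing import Optional

# --- Constructed telemetry --------------------------------------------------
# Made-up Script Block Logging (Event ID 4104) records reduced to the fields the
# detection needs. None of this is real data; hostnames and users are invented.

def _gzip_b64(script: str) -> str:
    """Compress and base64-encode a script the way the loader embeds its next stage."""
    return base64.b64encode(gzip.compress(script.encode("utf-8"))).decode("ascii")

# Stand-in for the second stage; a real loader carries the Cobalt Strike stager here.
STAGE2 = "Set-StrictMode -Version 2\n$DoIt = @'\n# reflective loader would follow\n'@\n"

# The decompress-in-memory-and-evaluate pattern, with the decoded stream piped to IEX.
LOADER_BLOCK = (
    "(New-Object IO.StreamReader(New-Object IO.Compression.GzipStream("
    "(New-Object IO.MemoryStream(,[Convert]::FromBase64String('" + _gzip_b64(STAGE2) + "'))),"
    "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd() | IEX"
)

SAMPLE_EVENTS = [
    # 1. Loader on a finance workstation, outside any approved test window: should alert.
    {"_time": "2026-04-13T09:12:41Z", "EventCode": 4104, "Computer": "ws-finance-07.corp.example",
     "UserID": "CORP\\a.lee", "ScriptBlockText": LOADER_BLOCK},
    # 2. Same loader from the red team's jump host during an approved window: suppressed.
    {"_time": "2026-04-13T22:05:03Z", "EventCode": 4104, "Computer": "rt-jump-01.corp.example",
     "UserID": "CORP\\redteam-svc", "ScriptBlockText": LOADER_BLOCK},
    # 3. Admin script that gunzips a rotated log: GzipStream + Decompress, but nothing is evaluated.
    {"_time": "2026-04-13T10:30:00Z", "EventCode": 4104, "Computer": "srv-app-02.corp.example",
     "UserID": "CORP\\ops-admin", "ScriptBlockText":
     "$in = New-Object IO.FileStream('C:\\logs\\app.log.gz', 'Open'); "
     "$gz = New-Object IO.Compression.GzipStream($in, [IO.Compression.CompressionMode]::Decompress); "
     "(New-Object IO.StreamReader($gz)).ReadToEnd() | Out-File C:\\logs\\app.log"},
    # 4. IEX of a literal with no compression: out of scope for this rule.
    {"_time": "2026-04-13T11:00:00Z", "EventCode": 4104, "Computer": "ws-finance-07.corp.example",
     "UserID": "CORP\\a.lee", "ScriptBlockText": "'Get-Date' | IEX"},
    # 5. Module logging event (4103), not a script block: ignored by EventCode.
    {"_time": "2026-04-13T11:01:00Z", "EventCode": 4103, "Computer": "ws-finance-07.corp.example",
     "UserID": "CORP\\a.lee", "ScriptBlockText": LOADER_BLOCK},
]

# --- Detection logic ---------------------------------------------------------
# Both halves of the pattern must be present: a GzipStream opened for decompression
# and an evaluation sink (piped to IEX/Invoke-Expression, or wrapped in IEX(...)).
GZIP_DECOMPRESS = re.compile(r"IO\.Compression\.GzipStream.*?CompressionMode\]::Decompress", re.I | re.S)
EVAL_SINK = re.compile(r"\|\s*(?:IEX|Invoke-Expression)\b|\b(?:IEX|Invoke-Expression)\s*\(", re.I)
FROM_B64 = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)

def is_loader(script_block: str) -> bool:
    """True when a script block decompresses gzip data in memory and evaluates the result."""
    return bool(GZIP_DECOMPRESS.search(script_block) and EVAL_SINK.search(script_block))

# Allowlist of approved testing: hosts and UTC windows agreed with the red team (invented values).
APPROVED_HOSTS = {"rt-jump-01.corp.example"}
TEST_WINDOWS = [
    (datetime(2026, 4, 13, 20, 0, tzinfo=timezone.utc), datetime(2026, 4, 14, 4, 0, tzinfo=timezone.utc)),
]

def is_approved(event: dict) -> bool:
    """Suppress only when both the host and the time fall inside an approved engagement."""
    t = datetime.fromisoformat(event["_time"].replace("Z", "+00:00"))
    return event["Computer"] in APPROVED_HOSTS and any(start <= t < end for start, end in TEST_WINDOWS)

def run_detection(events: list) -> list:
    """Apply the rule to 4104 events and return one risk record per unsuppressed hit."""
    hits = []
    for ev in events:
        if ev.get("EventCode") != 4104 or not is_loader(ev.get("ScriptBlockText", "")):
            continue
        if is_approved(ev):
            continue
        hits.append({"time": ev["_time"], "user": ev["UserID"], "host": ev["Computer"],
                     "risk_object": [ev["UserID"], ev["Computer"]]})
    return hits

def recover_payload(script_block: str) -> Optional[str]:
    """Analyst check: decode the embedded base64+gzip blob to see what the loader would run."""
    m = FROM_B64.search(script_block)
    if not m:
        return None
    return gzip.decompress(base64.b64decode(m.group(1))).decode("utf-8", "replace")

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(f"{hit['time']} {hit['user']}@{hit['host']}")
    print(recover_payload(LOADER_BLOCK))
```

Requiring both the decompression and the evaluation sink is what keeps the benign gunzip-to-file script (event 3) and the plain `| IEX` (event 4) out of the results; the allowlist is deliberately a conjunction of host and window, so an approved host running the loader outside its engagement still alerts.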
Categories
  • Endpoint
  • Windows
Data Sources
  • Script
ATT&CK Techniques
  • T1608
  • T1059.001
Created: 2026-04-13