
PowerShell WebRequest Using Memory Stream

Splunk Security Content

Summary
This analytic detects potentially malicious use of PowerShell to download a payload from a URL directly into memory, a fileless malware staging technique. It monitors PowerShell Script Block Logging events (EventCode=4104) for commands that use .NET classes such as `system.net.webclient`, `system.net.webrequest`, and `IO.MemoryStream`. This matters because fileless execution lets an attacker run code in memory without leaving the traditional file-based artifacts that security tools would otherwise detect. Beyond flagging the command itself, the detection carries the user and machine details associated with the activity, which supports a fuller investigation.
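The following is an added example, not Splunk's own search logic, that applies the pattern described above to constructed EventCode 4104 records: a script block matches when it names a .NET download class (`System.Net.WebClient` or `System.Net.WebRequest`) together with `IO.MemoryStream`. It also handles one caveat a practitioner will hit in real telemetry: Windows splits long script blocks across several 4104 records that share a ScriptBlockId, so the indicators can land in different fragments and a per-record match would miss them. The field names follow the Windows event (ScriptBlockText, ScriptBlockId, MessageNumber, MessageTotal, Computer, UserID); the host names, users and script text are made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample events modelled on PowerShell Script Block Logging (EventCode 4104).
# The field names follow the Windows event; every value below is made up for this example.
SAMPLE_EVENTS = [
    # One complete block naming a download class and IO.MemoryStream: should match.
    {"EventCode": 4104, "Computer": "WS01.corp.example", "UserID": "CORP\\alice",
     "ScriptBlockId": "b1", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "$wc = New-Object System.Net.WebClient; $ms = New-Object IO.MemoryStream"},
    # Routine administration: no match.
    {"EventCode": 4104, "Computer": "WS02.corp.example", "UserID": "CORP\\bob",
     "ScriptBlockId": "b2", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-ChildItem C:\\Temp | Where-Object { $_.Length -gt 1MB }"},
    # A long block that Windows split into two 4104 records (logged out of order here):
    # the two indicators sit in different fragments, so only the reassembled block matches.
    {"EventCode": 4104, "Computer": "WS03.corp.example", "UserID": "CORP\\carol",
     "ScriptBlockId": "b3", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "$ms = New-Object IO.MemoryStream"},
    {"EventCode": 4104, "Computer": "WS03.corp.example", "UserID": "CORP\\carol",
     "ScriptBlockId": "b3", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "$req = [System.Net.WebRequest]::Create($url)"},
    # Download straight to disk, no memory stream: not the in-memory staging pattern.
    {"EventCode": 4104, "Computer": "WS04.corp.example", "UserID": "CORP\\dave",
     "ScriptBlockId": "b4", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Invoke-WebRequest -Uri $url -OutFile C:\\Temp\\report.csv"},
    # Wrong event code: ignored even though the text would match.
    {"EventCode": 4103, "Computer": "WS01.corp.example", "UserID": "CORP\\alice",
     "ScriptBlockId": "b5", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "System.Net.WebClient IO.MemoryStream"},
]

# The two halves of the pattern named on the page; PowerShell is case-insensitive.
DOWNLOAD_CLASS = re.compile(r"system\.net\.web(?:client|request)", re.IGNORECASE)
MEMORY_STREAM = re.compile(r"\bio\.memorystream\b", re.IGNORECASE)


def reassemble(events):
    """Join the fragments of each script block (same Computer and ScriptBlockId),
    ordered by MessageNumber, and return one record per block with its context."""
    fragments = defaultdict(list)
    for ev in events:
        if ev.get("EventCode") != 4104:
            continue
        fragments[(ev["Computer"], ev["ScriptBlockId"])].append(ev)
    blocks = []
    for (computer, block_id), parts in fragments.items():
        parts.sort(key=lambda e: e["MessageNumber"])
        blocks.append({
            "Computer": computer,
            "UserID": parts[0]["UserID"],
            "ScriptBlockId": block_id,
            "complete": len(parts) == parts[0]["MessageTotal"],
            "ScriptBlockText": "\n".join(p["ScriptBlockText"] for p in parts),
        })
    return blocks


def is_memory_download(text):
    """True when a .NET download class and IO.MemoryStream appear in the same block."""
    return bool(DOWNLOAD_CLASS.search(text) and MEMORY_STREAM.search(text))


def detect(events):
    """One finding per matching script block, keeping user/host context for triage."""
    findings = []
    for b in reassemble(events):
        text = b["ScriptBlockText"]
        if not is_memory_download(text):
            continue
        indicators = {m.group(0).lower() for m in DOWNLOAD_CLASS.finditer(text)}
        indicators |= {m.group(0).lower() for m in MEMORY_STREAM.finditer(text)}
        findings.append({"Computer": b["Computer"], "UserID": b["UserID"],
                         "ScriptBlockId": b["ScriptBlockId"],
                         "indicators": sorted(indicators)})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Running the block reports two findings: the single-record block on WS01 and the reassembled two-fragment block on WS03; the disk download on WS04 and the non-4104 record are not reported. Splitting a block on purpose to defeat per-record matching is exactly why the reassembly step, not just the regex, belongs in the detection.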
Categories
  • Endpoint
Data Sources
  • Pod
  • User Account
  • Application Log
ATT&CK Techniques
  • T1059
  • T1059.001
  • T1105
  • T1027.011
Created: 2024-11-13