
Summary
This rule detects PowerShell scripts that use the 'FromBase64String' method to decode Gzip archives, a common technique for executing malicious payloads in memory. It inspects the 'ScriptBlockText' field of script block logs for markers associated with this behavior: a script that contains 'FromBase64String', 'MemoryStream', and the Gzip header 'H4sI' triggers an alert. The rule requires Script Block Logging to be enabled on Windows so that these scripts are captured. While the detection is effective at recognizing unauthorized activity, it may produce false positives from legitimate administrative scripts that use the same functions for valid purposes. To reduce them, analysts should review their environment for normal usages of similar script patterns so that alerts are assessed in proper context.
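The check described above, run over constructed script block log records, as an added example that is not part of the rule or the page. It assumes the rule's condition is "ScriptBlockText contains all three markers" with case-insensitive matching (the default for Sigma string modifiers); the sample events and their Base64 prefix are constructed placeholders, not real telemetry.

```python
# Markers the rule looks for in ScriptBlockText (Event ID 4104).
# "H4sI" is the Base64 encoding of the gzip magic bytes 1f 8b 08.
MARKERS = ("FromBase64String", "MemoryStream", "H4sI")


def matches_rule(script_block_text: str) -> bool:
    """Return True when ScriptBlockText contains all three markers.
    Sigma 'contains' matching is case-insensitive, so this check is too."""
    text = script_block_text.lower()
    return all(m.lower() in text for m in MARKERS)


def evaluate(events: list[dict]) -> list[dict]:
    """Run the check over 4104-style records; return the ones that alert."""
    return [e for e in events if matches_rule(e.get("ScriptBlockText", ""))]


# Constructed sample records (not real telemetry). The Base64 string in the
# first record is a placeholder carrying only the gzip prefix.
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockId": "c1",
     "ScriptBlockText": "$b=[Convert]::FromBase64String('H4sIAAAAAAAA...');"
                        "$ms=New-Object IO.MemoryStream(,$b)"},
    {"EventID": 4104, "ScriptBlockId": "c2",
     # Admin-style use: Base64 into a MemoryStream, but no gzip header,
     # so the rule stays quiet (this is the false-positive boundary).
     "ScriptBlockText": "$bytes=[convert]::frombase64string($cert);"
                        "$s=New-Object IO.MemoryStream(,$bytes)"},
    {"EventID": 4104, "ScriptBlockId": "c3",
     "ScriptBlockText": "Get-Content archive.gz | Select-Object -First 1"},
]


def alerting_ids(events: list[dict] = SAMPLE_EVENTS) -> list[str]:
    """ScriptBlockIds of the records that trigger the rule."""
    return [e["ScriptBlockId"] for e in evaluate(events)]


if __name__ == "__main__":
    print(alerting_ids())  # ['c1']
```

PowerShell splits large script blocks across several 4104 events, so the three markers can land in different fragments; like the rule itself, this check evaluates each event on its own.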
Categories
- Endpoint
- Windows
- On-Premise
Data Sources
- Script
- Process
Created: 2022-12-23