
Download From Suspicious TLD - Blacklist

Sigma Rules

Summary
This detection rule flags downloads of file types commonly used for malware delivery from hosts under suspicious top-level domains (TLDs). It matches on two conditions that must both hold: the requested URI ends with one of a list of extensions that includes .exe, .vbs, .bat, .rar, .ps1 and .doc, and the requested host's DNS name ends with one of a list of TLDs that includes .country, .gdn, .loan and .top. A request that meets only one condition (an .exe fetched from a .com host, or an HTML page fetched from a .top host) does not alert. The rule is aimed at initial-access attempts delivered through a download rather than at post-exploitation activity. Because any legitimate software download from a domain under one of these TLDs also satisfies both conditions, such downloads are the main source of false positives and should be expected when tuning.
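The matching logic described above, run over a few constructed proxy log lines, as an added example (this is illustrative code, not the rule's own source or any project's code). The extension and TLD tuples hold only the values named on this page and are assumed to be a subset of the rule's real lists; the log line format (timestamp, client IP, status, method, URL) is invented for the example.

```python
from urllib.parse import urlsplit

# Assumption: these are only the values named on the page; the real rule's
# lists are longer and should be taken from the rule source.
SUSPICIOUS_EXTENSIONS = (".exe", ".vbs", ".bat", ".rar", ".ps1", ".doc")
SUSPICIOUS_TLDS = (".country", ".gdn", ".loan", ".top")


def matches_rule(host: str, uri: str) -> bool:
    """Both conditions must hold: the URI ends with a flagged extension AND
    the requested host ends with a flagged TLD (dot included, so a bare
    hostname such as 'laptop' does not match '.top')."""
    host = host.lower().rstrip(".")  # normalise case and a trailing root dot
    uri = uri.lower()
    return uri.endswith(SUSPICIOUS_EXTENSIONS) and host.endswith(SUSPICIOUS_TLDS)


def parse_proxy_line(line: str) -> dict:
    """Parse one line of the constructed format
    '<timestamp> <client-ip> <status> <method> <url>' (hypothetical format).

    The URL is split so the TLD check runs on the host and the extension
    check runs on the path only, with any query string removed."""
    ts, client, status, method, url = line.split()
    parts = urlsplit(url)
    return {
        "ts": ts,
        "client": client,
        "status": int(status),
        "method": method,
        "host": parts.hostname or "",
        "uri": parts.path,
    }


def scan(lines):
    """Return the parsed records that would raise an alert."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_proxy_line(line)
        if matches_rule(rec["host"], rec["uri"]):
            hits.append(rec)
    return hits


# Constructed sample log: three of the five requests should alert.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 200 GET http://update.example.top/setup.exe
2024-05-01T10:00:02Z 10.0.0.5 200 GET http://cdn.example.com/setup.exe
2024-05-01T10:00:03Z 10.0.0.7 200 GET http://files.example.loan/index.html
2024-05-01T10:00:04Z 10.0.0.7 200 GET http://Files.Example.GDN/invoice.DOC
2024-05-01T10:00:05Z 10.0.0.9 200 GET http://dl.example.country/payload.ps1?id=7
"""


def alert_hosts(log_text: str = SAMPLE_LOG):
    """Convenience wrapper: the hosts of every alerting request, in order."""
    return [h["host"] for h in scan(log_text.splitlines())]


if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG.splitlines()):
        print(f"ALERT {rec['ts']} {rec['client']} -> {rec['host']}{rec['uri']}")
```

One caveat the example makes visible: the last sample line carries a query string (`?id=7`). The code above strips it before the suffix check, so the request alerts. If the proxy log's URI field includes the query string and the rule is applied to that field as-is, the same download would not match, because the URI no longer ends with `.ps1`; check how your log source populates that field before trusting the rule for such requests.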
Categories
  • Web
  • Network
  • Cloud
Data Sources
  • Web Credential
  • Network Traffic
  • Process
Created: 2017-11-07