Windows WebDAV User Agent

Sigma Rules

Summary
This Sigma rule flags HTTP GET requests in proxy logs whose client user agent starts with 'Microsoft-WebDAV-MiniRedir/'. That string belongs to the Windows WebDAV Mini-Redirector, the WebClient service that Windows uses when a program opens a UNC path (for example \\host\share\file.hta) that resolves to a WebDAV server rather than an SMB share. Attackers use this as a download cradle: a built-in tool is pointed at a WebDAV-hosted payload, the WebClient service fetches it over HTTP in the background, and the payload runs without going through the browser or scripting download paths that other detections watch. Such requests are therefore worth correlating with command-and-control (C2) activity. The detection logic is a plain string match on the user agent plus the request method, so it is cheap to run but not specific: the same user agent appears when administrative scripts retrieve files or web content through the WebClient service, which the rule lists as its main false-positive source, so matches should be tuned against known administrative hosts rather than alerted on blindly.
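The selection logic above, run over a few constructed proxy records, as an added example that is not part of the page or of the Sigma project. The W3C-style field layout in FIELDS, the sample log lines and the allow-list helper are assumptions made for illustration; the match itself (user agent starts with 'Microsoft-WebDAV-MiniRedir/' and method GET) is the rule's.

```python
"""Added example (not the page's or the Sigma project's code): apply the
'Windows WebDAV User Agent' selection to proxy log lines.

Assumptions (mine, not from the page):
  * the proxy writes one space-separated W3C-style record per line with the
    fields in FIELDS, user agent last so that it may contain spaces;
  * the sample records below are constructed, not captured traffic.
"""

# Field names follow the Sigma 'proxy' log source convention.
FIELDS = ["date", "time", "c-ip", "cs-method", "cs-host", "cs-uri", "sc-status", "c-useragent"]

# Constructed sample log: a WebDAV fetch of an .hta, ordinary browsing, and an
# admin script pulling a file through the WebClient service (the documented false positive).
# The OPTIONS and PROPFIND lines are what the Mini-Redirector sends before its GET.
SAMPLE_LOG = """\
2024-03-01 10:00:01 10.0.0.5 OPTIONS files.example.test / 200 Microsoft-WebDAV-MiniRedir/10.0.19045
2024-03-01 10:00:01 10.0.0.5 PROPFIND files.example.test /share/ 207 Microsoft-WebDAV-MiniRedir/10.0.19045
2024-03-01 10:00:02 10.0.0.5 GET files.example.test /share/update.hta 200 Microsoft-WebDAV-MiniRedir/10.0.19045
2024-03-01 10:00:05 10.0.0.7 GET www.example.test /index.html 200 Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2024-03-01 10:00:09 10.0.0.9 GET backup.corp.test /scripts/inventory.ps1 200 Microsoft-WebDAV-MiniRedir/10.0.22621
"""

UA_PREFIX = "microsoft-webdav-miniredir/"


def parse_line(line):
    """Split one record into a dict keyed by FIELDS; the last field absorbs any remaining spaces."""
    parts = line.split(maxsplit=len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        return None  # malformed or truncated record: skip rather than guess
    return dict(zip(FIELDS, parts))


def matches_rule(event):
    """The rule's selection: c-useragent|startswith 'Microsoft-WebDAV-MiniRedir/' and cs-method 'GET'.

    Sigma string values match case-insensitively unless the 'cased' modifier is
    used, so both sides are lower-cased before comparing.
    """
    ua = event.get("c-useragent", "").lower()
    method = event.get("cs-method", "").lower()
    return ua.startswith(UA_PREFIX) and method == "get"


def scan(log_text, allowlist_hosts=()):
    """Return matching events, dropping hosts an analyst has allow-listed for admin scripts.

    The allow-list is a hypothetical tuning step, not part of the Sigma rule.
    """
    allowed = {h.lower() for h in allowlist_hosts}
    hits = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or not matches_rule(event):
            continue
        if event["cs-host"].lower() in allowed:
            continue
        hits.append(event)
    return hits


if __name__ == "__main__":
    for ev in scan(SAMPLE_LOG, allowlist_hosts={"backup.corp.test"}):
        print(f"WebDAV download: {ev['c-ip']} GET {ev['cs-host']}{ev['cs-uri']} ua={ev['c-useragent']}")
```

Two things the run makes visible. First, the rule only fires on the GET, so the OPTIONS and PROPFIND requests that the Mini-Redirector sends first are not flagged; a hunting query can widen to any method with this user agent against a host that is not on the administrative allow-list. Second, the false-positive handling has to live outside the rule: without the allow-list the inventory script's fetch from backup.corp.test is indistinguishable from the .hta download.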
Categories
  • Web
  • Endpoint
  • Cloud
  • Infrastructure
Data Sources
  • Web Credential
  • Network Traffic
  • Application Log
Created: 2018-04-06