Suspicious Download From Direct IP Via Bitsadmin

Sigma Rules

Summary
This detection rule identifies use of the Windows utility 'bitsadmin.exe', which manages background file transfers (BITS jobs), to download files from URLs whose host is a literal IP address rather than a domain name. Such activity is noteworthy because it is typically associated with evasion by threat actors who stage malicious files on infrastructure that has no DNS name. The rule combines several selections on the command line passed to bitsadmin: it checks for the commands that initiate a file transfer, looks for URL patterns that indicate a download from an IP address rather than a traditional domain-based URL, and filters out commonly accepted transfer usage that does not indicate malicious intent. The rule is assigned a high level because a download of this kind can lead to further compromise or data exfiltration.
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Command
Created: 2022-06-28