Remote File Download via Desktopimgdownldr Utility

Elastic Detection Rules

Summary
The rule identifies use of the Windows `desktopimgdownldr.exe` utility to download a remote file. Under normal circumstances the utility fetches and sets the desktop or lock screen image, but its `/lockscreenurl` argument accepts an arbitrary URL, so an adversary can abuse it as a built-in downloader to bring tooling onto a host (ATT&CK T1105, Ingress Tool Transfer). The rule's EQL (Event Query Language) query matches process-start events in which `desktopimgdownldr.exe` is invoked with a remote URL among its arguments, which can indicate Command and Control (C2) activity. Alerts are raised from process execution logs by inspecting the utility's arguments for a suspicious remote file URL. An accompanying investigation guide explains how to triage an alert: examine the process tree and the parent that launched the utility, review whether the invoking user normally runs it, and use Osquery to inspect the host's DNS cache and the services running under user accounts. It also provides decision support for isolating a potentially compromised host and for following up on the network activity associated with the flagged process.
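The following is an added illustration, not Elastic's rule or its EQL query: a small Python model of the conditions the summary describes (Windows host, process start, `desktopimgdownldr.exe`, a `/lockscreenurl:http*` argument), run over constructed ECS-style process events. The field names, the check on the PE original file name (so a renamed copy is still caught), the sample host, user and URLs are all assumptions made for the example.

```python
"""Model of the detection logic described above, applied to constructed events.
Not Elastic's code; ECS-style field names and the renamed-binary check are assumed."""
from __future__ import annotations

from fnmatch import fnmatchcase
from typing import Any

# Argument pattern for the abuse described above. EQL's ':' operator is a
# case-insensitive wildcard match, which lower-casing plus fnmatch approximates.
LOCKSCREEN_URL_PATTERN = "/lockscreenurl:http*"


def ecs_get(event: dict, dotted: str, default: Any = None) -> Any:
    """Walk a nested document by dotted path, e.g. 'process.pe.original_file_name'."""
    node: Any = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def remote_urls(args: list[str]) -> list[str]:
    """Return the URL part of every /lockscreenurl:http* argument (case-insensitive)."""
    return [a.split(":", 1)[1] for a in args
            if fnmatchcase(a.lower(), LOCKSCREEN_URL_PATTERN)]


def matches_rule(event: dict) -> bool:
    """Windows process-start event for desktopimgdownldr.exe, matched by process name
    or (assumption) by PE original file name, with a remote /lockscreenurl argument."""
    if ecs_get(event, "host.os.type") != "windows":
        return False
    if ecs_get(event, "event.type") != "start":
        return False
    name = str(ecs_get(event, "process.name", "")).lower()
    original = str(ecs_get(event, "process.pe.original_file_name", "")).lower()
    if "desktopimgdownldr.exe" not in (name, original):
        return False
    return bool(remote_urls(ecs_get(event, "process.args", [])))


def triage_alert(event: dict) -> dict:
    """Collect the fields the investigation guide says to look at first:
    the fetched URL, the parent process and the user that launched the utility."""
    return {
        "url": remote_urls(ecs_get(event, "process.args", []))[0],
        "process": ecs_get(event, "process.name"),
        "parent": ecs_get(event, "process.parent.name"),
        "user": ecs_get(event, "user.name"),
        "host": ecs_get(event, "host.name"),
    }


def scan(events: list[dict]) -> list[dict]:
    """Apply the rule to a batch of events and return one triage record per hit."""
    return [triage_alert(e) for e in events if matches_rule(e)]


def _event(name: str, args: list[str], original: str | None = None,
           event_type: str = "start", parent: str = "cmd.exe", user: str = "jdoe") -> dict:
    """Build a constructed ECS-style event for the example; not real telemetry."""
    return {
        "event": {"type": event_type},
        "host": {"name": "WS-0042", "os": {"type": "windows"}},
        "user": {"name": user},
        "process": {
            "name": name,
            "pe": {"original_file_name": original or name},
            "args": args,
            "parent": {"name": parent},
        },
    }


# Constructed sample events (hostnames, users and URLs are invented).
SAMPLE_EVENTS = [
    # 1. Utility launched from a shell with a remote URL: should alert.
    _event("desktopimgdownldr.exe",
           ["desktopimgdownldr.exe",
            "/lockscreenurl:https://files.example.invalid/update.bin",
            "/eventName:desktopimgdownldr"]),
    # 2. Renamed copy: process.name changed, PE original name intact: should alert.
    _event("wuauhost.exe",
           ["wuauhost.exe", "/LockScreenUrl:HTTP://203.0.113.7/s.ps1"],
           original="desktopimgdownldr.exe", parent="powershell.exe"),
    # 3. Same binary without a remote URL argument: no alert.
    _event("desktopimgdownldr.exe", ["desktopimgdownldr.exe", "/eventName:spotlight"],
           parent="svchost.exe", user="SYSTEM"),
    # 4. Process *end* event for a matching command line: rule only looks at starts.
    _event("desktopimgdownldr.exe",
           ["desktopimgdownldr.exe", "/lockscreenurl:https://files.example.invalid/update.bin"],
           event_type="end"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Event 2 is the case worth keeping in mind when tuning: matching on `process.name` alone misses a renamed copy, while matching on the PE original file name does not. The triage record deliberately carries the parent process and user, since the investigation guide's first questions are who launched the utility and from where.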
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1105
Created: 2020-09-03