Bitsadmin to Uncommon TLD

Sigma Rules

Summary
This detection rule identifies potentially malicious use of Microsoft BITS (Background Intelligent Transfer Service), specifically outbound connections to domains with uncommon top-level domains (TLDs). BITS is frequently abused by attackers for command and control (C2) because its transfers blend in with legitimate background traffic, which makes it a worthwhile subject for detection. The rule matches a user agent string starting with 'Microsoft BITS/' and checks the destination domain against TLDs that are not typically associated with legitimate operations. Domains ending in '.com', '.net', '.org', '.scdn.co', and '.sfx.ms' are excluded to minimize false positives; BITS connections to other, uncommon TLDs are treated as a possible indicator of malicious intent. The rule is intended for environments where BITS is expected to be used for normal operations, and it aims to catch malicious behavior without disrupting legitimate software.
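The following is an added example, not the Sigma rule itself or code from its authors, that reproduces the detection logic described in the summary in Python and runs it over a handful of constructed proxy-log records. The tab-separated record format, the `parse_line`, `is_bits_to_uncommon_tld` and `detect` helpers, and every hostname in `SAMPLE_LOG` are assumptions made for this example; only the 'Microsoft BITS/' user agent prefix and the five excluded suffixes come from the rule summary.

```python
# Added example: BITS user agent to an uncommon TLD, as described in the rule summary.
# The log format and hostnames below are constructed for illustration.
from dataclasses import dataclass
from typing import Iterable, List

# User agent prefix the rule keys on (from the summary)
BITS_UA_PREFIX = "Microsoft BITS/"

# Domain suffixes the rule excludes to reduce false positives (from the summary)
EXCLUDED_SUFFIXES = (".com", ".net", ".org", ".scdn.co", ".sfx.ms")


@dataclass
class ProxyEvent:
    timestamp: str
    dst_host: str
    user_agent: str


def parse_line(line: str) -> ProxyEvent:
    """Parse one constructed record: <timestamp>\\t<dst_host>\\t<user_agent>.

    The hostname is lower-cased, a trailing dot is removed and any ':port'
    suffix is dropped so the TLD comparison is not confused by them.
    """
    ts, host, ua = line.rstrip("\n").split("\t", 2)
    host = host.strip().lower().split(":", 1)[0].rstrip(".")
    return ProxyEvent(ts, host, ua.strip())


def is_bits_to_uncommon_tld(event: ProxyEvent) -> bool:
    """True when the request came from BITS and the destination is not in the
    excluded suffix list, i.e. the condition the rule alerts on."""
    if not event.user_agent.startswith(BITS_UA_PREFIX):
        return False
    return not event.dst_host.endswith(EXCLUDED_SUFFIXES)


def detect(lines: Iterable[str]) -> List[ProxyEvent]:
    """Return the events that match the rule, in log order."""
    return [ev for ev in map(parse_line, lines) if is_bits_to_uncommon_tld(ev)]


# Constructed sample log: timestamp, destination host, user agent (tab-separated)
SAMPLE_LOG = [
    "2019-03-07T10:00:01Z\tupdate.example.com\tMicrosoft BITS/7.8",     # excluded (.com)
    "2019-03-07T10:00:02Z\texample.scdn.co\tMicrosoft BITS/7.8",        # excluded (.scdn.co)
    "2019-03-07T10:00:03Z\tfiles.example.xyz\tMicrosoft BITS/7.8",      # alert
    "2019-03-07T10:00:04Z\tfiles.example.xyz\tMozilla/5.0 (Windows NT)",  # not BITS
    "2019-03-07T10:00:05Z\tapi.example.net:443\tMicrosoft BITS/7.8",    # excluded after port strip
    "2019-03-07T10:00:06Z\tUpdate.Example.TOP.\tMicrosoft BITS/7.8",    # alert (normalised)
]


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(f"{hit.timestamp} BITS -> uncommon TLD: {hit.dst_host}")
```

Hostname normalisation matters more than it looks: without stripping the port and trailing dot, `api.example.net:443` would not end in `.net` and would raise a false alert, while `Update.Example.TOP.` would be missed by a case-sensitive comparison. Any real proxy or Sysmon source should get the same treatment before the suffix check.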
Categories
  • Network
  • Endpoint
  • Windows
Data Sources
  • Process
  • Network Traffic
Created: 2019-03-07