
Roshal Archive (RAR) or PowerShell File Downloaded from the Internet
Elastic Detection Rules
Summary
This detection rule identifies instances where a Roshal Archive (RAR) file or a PowerShell script is downloaded from the internet to an internal host. Such downloads are often indicative of initial access attempts in which adversaries retrieve encrypted or encoded tooling for lateral movement while evading detection. This is particularly concerning in managed network environments, where such behavior is atypical and may represent malware activity, data exfiltration, or command and control operations. The rule uses several network and endpoint data sources to monitor traffic and flags these downloads when they originate from external IPs that are not typically accessed. False positive management is crucial, as legitimate software updates and administrative tasks may trigger alerts. Investigation can include analyzing source and destination IPs, reviewing logs, and verifying user account activity. Response measures should include isolating affected hosts, scanning for malware, and implementing network segmentation to prevent lateral movement.
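The following is an added illustration of the detection logic this rule summary describes, written here as a small Python script; it is not Elastic's rule, query, or code. It runs over a few constructed HTTP proxy log lines (timestamp, source IP, destination IP, method, URL), flags GET requests whose URL path ends in .rar or .ps1 when an internal host fetches from an external destination, and shows the allowlist tuning knob the summary's false-positive note calls for. The log format, the sample addresses (documentation ranges) and the allowlisted update server are all assumptions made for the example.

```python
"""Toy detector: flag RAR / PowerShell downloads pulled from external hosts."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Constructed sample HTTP proxy log (not real traffic):
# <timestamp> <source_ip> <destination_ip> <method> <url>
SAMPLE_LOG = """\
2020-07-02T10:00:01Z 10.1.2.15 203.0.113.40 GET http://203.0.113.40/tools/payload.RAR
2020-07-02T10:00:05Z 10.1.2.15 203.0.113.40 GET http://203.0.113.40/stage/run.ps1?v=2
2020-07-02T10:01:10Z 10.1.2.20 10.1.5.9 GET http://fileshare.corp.local/backup/archive.rar
2020-07-02T10:02:33Z 10.1.2.22 198.51.100.7 GET http://updates.example.test/Install.ps1
2020-07-02T10:03:00Z 10.1.2.30 203.0.113.99 GET http://203.0.113.99/index.html
"""

# File types the rule is interested in (matched on the URL path, case-insensitively)
SUSPICIOUS_EXTENSIONS = (".rar", ".ps1")

# Address ranges treated as "internal": explicit RFC 1918 plus loopback and
# link-local, rather than ipaddress's is_private, because that property also
# covers the documentation ranges (203.0.113.0/24 etc.) used in the sample.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Hypothetical allowlist of external update servers the organisation expects
# to reach; this is where legitimate software-update traffic gets tuned out.
KNOWN_EXTERNAL = frozenset({"198.51.100.7"})


@dataclass(frozen=True)
class Alert:
    timestamp: str
    source_ip: str
    destination_ip: str
    url: str
    extension: str


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of INTERNAL_NETWORKS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def suspicious_extension(url: str) -> Optional[str]:
    """Return the matching extension of the URL path, ignoring the query string."""
    path = urlsplit(url).path.lower()
    for ext in SUSPICIOUS_EXTENSIONS:
        if path.endswith(ext):
            return ext
    return None


def detect(log_lines: Iterable[str], allowlist=KNOWN_EXTERNAL) -> List[Alert]:
    """Flag GET requests for .rar/.ps1 files where an internal host pulls from
    an external destination that is not on the allowlist."""
    alerts: List[Alert] = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # malformed line: skip rather than crash the pipeline
        ts, src, dst, method, url = fields
        if method != "GET":
            continue
        if not is_internal(src) or is_internal(dst):
            continue  # internal-to-internal or inbound traffic is out of scope
        if dst in allowlist:
            continue  # expected update server, suppress as a known false positive
        ext = suspicious_extension(url)
        if ext is None:
            continue
        alerts.append(Alert(ts, src, dst, url, ext))
    return alerts


def run_sample() -> List[Alert]:
    """Run the detector over the constructed sample log."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.timestamp} {a.source_ip} -> {a.destination_ip} "
              f"fetched {a.extension}: {a.url}")
```

On the sample, only the two fetches from 203.0.113.40 are flagged: the internal file share is excluded by the address check, the allowlisted update server is suppressed, and the HTML page does not match an extension of interest. In a real deployment the allowlist and the internal-range list are the two pieces that need to be kept in step with the environment, since a stale allowlist produces the false positives the summary warns about.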
Categories
- Network
- Endpoint
Data Sources
- Network Traffic
- Application Log
- Container
ATT&CK Techniques
- T1105
Created: 2020-07-02