BITS Transfer Job With Uncommon Or Suspicious Remote TLD

Sigma Rules

Summary
This detection rule identifies potentially malicious downloads performed through the Background Intelligent Transfer Service (BITS) on Windows, focusing on transfer jobs whose remote source is a fully qualified domain name (FQDN) with an uncommon or suspicious top-level domain (TLD). Adversaries frequently abuse BITS to download and execute payloads persistently while evading conventional security controls. The rule monitors event ID 16403, which indicates the creation of a BITS transfer job, and applies a filter that excludes well-known, legitimate TLDs so that only jobs pointing at a TLD outside this predefined safe list are flagged. This gives security teams an alert on potential indicators of compromise (IoCs) tied to transfer jobs likely initiated by malicious actors.
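The filter logic described above, as an added example that is not the rule's own YAML: it extracts the TLD from a BITS event's RemoteName URL and flags jobs whose TLD falls outside a safe list. The allowlist and the sample events are constructed assumptions; the real rule carries its own, longer TLD filter.

```python
from urllib.parse import urlsplit
import ipaddress

# Assumed allowlist of well-known TLDs (the Sigma rule's actual list is longer
# and is not reproduced here).
COMMON_TLDS = {"com", "net", "org", "edu", "gov", "mil", "int", "io", "de", "uk"}

# Constructed sample records in the shape of parsed Microsoft-Windows-Bits-Client
# Operational events; EventID 16403 is the job-creation event the rule keys on.
SAMPLE_EVENTS = [
    {"EventID": 16403, "RemoteName": "https://download.microsoft.com/update.cab"},
    {"EventID": 16403, "RemoteName": "http://cdn.example-files.xyz/payload.dat"},
    {"EventID": 16403, "RemoteName": "HTTP://files.corp.internal.top:8080/a.bin"},
    {"EventID": 16403, "RemoteName": "http://203.0.113.10/x.exe"},
    {"EventID": 3,     "RemoteName": "http://evil.zip/x.exe"},
]


def remote_tld(remote_name: str):
    """Return the lowercase TLD of a BITS RemoteName URL, or None when the host
    is an IP literal, a single label, or cannot be parsed."""
    url = remote_name if "://" in remote_name else "//" + remote_name
    host = (urlsplit(url).hostname or "").rstrip(".")  # hostname strips port/case
    if not host:
        return None
    try:
        ipaddress.ip_address(host)
        return None  # IP literal: there is no TLD to evaluate for this rule
    except ValueError:
        pass
    labels = host.split(".")
    return labels[-1] if len(labels) > 1 else None


def is_suspicious_tld(remote_name: str, allowlist=COMMON_TLDS) -> bool:
    """True when the remote host has a TLD that is not on the safe list."""
    tld = remote_tld(remote_name)
    return tld is not None and tld not in allowlist


def match_events(events, allowlist=COMMON_TLDS):
    """Apply the rule: job-creation events (16403) with a non-allowlisted TLD."""
    return [
        e["RemoteName"]
        for e in events
        if e.get("EventID") == 16403 and is_suspicious_tld(e.get("RemoteName", ""), allowlist)
    ]


if __name__ == "__main__":
    for hit in match_events(SAMPLE_EVENTS):
        print("suspicious BITS remote:", hit)
```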
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Application Log
ATT&CK Techniques
  • T1197
Created: 2022-06-10