
Summary
This rule detects execution of the Cmdl32 utility with the command-line flags "/vpn" and "/lan", a combination attackers often leverage to achieve arbitrary file downloads through the manipulation of configuration files. As part of its normal functionality, Cmdl32.exe can therefore provide attackers with remote file access if its use is not properly monitored. The detection identifies launches of Cmdl32.exe whose command arguments contain these flags, which indicates potentially malicious activity. Alerts from this rule require further investigation of the file locations and content being accessed to determine whether the operation is legitimate. Organizations should watch for unusual Cmdl32 usage, especially with these flags, since it may indicate unauthorized file downloads.
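The following is an added example of the detection logic described above, run over constructed process-creation events; it is not part of the rule or its source repository. It assumes Sysmon Event ID 1 field names (Image, CommandLine, ParentImage, User); the sample events, paths and user names are constructed for illustration. Beyond the bare flag match, it normalizes case, matches on the image basename rather than the full path, requires both flags, and pulls out the non-flag arguments as the candidate configuration-file paths an analyst would inspect during triage.

```python
"""
Added example (not part of the original rule text): detection of the
Cmdl32 "/vpn" + "/lan" pattern over constructed process-creation events.
Field names follow Sysmon Event ID 1 naming (assumption); sample data is
constructed, not captured from a real host.
"""
import json
import re
from typing import Dict, Iterable, List

# Flags the rule keys on; both must be present, matched case-insensitively.
REQUIRED_FLAGS = ("/vpn", "/lan")

# Constructed sample events as JSON lines. Paths, users and parents are illustrative.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmdl32.exe", "CommandLine": "cmdl32.exe /vpn /lan C:\\Users\\Public\\settings.txt", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\jdoe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmdl32.exe", "CommandLine": "CMDL32.EXE /VPN /LAN \"C:\\ProgramData\\profile.cms\"", "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\asmith"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmdl32.exe", "CommandLine": "cmdl32.exe /vpn", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\SYSTEM"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe /vpn /lan", "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\jdoe"}
"""

# Tokenizer for Windows-style command lines: quoted tokens keep embedded spaces.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def parse_events(lines: str) -> List[Dict]:
    """Parse JSON-lines input into event dictionaries, skipping blank lines."""
    return [json.loads(line) for line in lines.splitlines() if line.strip()]


def image_basename(image: str) -> str:
    """Return the lower-cased file name of an image path (handles \\ and /)."""
    return re.split(r"[\\/]", image)[-1].lower()


def split_cmdline(command_line: str) -> List[str]:
    """Split a command line into tokens, stripping surrounding double quotes."""
    return [
        m.group(1) if m.group(1) is not None else m.group(2)
        for m in TOKEN_RE.finditer(command_line)
    ]


def has_required_flags(command_line: str) -> bool:
    """True only when every flag in REQUIRED_FLAGS appears as its own token."""
    tokens = {t.lower() for t in split_cmdline(command_line)}
    return all(flag in tokens for flag in REQUIRED_FLAGS)


def detect(events: Iterable[Dict]) -> List[Dict]:
    """Return triage records for process-creation events matching the rule."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        # Match on the basename so a renamed directory or mixed case does not evade.
        if image_basename(ev.get("Image", "")) != "cmdl32.exe":
            continue
        cmd = ev.get("CommandLine", "")
        if not has_required_flags(cmd):
            continue
        # Triage context: treat any non-flag argument after the executable as a
        # candidate configuration file path to inspect (assumption about layout).
        args = split_cmdline(cmd)[1:]
        candidate_paths = [a for a in args if not a.startswith("/")]
        hits.append({
            "user": ev.get("User"),
            "parent": ev.get("ParentImage"),
            "command_line": cmd,
            "candidate_config_paths": candidate_paths,
        })
    return hits


if __name__ == "__main__":
    for hit in detect(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(hit))
```

Of the four constructed events, only the first two match: the third runs cmdl32.exe with "/vpn" alone, and the fourth carries both flags but under a different image. Each hit records the user, parent process and command line, plus the extracted path(s) the rule text says to examine, so the analyst can check the file's location and contents before deciding whether the download is authorized.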
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2021-11-03