
Remote File Download via MpCmdRun

Elastic Detection Rules

Summary
This detection rule identifies abuse of the Windows Defender command-line utility (MpCmdRun.exe) to download remote files, potentially including malware. By monitoring process creation events on Windows hosts, the rule watches for the specific command-line arguments to MpCmdRun.exe that indicate a download action. It uses an EQL query that matches process start events for MpCmdRun.exe and filters on arguments indicative of a file download. The rule notes the risk of attackers using trusted, signed Windows utilities for malicious purposes and emphasizes closely examining process creation events associated with this utility. The investigation guide included with the rule provides follow-up steps, including examining the process tree, the actions of the user account involved, and the network connections related to the suspicious download.
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1105
Created: 2020-09-03