
Summary
This rule detects suspicious file downloads originating from known file-sharing and paste-sharing domains, which can indicate threats such as malware distribution or file tampering. Specifically, it scrutinizes download activity for file types and extensions that are commonly abused for malicious purposes, including executables and scripts. Detection works by analyzing create-stream-hash logs on Windows, identifying files obtained from the specified suspicious domains that carry designated, potentially harmful extensions. The rule is marked experimental, meaning it is still being refined against emerging threats, and carries a high severity level reflecting the risk associated with dubious file downloads. Its detection conditions require both the download domain and a listed file extension to be present before an alert is generated, which reduces false positives while keeping threat identification robust.
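The following is an added example, not code from the rule or its project, showing the two-condition logic described above applied to constructed create-stream-hash records. On Windows, a download's Zone.Identifier alternate data stream carries ZoneId=3 and, on recent Windows versions, a HostUrl line naming the source; the stream-creation event records that content alongside the target file name. The domain list, extension list, field names and sample events below are assumptions chosen for illustration and are not the rule's actual lists.

```python
# Added example: detection of downloads from suspicious domains with suspicious
# extensions, run over constructed stream-creation records (not the rule's own code).
from typing import Iterable, List, Optional
from urllib.parse import urlparse

# Assumption: placeholder domains and extensions, not the rule's real lists.
SUSPICIOUS_DOMAINS = ("fileshare.example", "paste.example")
SUSPICIOUS_EXTENSIONS = (".exe", ".dll", ".ps1", ".bat", ".vbs", ".js", ".hta", ".msi", ".scr")


def host_url(contents: str) -> Optional[str]:
    """Return the HostUrl value from Zone.Identifier stream contents, or None."""
    for line in contents.splitlines():
        if line.startswith("HostUrl="):
            return line[len("HostUrl="):].strip()
    return None


def is_suspicious(event: dict) -> bool:
    """Alert only when BOTH conditions hold: listed extension AND listed source domain."""
    target = event.get("TargetFilename", "").lower()
    if not target.endswith(SUSPICIOUS_EXTENSIONS):
        return False
    url = host_url(event.get("Contents", ""))
    if url is None:
        return False
    host = (urlparse(url).hostname or "").lower()
    # Exact host or a subdomain of a listed domain; a longer unrelated host that merely
    # contains the string (e.g. fileshare.example.attacker.test) does not match.
    return any(host == d or host.endswith("." + d) for d in SUSPICIOUS_DOMAINS)


def detect(events: Iterable[dict]) -> List[str]:
    """Return the target file names of every event that satisfies the rule."""
    return [e["TargetFilename"] for e in events if is_suspicious(e)]


# Constructed sample records mimicking the fields of stream-creation events.
SAMPLE_EVENTS = [
    {"TargetFilename": r"C:\Users\alice\Downloads\invoice.exe",
     "Contents": "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://fileshare.example/\r\n"
                 "HostUrl=https://fileshare.example/dl/abc123/invoice.exe\r\n"},
    {"TargetFilename": r"C:\Users\alice\Downloads\report.pdf",   # domain hits, extension does not
     "Contents": "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://fileshare.example/dl/report.pdf\r\n"},
    {"TargetFilename": r"C:\Users\alice\Downloads\setup.msi",    # extension hits, domain does not
     "Contents": "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://downloads.vendor.example/setup.msi\r\n"},
    {"TargetFilename": r"C:\Users\alice\Downloads\script.ps1",
     "Contents": "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://paste.example/raw/xyz\r\n"},
    {"TargetFilename": r"C:\Users\alice\Downloads\notes.txt",    # no HostUrl recorded at all
     "Contents": "[ZoneTransfer]\r\nZoneId=3\r\n"},
    {"TargetFilename": r"C:\Users\bob\Downloads\tool.dll",       # subdomain of a listed domain
     "Contents": "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://cdn.fileshare.example/tool.dll\r\n"},
]

if __name__ == "__main__":
    for name in detect(SAMPLE_EVENTS):
        print("ALERT:", name)
```

Matching on the parsed hostname of HostUrl rather than on a raw substring of the stream contents is a deliberate tightening: a plain "contains" match would also fire on a ReferrerUrl mention or on an unrelated host that happens to embed the listed domain as a prefix. Whichever form is used, the extension check alone is noisy (legitimate installers are executables), so the domain condition is what keeps the rule's false-positive rate acceptable.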
Categories
- Windows
- Network
Data Sources
- File
- Network Traffic
Created: 2022-08-24