
File Download Using ProtocolHandler.exe

Sigma Rules

Summary
This detection rule identifies the use of 'ProtocolHandler.exe' on Windows systems to download files over the http, https, and ftp protocols. The rule triggers when 'ProtocolHandler.exe' is executed with command-line arguments that indicate a file download using one of these protocols. Files downloaded this way are typically stored in the caching directory at '%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE', so monitoring this executable makes it possible to identify potentially unauthorized or malicious downloads. The rule checks two primary conditions: the running process image ends with 'protocolhandler.exe' or has the original file name 'ProtocolHandler.exe', and the command line contains any of the specified URL protocols. All specified conditions must be true for the detection to fire. Because protocol-based downloads can also occur in legitimate administrative activity, false positives are possible, and alerts therefore require careful post-detection analysis to verify legitimacy.
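The selection logic described above, run over constructed process-creation events, as an added example that is not the rule's own source or any Sigma backend output. It assumes Sysmon-style field names (Image, OriginalFileName, CommandLine) and that the "http, https, and ftp" protocols are matched as the scheme strings `http://`, `https://` and `ftp://`.

```python
import re
from typing import Iterable

# Sigma string matching is case-insensitive by default, so everything is lower-cased.
IMAGE_SUFFIX = "protocolhandler.exe"
ORIGINAL_FILE_NAME = "protocolhandler.exe"
# Assumed scheme strings for the http, https and ftp protocols named in the rule summary.
URL_SCHEMES = ("http://", "https://", "ftp://")
URL_RE = re.compile(r"(?:https?|ftp)://\S+", re.IGNORECASE)


def matches_rule(event: dict) -> bool:
    """Rule selection: ProtocolHandler.exe identity AND a URL scheme in the command line."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    is_protocolhandler = image.endswith(IMAGE_SUFFIX) or original == ORIGINAL_FILE_NAME
    has_url = any(scheme in cmdline for scheme in URL_SCHEMES)
    return is_protocolhandler and has_url


def extract_urls(event: dict) -> list:
    """Pull the URL(s) out of the command line so an analyst can triage the download source."""
    return URL_RE.findall(event.get("CommandLine", ""))


def find_downloads(events: Iterable[dict]) -> list:
    """Return (event, urls) pairs for every event the rule would fire on."""
    return [(e, extract_urls(e)) for e in events if matches_rule(e)]


# Constructed sample events (hypothetical paths and hosts; Sysmon EventID 1 field names assumed).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\ProtocolHandler.exe",
     "OriginalFileName": "ProtocolHandler.exe",
     "CommandLine": '"ProtocolHandler.exe" https://example.invalid/report.docx'},
    {"Image": r"C:\Users\user\AppData\Local\Temp\ph.exe",  # renamed copy, caught via OriginalFileName
     "OriginalFileName": "ProtocolHandler.exe",
     "CommandLine": "ph.exe FTP://files.example.invalid/tool.exe"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\ProtocolHandler.exe",
     "OriginalFileName": "ProtocolHandler.exe",
     "CommandLine": r'"ProtocolHandler.exe" C:\Users\user\Documents\report.docx'},  # no URL scheme
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "OriginalFileName": "msedge.exe",
     "CommandLine": "msedge.exe https://example.invalid/"},  # URL present, but not ProtocolHandler.exe
]

if __name__ == "__main__":
    for event, urls in find_downloads(SAMPLE_EVENTS):
        print(f"ALERT: {event['Image']} -> {urls}")
```

After an alert fires, the downloaded file can be looked for under the '%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE' directory named in the summary to confirm what was actually fetched.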
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Application Log
ATT&CK Techniques
  • T1218
Created: 2021-07-13