
Summary
This detection rule identifies potentially malicious use of PresentationHost.exe, the Windows host process for XAML Browser Applications (.xbap), to retrieve files from remote locations. Because PresentationHost.exe is a Microsoft-signed .NET Framework binary that accepts a URL as its argument, an attacker can use it to pull an .xbap or other content from an attacker-controlled server while blending in with legitimate system activity. The rule flags process creation events in which PresentationHost.exe is launched with a command line containing a URL scheme associated with file retrieval (http://, https://, or ftp://).
The detection logic combines an image check with command-line analysis. The selection matches when the process image path ends with 'presentationhost.exe' or the binary's original filename (taken from its PE version resource) is 'PresentationHost.exe'; the second condition still catches a copy of the binary that has been renamed. A process creation event that satisfies that selection and whose command line contains 'http://', 'https://', or 'ftp://' triggers the alert. The rule is rated medium: a hit is not by itself proof of compromise, since legitimate XBAP deployments hosted on internal web servers are launched the same way, but it warrants investigation. Tuning for such environments should exclude the known hosting URLs rather than the binary itself, and triage should establish which URL was fetched, who controls that host, and whether the parent process is one expected to launch PresentationHost.exe.
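The following is an added example, not code from the rule or its authors: a Python re-implementation of the detection logic described above, run over a handful of constructed Sysmon-style process creation events. The field names Image, OriginalFileName and CommandLine follow the Sysmon Event ID 1 schema; the event records, paths and hostnames are made up for the demonstration, and anchoring the image check on a preceding backslash is a choice made here so that a binary such as 'notpresentationhost.exe' does not match.

```python
# Added example (not the rule's own code): the selection and command-line
# checks described in the summary, applied to constructed process events.

# URL schemes the rule treats as evidence of a remote fetch.
DOWNLOAD_PROTOCOLS = ("http://", "https://", "ftp://")


def is_presentationhost(event: dict) -> bool:
    """Selection: image path ends with \\presentationhost.exe OR the PE
    original filename is PresentationHost.exe. Sigma string matching is
    case-insensitive, so both sides are lower-cased before comparison.
    The backslash anchor is an assumption made in this example."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\presentationhost.exe") or original == "presentationhost.exe"


def has_download_url(event: dict) -> bool:
    """Command line contains any of the file-transfer URL schemes."""
    cmd = event.get("CommandLine", "").lower()
    return any(scheme in cmd for scheme in DOWNLOAD_PROTOCOLS)


def rule_matches(event: dict) -> bool:
    """condition: selection AND command-line check."""
    return is_presentationhost(event) and has_download_url(event)


def run_rule(events) -> list:
    """Return the ids of all events that would raise the alert."""
    return [e["Id"] for e in events if rule_matches(e)]


# Constructed sample events (hypothetical paths and hosts).
NET_DIR = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\"
SAMPLE_EVENTS = [
    {   # Remote .xbap fetched over HTTPS: should alert.
        "Id": 1,
        "Image": NET_DIR + "PresentationHost.exe",
        "OriginalFileName": "PresentationHost.exe",
        "CommandLine": "PresentationHost.exe https://files.example.invalid/app.xbap",
    },
    {   # Normal host start-up with no URL: should not alert.
        "Id": 2,
        "Image": NET_DIR + "PresentationHost.exe",
        "OriginalFileName": "PresentationHost.exe",
        "CommandLine": "PresentationHost.exe -embedding",
    },
    {   # Renamed copy of the binary, upper-case FTP scheme: the
        # OriginalFileName check and case-insensitive match still catch it.
        "Id": 3,
        "Image": "C:\\Users\\Public\\ph.exe",
        "OriginalFileName": "PresentationHost.exe",
        "CommandLine": "ph.exe FTP://files.example.invalid/payload.xbap",
    },
    {   # A different downloader: out of scope for this rule.
        "Id": 4,
        "Image": "C:\\Windows\\System32\\curl.exe",
        "OriginalFileName": "curl.exe",
        "CommandLine": "curl https://files.example.invalid/tool.exe",
    },
    {   # Local .xbap path, no URL scheme: should not alert.
        "Id": 5,
        "Image": NET_DIR + "PresentationHost.exe",
        "OriginalFileName": "PresentationHost.exe",
        "CommandLine": "PresentationHost.exe C:\\Apps\\local.xbap",
    },
]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        verdict = "ALERT" if rule_matches(event) else "ok"
        print(f"{event['Id']}: {verdict:5} {event['CommandLine']}")
    print("alerting event ids:", run_rule(SAMPLE_EVENTS))
```

Event 3 is the one worth noting: the image path alone would miss the renamed copy, and a scheme check that is case-sensitive would miss the upper-case FTP URL, which is why the summary's selection carries both the image and original-filename conditions and why the comparison is done case-insensitively. Event 2 shows the common benign launch that the URL condition is there to exclude.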
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2022-08-19