
Suspicious File Download From IP Via Curl.EXE

Sigma Rules

Summary
This detection rule identifies potentially malicious file downloads performed with curl.exe from URLs that point directly at an IP address. By monitoring process creation events on Windows systems, it flags command lines that indicate suspicious download behaviour: the presence of curl.exe combined with a download target given as an IP address rather than a domain name, which can indicate a threat actor fetching a malicious payload directly. The key indicators are command-line patterns that denote an IP-address download together with flags that cause the response to be saved to disk. The rule also considers file extensions commonly associated with executable or scripted content that could pose a security risk. Organisations can use this detection to identify and mitigate unauthorised file downloads early. Potential false positives are listed as 'Unknown', so triggered alerts require contextual analysis before being acted on.
Categories
  • Windows
Data Sources
  • Process
Created: 2023-07-27