Curl Web Request With Potential Custom User-Agent

Sigma Rules

Summary
This detection rule targets the invocation of "curl.exe" on Windows systems when the command line carries a custom "User-Agent" header. Attackers often use curl to download or exfiltrate sensitive data from specified domains, which may respond only to particular User-Agent strings. By monitoring process creation events for curl execution, the rule aims to identify potentially malicious activity that relies on custom User-Agent strings to bypass security controls or carry out data theft. The detection logic checks whether the image path ends with "\curl.exe" or the original file name is "curl.exe", and inspects the command line for a User-Agent specification (the command line containing "User-Agent:" or a header passed with "-H"). The rule carries a medium severity level: a match is not an immediate threat indicator, but it warrants review because of the utility's potential for misuse. It is useful for security teams seeking visibility into process execution and behaviour indicative of data exfiltration attempts.
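As an added illustration, not the rule's own YAML or code from its authors, the following Python approximates the selection logic described above and runs it over a handful of process-creation events. Field names follow Sysmon Event ID 1 (Image, OriginalFileName, CommandLine); the events, hosts and paths are constructed placeholders, and matching "-H" as an option token rather than a bare substring is this example's assumption.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-creation event with the three fields the rule inspects."""
    image: str
    original_file_name: str
    command_line: str


# "-H" as its own option token: start of string or whitespace before it, whitespace
# or a quote after it. Assumption: a plain substring test would also fire on text
# such as "--help" under Sigma's case-insensitive matching, so a token match is used.
_HEADER_FLAG = re.compile(r'(?:^|\s)-H(?=\s|["\'])')


def matches_rule(ev: ProcessEvent) -> bool:
    """True when the event satisfies the described logic: curl identified by Image
    suffix or OriginalFileName, and a User-Agent or -H header specification in the
    command line. String tests are case-insensitive, as Sigma's are by default."""
    is_curl = (ev.image.lower().endswith("\\curl.exe")
               or ev.original_file_name.lower() == "curl.exe")
    if not is_curl:
        return False
    has_user_agent = "user-agent:" in ev.command_line.lower()
    has_header_flag = _HEADER_FLAG.search(ev.command_line) is not None
    return has_user_agent or has_header_flag


def matching_command_lines(events):
    """Command lines of every event that would raise this alert."""
    return [ev.command_line for ev in events if matches_rule(ev)]


# Constructed sample events; hosts and paths are placeholders, not real indicators.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\curl.exe", "curl.exe",
                 'curl.exe -H "User-Agent: Mozilla/5.0" https://example.invalid/p -o out.bin'),
    ProcessEvent(r"C:\Windows\System32\curl.exe", "curl.exe",
                 "curl.exe https://example.invalid/update.txt"),
    # Renamed copy: Image no longer ends in \curl.exe, but OriginalFileName still matches.
    ProcessEvent(r"C:\Users\Public\svc.exe", "curl.exe",
                 'svc.exe --header "User-Agent: agent-1" https://example.invalid/c'),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "PowerShell.EXE",
                 "powershell.exe -c \"$h=@{'User-Agent:'='x'}\""),
    ProcessEvent(r"C:\Windows\System32\curl.exe", "curl.exe", "curl.exe --help"),
]

if __name__ == "__main__":
    for line in matching_command_lines(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Only the first and third sample events fire: the second has no header, the fourth is not curl, and the fifth carries "--help" rather than a "-H" header.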
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
Created: 2023-07-27