Windows Curl Download to Suspicious Path

Splunk Security Content

Summary
This detection rule monitors the use of curl.exe on Windows systems to download files to suspicious paths, a technique commonly used to evade security controls and a potential indicator of malicious activity. Specifically, it detects command-line executions whose output options redirect the downloaded file into directories such as AppData, ProgramData, or Public. Such behavior can signify attempts to establish persistence or to compromise the system. The detection uses data from Endpoint Detection and Response (EDR) agents, analyzing Sysmon EventID 1 and Windows Security Event Log event 4688, as well as CrowdStrike ProcessRollup2 data, and provides insight into potentially unauthorized download activity. If validated as malicious, this activity raises the risk of code execution or data exfiltration, making the rule important for endpoint security operations.
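The following is an added example of the check described above, written here for illustration and not part of the Splunk Security Content rule itself: it parses curl.exe command lines from constructed Sysmon EventID 1 / Security 4688 style records and flags output switches that point into AppData, ProgramData or Public. The event records, field values and helper names are constructed assumptions.

```python
import re
import shlex
from typing import Optional

OUTPUT_FLAGS = ("-o", "--output")  # curl switches whose argument names the output file
# Destination directories the rule treats as suspicious, in either slash style.
SUSPICIOUS_DIRS = re.compile(r"[\\/](appdata|programdata|public)[\\/]", re.IGNORECASE)


def output_paths(cmdline: str) -> list[str]:
    """Return every file path named by an output switch in a curl command line."""
    # posix=False keeps backslashes literal (Windows paths need that) but leaves
    # quotes on quoted tokens, so they are stripped afterwards.
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    paths = []
    for i, tok in enumerate(tokens):
        if tok in OUTPUT_FLAGS and i + 1 < len(tokens):
            paths.append(tokens[i + 1])                    # -o path / --output path
        elif tok.startswith("--output="):
            paths.append(tok.split("=", 1)[1].strip('"'))  # --output=path
        elif tok.startswith("-o") and not tok.startswith("--") and len(tok) > 2:
            paths.append(tok[2:])                          # attached form: -opath
    return paths


def suspicious_download(image: str, cmdline: str) -> Optional[str]:
    """Return the flagged output path when curl.exe writes its download into a
    watched directory, otherwise None."""
    if image.replace("/", "\\").rsplit("\\", 1)[-1].lower() != "curl.exe":
        return None
    return next((p for p in output_paths(cmdline) if SUSPICIOUS_DIRS.search(p)), None)


def scan(events: list[dict]) -> list[tuple[str, str]]:
    """Apply the check to Sysmon EventID 1 (Image) or Security 4688 (NewProcessName)
    records; returns (command line, flagged path) pairs."""
    hits = []
    for ev in events:
        path = suspicious_download(ev.get("Image") or ev.get("NewProcessName", ""), ev["CommandLine"])
        if path:
            hits.append((ev["CommandLine"], path))
    return hits


# Constructed process-creation records, not real telemetry. The last one uses -O,
# which writes to the current directory: the command line alone does not reveal the
# destination, a blind spot of any command-line-only check.
CURL = r"C:\Windows\System32\curl.exe"
SAMPLE_EVENTS = [
    {"Image": CURL, "CommandLine": r"curl.exe -s http://example.invalid/u.bin -o C:\Users\Public\u.bin"},
    {"NewProcessName": CURL, "CommandLine": r'curl.exe --output="C:\ProgramData\svc\agent.exe" http://example.invalid/a'},
    {"Image": CURL, "CommandLine": r"curl.exe -o C:\Temp\report.csv https://example.invalid/report"},
    {"Image": CURL, "CommandLine": r"curl.exe -O http://example.invalid/x.bin"},
]
```

Running `scan(SAMPLE_EVENTS)` flags the first two records only; the -O case shows why correlating the process's working directory or file-creation telemetry adds coverage that the command line cannot provide.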
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
ATT&CK Techniques
  • T1105
Created: 2025-01-27