diff --git a/rules/windows/process_creation/process_creation_susp_shell_spawn_by_java.yml b/rules/windows/process_creation/process_creation_susp_shell_spawn_by_java.yml
index cdd6211d3..def2ed4c0 100644
--- a/rules/windows/process_creation/process_creation_susp_shell_spawn_by_java.yml
+++ b/rules/windows/process_creation/process_creation_susp_shell_spawn_by_java.yml
@@ -4,7 +4,7 @@ description: Detects suspicious shell spawn from Java host process (e.g. log4j e
 status: experimental
 author: Andreas Hunkeler (@Karneades), Florian Roth
 date: 2021/12/17
-modified: 2021/12/18
+modified: 2021/12/22
 tags:
 - attack.initial_access
 - attack.persistence
@@ -35,6 +35,7 @@ detection:
 - '\scriptrunner.exe'
 - '\mftrace.exe'
 - '\AppVLP.exe'
+ - '\curl.exe'
 condition: selection
 falsepositives:
 - Legitimate calls to system binaries
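Review bot: The new `- '\curl.exe'` entry in the second hunk widens the child-image list, but the `falsepositives` section directly below it is left at the generic `Legitimate calls to system binaries`, which no longer tells an analyst what to expect from this specific addition. curl.exe is shipped as a built-in on current Windows builds, and Java-based build, update or packaging tooling may invoke it in normal operation, so the rule is likely to fire more often in developer and CI hosts than the other listed shells. Consider adding a dedicated entry such as `- Legitimate curl.exe invocations by Java-based build, update or packaging tooling` under `falsepositives`, and re-checking whether the rule's `level` still fits the broader match. The `selection` block that defines the parent-image and image-matching modifiers starts outside the hunk, so whether this list is matched with `Image|endswith` is inferred rather than visible here.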