Curl Execution with Percent Encoded URL

The following analytic detects the execution of the curl utility where the command line includes percent-encoded characters and explicit file output options (such as -o or --output). It leverages process execution telemetry from Endpoint Detection and Response (EDR) data sources to identify curl commands that may be using URL encoding to obfuscate download locations or payload paths. This behavior is notable because percent-encoded URLs are commonly used by adversaries to evade simple string-based detections, hide malicious infrastructure, or bypass network security controls. When combined with file download behavior, this activity may indicate malware staging, payload retrieval, or secondary tool deployment. Analysts should review the decoded URL, destination host, parent process, and downloaded file to determine whether the activity is authorized or malicious. The analytic calculates the number of percent (%) characters in the curl command line and triggers when a threshold of three or more is met, indicating potential URL encoding. Adjust the threshold as needed based on your environment and tuning requirements.