add encoded url via curl (#1127)

nasbench · web-flow · commit d787a721ae2f · 2026-02-02T17:41:15.000+01:00
diff --git a/datasets/attack_techniques/T1027/url_encoded_curl/linux-sysmon.log b/datasets/attack_techniques/T1027/url_encoded_curl/linux-sysmon.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:17e68325c4a924d85169fe4a1754c9d74f51a0b4f5f51fb754c02b37d620c961
+size 1755
diff --git a/datasets/attack_techniques/T1027/url_encoded_curl/url_encoded_curl.yml b/datasets/attack_techniques/T1027/url_encoded_curl/url_encoded_curl.yml
@@ -0,0 +1,17 @@
+author: Nasreddine Bencherchali, Splunk
+id: d9db07a0-13da-4fc5-8abe-451188ce3aa1
+date: '2026-02-02'
+description: Generated dataset for URL encoded curl commands used in obfuscation techniques.
+environment: attack_range
+directory: url_encoded_curl
+mitre_technique:
+- T1027
+datasets:
+- name: linux-sysmon
+  path: /datasets/attack_techniques/T1027/url_encoded_curl/linux-sysmon.log
+  sourcetype: sysmon:linux
+  source: Syslog:Linux-Sysmon/Operational
+- name: windows-sysmon
+  path: /datasets/attack_techniques/T1027/url_encoded_curl/windows-sysmon.log
+  sourcetype: XmlWinEventLog
+  source: XmlWinEventLog:Windows-Sysmon/Operational
diff --git a/datasets/attack_techniques/T1027/url_encoded_curl/windows-sysmon.log b/datasets/attack_techniques/T1027/url_encoded_curl/windows-sysmon.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e5ff5e20583627513c6fb99a5763e913fe5c6b6cbc983c13b0c236090968d26c
+size 6249

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:17e68325c4a924d85169fe4a1754c9d74f51a0b4f5f51fb754c02b37d620c961`
	`3`	`+size 1755`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:e5ff5e20583627513c6fb99a5763e913fe5c6b6cbc983c13b0c236090968d26c`
	`3`	`+size 6249`