← Back to Explore
sigmamediumHunting
File Download Via Nscurl - MacOS
Detects the execution of the nscurl utility in order to download files.
Detection Query
selection:
Image|endswith: /nscurl
CommandLine|contains:
- "--download "
- "--download-directory "
- "--output "
- "-dir "
- "-dl "
- -ld
- "-o "
condition: selection
Author
Daniel Cortez
Created
2024-06-04
Data Sources
macosProcess Creation Events
Platforms
macos
References
Tags
attack.defense-evasionattack.command-and-controlattack.t1105
Raw Content
title: File Download Via Nscurl - MacOS
id: 6d8a7cf1-8085-423b-b87d-7e880faabbdf
status: test
description: Detects the execution of the nscurl utility in order to download files.
references:
- https://www.loobins.io/binaries/nscurl/
- https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl
- https://gist.github.com/nasbench/ca6ef95db04ae04ffd1e0b1ce709cadd
author: Daniel Cortez
date: 2024-06-04
tags:
- attack.defense-evasion
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: macos
detection:
selection:
Image|endswith: '/nscurl'
CommandLine|contains:
- '--download '
- '--download-directory '
- '--output '
- '-dir '
- '-dl '
- '-ld'
- '-o '
condition: selection
falsepositives:
- Legitimate usage of nscurl by administrators and users.
level: medium