← Back to Explore
jamf_protectinformationalTTP
File Download Curl Insecure
This detection functions by monitoring and report on attempts using curl to download a file using the -k argument, bypassing ssl validations.
Detection Query
($event.process.path.lastPathComponent IN {"curl", "nscurl"} AND (ANY $event.process.args == "-k")) AND $event.type IN {0, 3, 4}Author
Jamf
Data Sources
File System EventsmacOS Endpoint Security
Platforms
macos
Tags
Visibility
Raw Content
---
name: FileDownloadCurlInsecure
uuid: bdc5b2ad-055c-416e-a808-26b6d00b347f
longDescription: This detection functions by monitoring and report on attempts using curl to download a file using the -k argument, bypassing ssl validations.
level: 0
inputType: GPFSEvent
tags:
snapshotFiles: []
filter: ($event.process.path.lastPathComponent IN {"curl", "nscurl"} AND
(ANY $event.process.args == "-k")) AND
$event.type IN {0, 3, 4}
actions:
- name: Log
context: []
categories:
- Visibility
version: 1
severity: Informational
shortDescription: Curl has been used with the -k argument to download a file programatically.
label: File Download Curl Insecure
remediation: Review where the file has been downloaded from.
MitreCategories:
- Visibility