File Download Via Nscurl - MacOS

Detects the execution of the nscurl utility in order to download files.

Sigma rule (View on GitHub)

 1title: File Download Via Nscurl - MacOS
 2id: 6d8a7cf1-8085-423b-b87d-7e880faabbdf
 3status: experimental
 4description: Detects the execution of the nscurl utility in order to download files.
 5references:
 6    - https://www.loobins.io/binaries/nscurl/
 7    - https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl
 8    - https://gist.github.com/nasbench/ca6ef95db04ae04ffd1e0b1ce709cadd
 9author: Daniel Cortez
10date: 2024-06-04
11tags:
12    - attack.defense-evasion
13    - attack.command-and-control
14    - attack.t1105
15logsource:
16    category: process_creation
17    product: macos
18detection:
19    selection:
20        Image|endswith: '/nscurl'
21        CommandLine|contains:
22            - '--download '
23            - '--download-directory '
24            - '--output '
25            - '-dir '
26            - '-dl '
27            - '-ld'
28            - '-o '
29    condition: selection
30falsepositives:
31    - Legitimate usage of nscurl by administrators and users.
32level: medium

References

Related rules

to-top