File Download Via Nscurl - MacOS

 1title: File Download Via Nscurl - MacOS
 2id: 6d8a7cf1-8085-423b-b87d-7e880faabbdf
 3status: experimental
 4description: Detects the execution of the nscurl utility in order to download files.
 5references:
 6    - https://www.loobins.io/binaries/nscurl/
 7    - https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl
 8    - https://gist.github.com/nasbench/ca6ef95db04ae04ffd1e0b1ce709cadd
 9author: Daniel Cortez
10date: 2024/06/04
11tags:
12    - attack.defense_evasion
13    - attack.command_and_control
14    - attack.t1105
15logsource:
16    category: process_creation
17    product: macos
18detection:
19    selection:
20        Image|endswith: '/nscurl'
21        CommandLine|contains:
22            - '--download '
23            - '--download-directory '
24            - '--output '
25            - '-dir '
26            - '-dl '
27            - '-ld'
28            - '-o '
29    condition: selection
30falsepositives:
31    - Legitimate usage of nscurl by administrators and users.
32level: medium

References

• nscurl

  

  Download, upload, and read files.

  
  Read More

• How to Diagnose App Transport Security Issues using nscurl and OpenSSL

  

  Learn how to test the best possible options for App Transport Security on your #iOS or #macOS application using nscurl and #openSSL. #networking #iOSDev #secureNetworking #networkDebugging

  
  Read More

• Nscrurl Full Help

  

  Nscrurl Full Help. GitHub Gist: instantly share code, notes, and snippets.

  
  Read More

Related rules

• Curl Download And Execute Combination
• Import LDAP Data Interchange Format File Via Ldifde.EXE
• File Download Via Windows Defender MpCmpRun.EXE
• Password Protected ZIP File Opened (Suspicious Filenames)
• PrintBrm ZIP Creation of Extraction