LoFP / legitimate usage of nscurl by administrators and users.

Techniques

t1105

Sample rules

File Download Via Nscurl - MacOS

source: sigma
technicques:
- t1105

Description

Detects the execution of the nscurl utility in order to download files.

Detection logic

condition: selection
selection:
  CommandLine|contains:
  - '--download '
  - '--download-directory '
  - '--output '
  - '-dir '
  - '-dl '
  - -ld
  - '-o '
  Image|endswith: /nscurl