Persistence (TA0003)(external, opens in a new tab or window)
Command and Control (TA0011)(external, opens in a new tab or window)
text code block:sequence with maxspan=10s [process where host.os.type == "macos" and event.type == "start" and event.action == "exec" and process.name in ("bash", "zsh", "sh") and process.args in ("-zsh", "-sh", "-bash") and process.args_count == 1 and process.parent.name == "login"] by process.entity_id [process where host.os.type == "macos" and event.type == "start" and event.action == "exec" and process.name in ("curl", "nscurl") and process.args in ("-o", "--output", "--download", "-dl", "-dir", "--directory", "-F", "--form") and not process.args like ("https://upload.elastic.co*", "https://vault-ci-prod.elastic.dev", "https://artifacts.elastic.co*")] by process.parent.entity_id
Install detection rules in Elastic Security
Detect Curl Execution via Shell Profile in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).