curl

macOS download T1105

Transfer data from servers. macOS ships with curl by default. Used for C2, payload download, and exfiltration.

Binary Paths

/usr/bin/curl

Glob Patterns

Pattern	Wildcards	Notes
`cur?`	?	Single wildcard replaces 'l'
`c*l`	*	Star matches 'ur'
`cu[r]l`	[]	Bracket class on third char
`c?r?`	?	Two wildcards
`/usr/bin/cur?`	?	Full path wildcard
`/???/bin/curl`	?	Directory obfuscation
`/???/???/c*l`	? *	Full path with mixed wildcards

Platform Notes

zsh (default shell on macOS) has stricter glob behavior than bash. By default, zsh will error if a glob matches no files (nomatch error). Use setopt NO_NOMATCH or noglob prefix to suppress. Also, zsh supports extended globs with setopt EXTENDED_GLOB.

Resources

https://attack.mitre.org/techniques/T1105/
https://curl.se/docs/manpage.html