curl

macOS download T1105

Transfer data from servers. macOS ships with curl by default. Used for C2, payload download, and exfiltration.

Binary Paths

  • /usr/bin/curl

Glob Patterns

Pattern          Notes
cur?             Single wildcard replaces 'l'
c*l              Star matches 'ur'
cu[r]l           Bracket class on third char
c?r?             Two wildcards
/usr/bin/cur?    Full path wildcard
/???/bin/curl    Directory obfuscation
/???/???/c*l     Full path with mixed wildcards
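
For detection, the patterns above can be recognised by checking whether a command-line token containing glob metacharacters would expand to the curl binary. The following is an added example, not part of the original page or any tool it describes; the function names and sample command lines are constructed for illustration, and wildcards are matched one path segment at a time as the shell does.

```python
import fnmatch
import shlex

CURL_PATH = "/usr/bin/curl"  # binary path listed on this page
GLOB_CHARS = set("*?[")

def glob_resolves_to(token, target=CURL_PATH):
    """True if token holds glob metacharacters and would expand to target."""
    if not GLOB_CHARS & set(token):
        return False  # literal name or path: ordinary process rules cover it
    if "/" not in token:
        # Bare pattern: the shell expands it against the current directory,
        # so compare with the binary's file name only.
        return fnmatch.fnmatchcase(target.rsplit("/", 1)[1], token)
    pat_parts, tgt_parts = token.split("/"), target.split("/")
    # Shell wildcards never cross "/", so match one path segment at a time.
    return len(pat_parts) == len(tgt_parts) and all(
        fnmatch.fnmatchcase(t, p) for p, t in zip(pat_parts, tgt_parts))

def flag_command_lines(lines):
    """Return the command lines in which any token globs to curl."""
    hits = []
    for line in lines:
        try:
            tokens = shlex.split(line)
        except ValueError:  # unbalanced quotes: fall back to whitespace split
            tokens = line.split()
        if any(glob_resolves_to(tok) for tok in tokens):
            hits.append(line)
    return hits

# Constructed sample command lines (not real telemetry).
SAMPLE = [
    "/???/bin/curl -s https://example.invalid/a",
    "cu[r]l -o /tmp/out https://example.invalid/b",
    "/usr/bin/curl https://example.invalid/c?x=1",
    "ls *.txt",
]

if __name__ == "__main__":
    for hit in flag_command_lines(SAMPLE):
        print("glob-obfuscated curl:", hit)
```

The check applies to the command line as typed (shell history, audit of the parent shell's arguments); once the shell has expanded the glob, process telemetry shows only the resolved path.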


YARA Rule

Auto-generated detection rule for curl

      

Platform Notes

zsh (the default shell on macOS) has stricter glob behavior than bash. By default, zsh raises an error if a glob matches no files (the nomatch error). Use setopt NO_NOMATCH or the noglob prefix to suppress it. zsh also supports extended globs with setopt EXTENDED_GLOB.
