
Summary
This detection rule identifies the use of the command-line tool curl (or its variant nscurl) on macOS systems to connect to Google Apps Script endpoints. Threat actors abuse these endpoints to download malicious payloads, relying on the trust associated with Google URLs to slip past security controls. The rule captures such activity by monitoring specific process attributes and network traffic to surface potential command and control (C2) communications. An investigation guide helps analysts assess each alert accurately and confirm whether the detected activity reflects a legitimate use case or a potential compromise. False positives are analyzed in detail, identifying the scenarios in which business processes might legitimately use Google Apps Script. The rule also emphasizes proactive response measures so that detected incidents are addressed promptly and potential breaches are contained.
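As an added illustration of the detection logic the summary describes (this is not the rule's own query, which the page does not show), the following Python snippet evaluates constructed macOS process events and flags curl or nscurl launches whose command line targets an Apps Script URL, keeping the parent process as triage context for the false-positive review. The host names script.google.com and script.googleusercontent.com, the event field names, and the sample events are assumptions.

```python
import json
import re
from urllib.parse import urlparse

# Process names the rule watches; both ship on macOS.
CURL_NAMES = {"curl", "nscurl"}
# Assumption: Apps Script web apps and their redirected content are served
# from these Google hosts (the page names no specific domain).
APPS_SCRIPT_HOSTS = {"script.google.com", "script.googleusercontent.com"}

# Constructed macOS process-start events (JSON lines), not real telemetry.
SAMPLE_EVENTS = """
{"host_os":"macos","process":"curl","parent":"bash","args":["curl","-fsSL","https://script.google.com/macros/s/EXAMPLE_ID/exec","-o","/tmp/update"]}
{"host_os":"macos","process":"curl","parent":"Terminal","args":["curl","https://example.com/index.html"]}
{"host_os":"macos","process":"nscurl","parent":"sh","args":["nscurl","--ats-diagnostics","https://script.google.com/macros/s/EXAMPLE_ID/exec"]}
{"host_os":"linux","process":"curl","parent":"bash","args":["curl","https://script.google.com/macros/s/EXAMPLE_ID/exec"]}
{"host_os":"macos","process":"Python","parent":"launchd","args":["python3","fetch.py","https://script.google.com/x"]}
""".strip().splitlines()

URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)

def apps_script_urls(args):
    """Return every Apps Script URL found anywhere in a command line."""
    found = []
    for token in args:
        for url in URL_RE.findall(token):
            host = (urlparse(url).hostname or "").lower()
            if host in APPS_SCRIPT_HOSTS:
                found.append(url)
    return found

def matches_rule(event):
    """True when a macOS curl/nscurl process targets an Apps Script endpoint."""
    if event.get("host_os") != "macos":
        return False
    if event.get("process", "").lower() not in CURL_NAMES:
        return False
    return bool(apps_script_urls(event.get("args", [])))

def run_detection(lines):
    """Evaluate JSON-line events; return alerts with parent process for triage."""
    alerts = []
    for line in lines:
        event = json.loads(line)
        if matches_rule(event):
            alerts.append({"process": event["process"], "parent": event.get("parent"),
                           "urls": apps_script_urls(event["args"])})
    return alerts
```

Only the first and third sample events fire: the Linux host and the Python interpreter are out of scope for this rule, and the plain curl to example.com is not an Apps Script fetch.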
Categories
- Endpoint
Data Sources
- Process
- Network Traffic
ATT&CK Techniques
- T1105
- T1102
- T1102.002
Created: 2026-01-30