
Summary
This detection rule identifies execution of the nscurl utility on macOS with command-line options that indicate a file download. nscurl is a Foundation-based networking utility similar to cURL that is present by default on macOS (/usr/bin/nscurl); like cURL, it can be misused to fetch malicious payloads onto a host or to push data to an attacker-controlled server, and because the binary is already on the system it needs no additional tooling to be staged. The rule operates on process creation logs and uses a narrow match: the process image must end with '/nscurl' and the command line must contain a term that indicates a download operation, such as '--download', '--output', or variations thereof. Invocations of nscurl without such a term (for example diagnostic checks that only connect to a URL) do not match. The medium severity level reflects that the rule can fire on legitimate administrative use of nscurl while still flagging activity that warrants investigation. Administrators should correlate each alert with the invoking user, the parent process and the target URL, compare these against known legitimate usage of nscurl in their environment, and tune the rule or add exclusions accordingly to keep false positives manageable.
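The detection logic described above, run over a handful of constructed process-creation events, as an added example that is not part of the rule or its repository. It assumes the Sigma process_creation field names Image and CommandLine, uses only the two download terms the summary names (the shipped rule may match further variants, so the term list is an assumption and the place to extend), and applies case-insensitive substring matching, which is Sigma's default for the contains modifier. The sample JSON lines are made up for the demonstration and are not real telemetry.

```python
import json

# Terms the rule summary names as download indicators. The shipped rule may
# match additional variants; this tuple is an assumption and is where to extend.
DOWNLOAD_TERMS = ("--download", "--output")


def is_nscurl_download(event: dict) -> bool:
    """Return True when a process-creation event matches the rule logic:
    Image ends with '/nscurl' AND CommandLine contains a download term.
    Both comparisons are case-insensitive, mirroring Sigma's default matching."""
    image = str(event.get("Image", "")).lower()
    cmdline = str(event.get("CommandLine", "")).lower()
    if not image.endswith("/nscurl"):
        return False
    return any(term in cmdline for term in DOWNLOAD_TERMS)


# Constructed sample events (JSON lines) using the Sigma process_creation field
# names Image / CommandLine plus User and ParentImage for triage. Not real data.
SAMPLE_LOG = """\
{"Image": "/usr/bin/nscurl", "CommandLine": "nscurl --download https://files.example.com/update.pkg", "User": "alice", "ParentImage": "/bin/zsh"}
{"Image": "/usr/bin/nscurl", "CommandLine": "nscurl --ats-diagnostics https://api.example.com", "User": "dev", "ParentImage": "/bin/zsh"}
{"Image": "/usr/bin/curl", "CommandLine": "curl --output /tmp/tool https://files.example.com/tool", "User": "alice", "ParentImage": "/bin/zsh"}
{"Image": "/usr/bin/nscurl", "CommandLine": "nscurl --OUTPUT /tmp/agent https://cdn.example.net/agent", "User": "svc", "ParentImage": "/usr/bin/python3"}
{"Image": "/usr/bin/nscurl", "CommandLine": "nscurl --verbose https://api.example.com/health", "User": "dev", "ParentImage": "/bin/zsh"}
"""


def scan_log(log_text: str) -> list:
    """Parse JSON-lines process events and return the matching events, each
    reduced to the fields an analyst needs to start correlating the alert."""
    hits = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip a malformed line rather than abort the whole scan
        if is_nscurl_download(event):
            hits.append({
                "User": event.get("User"),
                "ParentImage": event.get("ParentImage"),
                "CommandLine": event.get("CommandLine"),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"ALERT user={hit['User']} parent={hit['ParentImage']} "
              f"cmd={hit['CommandLine']!r}")
```

Only the first and fourth sample events match: the ATS diagnostics run and the plain '--verbose' fetch are nscurl executions without a download term, and the cURL line has the wrong image, which shows that the rule is narrower than "any nscurl execution". The User and ParentImage fields carried into each hit are the starting point for the correlation the summary recommends; a download spawned from a scripting interpreter under a service account deserves a closer look than one typed at a shell by an administrator.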
Categories
- macOS
- Endpoint
Data Sources
- Process
Created: 2024-06-04