
Curl Execution via Shell Profile

Elastic Detection Rules

Summary
This detection rule identifies instances where the curl command is executed from a user's shell profile (such as .zshrc or .bashrc) upon login. A curl command in a shell profile can indicate malicious intent, because it lets an attacker establish persistence and deliver a payload automatically each time the user opens a terminal session. The rule tracks executions of curl that include specific flags intended for downloading from a given URL, indicating potential unauthorized data retrieval or system compromise. In a macOS environment, the rule relies on analyzing process execution events that meet predefined conditions. The investigation guide accompanying the rule outlines the steps needed to validate a detection: reviewing shell profile modifications, analyzing process arguments, and checking for known malicious URLs. It also stresses understanding legitimate uses of curl in order to minimize false positives, since legitimate users may employ curl for benign tasks. Monitoring such executions matters because they can serve as beacons for persistence or as preparation for subsequent attacker-controlled commands.
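To make the detection logic described above concrete, here is an added Python example that is not the Elastic rule's own query. It evaluates constructed process-start events with ECS-like field names and flags a curl execution when (a) the parent is a login shell, which is the kind of shell that sources .zshrc/.bashrc, (b) the arguments carry a download flag, and (c) a URL is present. The login-shell heuristic (argv[0] prefixed with "-" or a -l/--login switch), the set of download flags, and the optional URL allow-list used to suppress known-benign updaters are assumptions for illustration; the sample events and hostnames are constructed.

```python
"""Illustrative check for curl launched from a login shell's profile.

Added example only: the matching heuristics below are assumptions, not the
published rule's query. Sample events are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Sequence

LOGIN_SHELLS = {"bash", "zsh", "sh"}                      # assumed shell set
DOWNLOAD_FLAGS = {"-o", "-O", "--output", "--remote-name"}  # assumed flag set
URL_SCHEMES = ("http://", "https://")


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal ECS-style view of a process start event."""
    user: str
    name: str                 # process.name
    args: Sequence[str]       # process.args
    parent_name: str          # process.parent.name
    parent_args: Sequence[str]  # process.parent.args


def is_login_shell(parent_name: str, parent_args: Sequence[str]) -> bool:
    """Login shells conventionally get argv[0] prefixed with '-' (e.g. '-zsh')
    or are invoked with -l/--login; these are the shells that source profiles."""
    if parent_name.lstrip("-") not in LOGIN_SHELLS:
        return False
    argv0 = parent_args[0] if parent_args else parent_name
    return argv0.startswith("-") or "-l" in parent_args or "--login" in parent_args


def has_download_flag(args: Sequence[str]) -> bool:
    """Match -o/-O/--output forms, including -o or -O inside a clustered
    short-option group such as '-fsSLo', which curl accepts."""
    for a in args:
        if a in DOWNLOAD_FLAGS or a.startswith("--output="):
            return True
        clustered = a.startswith("-") and not a.startswith("--") and len(a) > 2
        if clustered and any(ch in "oO" for ch in a[1:]):
            return True
    return False


def extract_urls(args: Sequence[str]) -> List[str]:
    return [a for a in args if a.startswith(URL_SCHEMES)]


def detect(events: Iterable[ProcessEvent],
           allowed_url_prefixes: Sequence[str] = ()) -> List[Dict[str, object]]:
    """Return one alert record per curl event that meets all conditions.
    Events whose URLs all fall under an allowed prefix are suppressed to
    reduce false positives from known-benign download tasks."""
    allowed = tuple(allowed_url_prefixes)
    alerts: List[Dict[str, object]] = []
    for ev in events:
        if ev.name != "curl" or not is_login_shell(ev.parent_name, ev.parent_args):
            continue
        urls = extract_urls(ev.args)
        if not urls or not has_download_flag(ev.args):
            continue
        if allowed and all(u.startswith(allowed) for u in urls):
            continue
        alerts.append({"user": ev.user, "parent": ev.parent_name,
                       "urls": urls, "command": " ".join(ev.args)})
    return alerts


# Constructed sample events (hostnames use the reserved .invalid TLD).
SAMPLE_EVENTS = [
    ProcessEvent("alice", "curl", ["curl", "-fsSL", "https://example.invalid/p.sh", "-o", "/tmp/p"],
                 "-zsh", ["-zsh"]),                       # login shell + download: alert
    ProcessEvent("alice", "curl", ["curl", "-s", "https://api.example.invalid/health"],
                 "-zsh", ["-zsh"]),                       # no download flag: ignore
    ProcessEvent("carol", "curl", ["curl", "-O", "https://example.invalid/f"],
                 "bash", ["bash", "deploy.sh"]),          # non-login script shell: ignore
    ProcessEvent("bob", "curl", ["curl", "-sSLo", "/tmp/u", "https://updates.example.invalid/u"],
                 "-bash", ["-bash"]),                     # clustered -o: alert unless allow-listed
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, allowed_url_prefixes=("https://updates.example.invalid/",)):
        print(alert)
```

Running the module alerts on alice's event only, because bob's URL falls under the allow-listed prefix; without the allow-list both are reported. Tuning that prefix list against observed legitimate curl use is the practical way to keep the false-positive rate down, as the investigation guide recommends.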
Categories
  • Endpoint
  • macOS
Data Sources
  • Process
  • Application Log
ATT&CK Techniques
  • T1546
  • T1546.004
  • T1105
Created: 2026-01-30