AN0167: Analytic 0167
Process execution of curl or wget followed by a network connection and a file created in temporary or user-specific directories.
Analyst context for executives and security teams
This analytic is useful because it focuses on a common macOS pattern that can indicate downloaded content being staged locally: curl or wget runs, makes a network connection, and creates a file in a temporary or user-specific directory. For leaders, the value is not the tool names alone—curl and wget are legitimate—but whether the organization can correlate process, network, and file evidence quickly enough to distinguish routine administration from suspicious download-and-stage activity.
Executive priority
Prioritize this as a coverage-validation item for macOS monitoring and incident readiness. It helps answer whether SOC and IR teams can prove what downloaded a file, where it came from, and where it landed. That evidence supports business continuity decisions during an investigation, audit defensibility for endpoint logging, and practical control prioritization around macOS endpoint visibility. Because ATT&CK supplies no tactic, relationship, or mitigation context for this object, it should be treated as a detection building block rather than a standalone risk conclusion.
Technical view
For macOS, validate whether detection logic can correlate three events in sequence: execution of curl or wget, an associated outbound network connection, and creation of a file in temporary or user-specific directories. The analytic should not alert on process name alone; curl and wget are widely used by administrators, developers, scripts, and software management workflows. SOC teams should tune around expected automation, known management paths, recurring destinations, parent processes, command-line context where available, and whether the created file location is unusual for the initiating user or process. No official detection implementation is provided, so local telemetry quality and correlation capability determine usefulness.
Likely telemetry
- macOS process execution events for curl and wget
- Process command-line, parent process, user, and working directory metadata where collected
- Outbound network connection metadata tied to the initiating process
- File creation events in temporary directories
- File creation events in user-specific directories
Detection direction
- Confirm that endpoint telemetry can join process execution, network connection, and file creation events on macOS within a defensible time window.
- Tune out known administrative, developer, update, and management workflows that legitimately use curl or wget.
- Review parent process and user context to separate expected scripted activity from unusual interactive or application-launched downloads.
- Validate visibility into temporary and user-specific directories, since the analytic depends on file creation location.
- Avoid treating curl or wget execution alone as high confidence; the supplied analytic depends on the full behavioral chain.
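The correlation the Technical view and the Detection direction list describe can be prototyped on a small event stream before it is committed to a SIEM rule. The block below is an added example written for this page, not MITRE or Glexia detection content: it joins process execution, network connection and file creation events by pid within a time window, requires the created file to land in a temporary or user-specific macOS directory, and suppresses chains whose parent process is on a local allow-list. The event field names (`type`, `ts`, `pid`, `parent`, `dest_ip`, `path`) and the sample events are constructed for the illustration and are not any vendor's telemetry schema; the staging-directory patterns are a starting point to tune, not an authoritative list.

```python
"""Correlate curl/wget execution, network connection and file creation.

Added example for the AN0167 analytic; the event schema below is an
assumption made for this illustration, not a real EDR or ATT&CK format.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

DOWNLOADERS = {"curl", "wget"}

# Temporary (/tmp, /var/folders, with or without the /private prefix) and
# user-specific (/Users/<name>/...) locations. Constructed patterns; tune locally.
STAGING_PATH_RE = re.compile(r"^(/private)?/(tmp|var/folders)/|^/Users/[^/]+/")


def is_staging_path(path: str) -> bool:
    """True if the created file lands in a temp or user-specific directory."""
    return STAGING_PATH_RE.search(path) is not None


@dataclass
class Alert:
    pid: int
    process: str
    user: str
    parent: str
    cmdline: str
    dest: str
    path: str


def correlate(events: List[Dict], window_s: float = 60.0,
              allowed_parents: Optional[Set[str]] = None) -> List[Alert]:
    """One Alert per pid where curl/wget execution is followed, within
    window_s, by a network connection and then a staging-directory file
    creation. Chains whose parent is allow-listed are dropped as tuning."""
    allowed_parents = allowed_parents or set()
    by_pid: Dict[int, List[Dict]] = {}
    for ev in sorted(events, key=lambda e: e["ts"]):  # chronological per pid
        by_pid.setdefault(ev["pid"], []).append(ev)

    alerts: List[Alert] = []
    for pid, evs in by_pid.items():
        exec_ev = next((e for e in evs if e["type"] == "process_exec"
                        and e["process"] in DOWNLOADERS), None)
        if exec_ev is None or exec_ev["parent"] in allowed_parents:
            continue  # no downloader, or a known management/developer workflow
        deadline = exec_ev["ts"] + window_s
        net_ev = next((e for e in evs if e["type"] == "net_connect"
                       and exec_ev["ts"] <= e["ts"] <= deadline), None)
        if net_ev is None:
            continue  # execution alone is not enough for this analytic
        file_ev = next((e for e in evs if e["type"] == "file_create"
                        and net_ev["ts"] <= e["ts"] <= deadline
                        and is_staging_path(e["path"])), None)
        if file_ev is None:
            continue  # no staged file, or written outside temp/user dirs
        alerts.append(Alert(pid=pid, process=exec_ev["process"],
                            user=exec_ev["user"], parent=exec_ev["parent"],
                            cmdline=exec_ev.get("cmdline", ""),
                            dest=f"{net_ev['dest_ip']}:{net_ev['dest_port']}",
                            path=file_ev["path"]))
    return alerts


# Constructed sample telemetry (RFC 5737 documentation addresses).
SAMPLE_EVENTS = [
    # chain 1: curl from an interactive shell stages a file in /private/tmp -> alert
    {"type": "process_exec", "ts": 100.0, "pid": 4242, "process": "curl",
     "parent": "bash", "user": "alice",
     "cmdline": "curl -sL https://198.51.100.7/archive.tgz -o /private/tmp/archive.tgz"},
    {"type": "net_connect", "ts": 100.4, "pid": 4242, "dest_ip": "198.51.100.7", "dest_port": 443},
    {"type": "file_create", "ts": 101.1, "pid": 4242, "path": "/private/tmp/archive.tgz"},
    # chain 2: same shape, but the parent is an allow-listed package manager -> suppressed
    {"type": "process_exec", "ts": 200.0, "pid": 5150, "process": "curl",
     "parent": "brew", "user": "alice", "cmdline": "curl (assumed brew download)"},
    {"type": "net_connect", "ts": 200.3, "pid": 5150, "dest_ip": "203.0.113.20", "dest_port": 443},
    {"type": "file_create", "ts": 200.9, "pid": 5150, "path": "/private/var/folders/ab/T/brew-download"},
    # chain 3: wget writes outside temp/user directories -> no alert
    {"type": "process_exec", "ts": 300.0, "pid": 6006, "process": "wget",
     "parent": "zsh", "user": "bob", "cmdline": "wget (assumed)"},
    {"type": "net_connect", "ts": 300.2, "pid": 6006, "dest_ip": "203.0.113.30", "dest_port": 80},
    {"type": "file_create", "ts": 300.8, "pid": 6006, "path": "/opt/local/share/data.csv"},
    # chain 4: curl execution with no network or file follow-up -> no alert
    {"type": "process_exec", "ts": 400.0, "pid": 7007, "process": "curl",
     "parent": "zsh", "user": "bob", "cmdline": "curl --version"},
    # chain 5: staged file created long after the window -> no alert
    {"type": "process_exec", "ts": 500.0, "pid": 8008, "process": "curl",
     "parent": "zsh", "user": "bob", "cmdline": "curl (assumed)"},
    {"type": "net_connect", "ts": 500.5, "pid": 8008, "dest_ip": "203.0.113.40", "dest_port": 443},
    {"type": "file_create", "ts": 700.0, "pid": 8008, "path": "/Users/bob/Downloads/late.bin"},
]


def run_sample() -> List[Alert]:
    """Run the correlation over the constructed events with 'brew' tuned out."""
    return correlate(SAMPLE_EVENTS, window_s=60.0, allowed_parents={"brew"})


if __name__ == "__main__":
    for a in run_sample():
        print(f"pid={a.pid} {a.process} user={a.user} parent={a.parent} "
              f"dest={a.dest} staged={a.path}")
```

Only chain 1 survives: chain 2 is removed by the parent allow-list rather than by the logic, which is the tuning step the page recommends; chains 3 to 5 fail the path, network and window conditions respectively. Dropping the allow-list makes the brew chain alert as well, which is a quick way to measure how much benign volume a given baseline removes.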
Mitigation priorities
- First, ensure macOS endpoint logging captures process, network, and file creation evidence needed for the analytic.
- Next, baseline legitimate curl and wget usage by administrators, developer tools, scripts, and management agents.
- Then, use least-privilege and endpoint control reviews to reduce unnecessary user or process ability to stage files in sensitive workflows where appropriate.
- Finally, incorporate this analytic into IR playbooks so responders know how to collect the downloaded file path, source connection details, executing user, and parent process before making containment decisions.
Analyst notes and limits
This object is a detection analytic, not a technique. Its practical value is correlation: curl or wget execution followed by network activity and file creation in temporary or user-specific locations on macOS. The absence of supplied relationships means there is no ATT&CK-linked procedure, software, group, tactic, or mitigation context to elevate priority beyond macOS detection engineering and IR evidence readiness.
Official detection content is not provided, tactics are not specified, and no relationship context is supplied. The summary cannot infer attacker intent, impact, prevalence, active exploitation, attribution, or coverage. Local environment baselines are required because curl and wget are legitimate tools and may generate substantial benign activity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 60e9ab9ec6f6… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0167 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.