diff --git a/eqllib/analytics/command-and-control/t1105-curl-download-bundlore.toml b/eqllib/analytics/command-and-control/t1105-curl-download-bundlore.toml
new file mode 100644
index 0000000..c6f276f
--- /dev/null
+++ b/eqllib/analytics/command-and-control/t1105-curl-download-bundlore.toml
@@ -0,0 +1,18 @@
+[analytic.metadata]
+categories = ["detect"]
+confidence = "high"
+contributors = ["Tony Lambert"]
+created_date = "05/17/2019"
+description = "Identifies curl with command line options indicating OSX/Bundlore downlods."
+id = "b25aa548-7937-11e9-8f5c-d46d6d62a49e"
+name = "Curl OSX/Bundlore Download"
+os = ["macos"]
+tactics = ["Remote File Copy"]
+techniques = ["T1105"]
+updated_date = "05/17/2019"
+
+[analytic]
+query = '''
+process where subtype.create and
+ process_name == "curl" and command_line == "*mmstub.tar.gz*"
+'''
diff --git a/eqllib/analytics/command-and-control/t1105-curl-download-shlayer.toml b/eqllib/analytics/command-and-control/t1105-curl-download-shlayer.toml
new file mode 100644
index 0000000..3232780
--- /dev/null
+++ b/eqllib/analytics/command-and-control/t1105-curl-download-shlayer.toml
@@ -0,0 +1,18 @@
+[analytic.metadata]
+categories = ["detect"]
+confidence = "high"
+contributors = ["Tony Lambert"]
+created_date = "05/17/2019"
+description = "Identifies curl with command line options indicating OSX/Shlayer downlods."
+id = "74085e16-7937-11e9-8f5c-d46d6d62a49e"
+name = "Curl OSX/Shlayer Download"
+os = ["macos"]
+tactics = ["Remote File Copy"]
+techniques = ["T1105"]
+updated_date = "05/17/2019"
+
+[analytic]
+query = '''
+process where subtype.create and
+ process_name == "curl" and command_line == "*-f0L*"
+'''
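Review bot: The `description` value in this hunk misspells "downloads" as "downlods", and the same typo is in the second hunk (t1105-curl-download-shlayer.toml); the Bundlore description also says "command line options" although its query matches the archive name `*mmstub.tar.gz*` rather than any option. Suggest `description = "Identifies curl with a command line indicating an OSX/Bundlore download (mmstub.tar.gz)."` here and `description = "Identifies curl with command line options indicating an OSX/Shlayer download."` in the Shlayer file. Each query keys on a single literal wildcard string, so a one-line comment above `query` stating that this is a signature-style match on the indicator observed in the sample, and why that still merits `confidence = "high"`, would let a reader judge the analytic's coverage and false-positive profile without reading the original report.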