Apple Script Execution followed by Network Connection
Detects execution via the Apple script interpreter (osascript) followed by a network connection from the same process within a short time period. Adversaries may use malicious scripts for execution and command and control.
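# Elastic prebuilt detection rule. [metadata] is bookkeeping for the rule
# packaging tooling; [rule] is what the detection engine actually loads.
[metadata]
creation_date = "2020/12/07"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
Detects execution via the Apple script interpreter (osascript) followed by a network connection from the same process
within a short time period. Adversaries may use malicious scripts for execution and command and control.
"""
# Look-back window per rule run. It is much wider than the 30s sequence
# maxspan below, presumably to absorb ingest/scheduling lag so a sequence
# straddling two runs is not missed — confirm against the rule interval.
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Apple Script Execution followed by Network Connection"
references = [
    "https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html",
    "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml",
]
risk_score = 47
rule_id = "47f76567-d58a-4fed-b32b-21f571e28910"
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Data Source: Elastic Defend"]
type = "eql"

# Two-step EQL sequence correlated per host and per process instance
# (host.id, process.entity_id): an osascript process starts, then the same
# process emits a network event within 30 seconds.
# The cidrmatch list mirrors the IANA special-purpose IPv4 registry linked in
# `references` (private, loopback, link-local, CGNAT, documentation, multicast,
# reserved) plus IPv6 loopback, link-local and multicast, so only connections
# to routable public destinations raise an alert; localhost and LAN traffic
# from scripts does not. Trim this list with care — each removed range widens
# the alerting surface to internal traffic.
# NOTE(review): `destination.ip != "::1"` is already covered by "::1" inside
# the cidrmatch list, so it is redundant but harmless. `event.type != "end"`
# presumably keeps connection-teardown events from firing a second alert for
# the same connection — confirm against the endpoint network event schema.
query = '''
sequence by host.id, process.entity_id with maxspan=30s
 [process where host.os.type == "macos" and event.type == "start" and process.name == "osascript"]
 [network where host.os.type == "macos" and event.type != "end" and process.name == "osascript" and destination.ip != "::1" and
 not cidrmatch(destination.ip,
 "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32",
 "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24",
 "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24",
 "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10", "FF00::/8")]
'''

# ATT&CK mapping. One [[rule.threat]] entry per tactic; the first step of the
# sequence (osascript start) maps to Execution, the second (outbound
# connection) to Command and Control.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.002"
name = "AppleScript"
reference = "https://attack.mitre.org/techniques/T1059/002/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1105"
name = "Ingress Tool Transfer"
reference = "https://attack.mitre.org/techniques/T1105/"

[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"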
Related rules
- MacOS Installer Package Spawns Network Event
- Apple Scripting Execution with Administrator Privileges
- Creation of Hidden Login Item via Apple Script
- EggShell Backdoor Execution
- Execution via Electron Child Process Node.js Module