Apple Script Execution followed by Network Connection
Detects execution via the Apple script interpreter (osascript) followed by a network connection from the same process within a short time period. Adversaries may use malicious scripts for execution and command and control.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2020/12/07"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Detects execution via the Apple script interpreter (osascript) followed by a network connection from the same process
within a short time period. Adversaries may use malicious scripts for execution and command and control.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Apple Script Execution followed by Network Connection"
references = [
    "https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html",
    "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml",
]
risk_score = 47
rule_id = "47f76567-d58a-4fed-b32b-21f571e28910"
setup = """## Setup

This rule requires data coming in from Elastic Defend.

### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.

#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).

#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Command and Control",
    "Tactic: Execution",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
type = "eql"

query = '''
sequence by host.id, process.entity_id with maxspan=30s
  [process where host.os.type == "macos" and event.type == "start" and process.name == "osascript"]
  [network where host.os.type == "macos" and event.type != "end" and process.name == "osascript" and destination.ip != "::1" and
    not cidrmatch(destination.ip,
      "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32",
      "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24",
      "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24",
      "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10", "FF00::/8")]
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Apple Script Execution followed by Network Connection

AppleScript, a scripting language for macOS, automates tasks by controlling applications and system functions. Adversaries exploit it to execute scripts that establish unauthorized network connections, facilitating command and control activities. The detection rule identifies such abuse by monitoring the osascript process for script execution followed by network activity, excluding local and private IP ranges, within a short timeframe.

### Possible investigation steps

- Review the process details for the osascript execution event, focusing on the process.entity_id and host.id to understand the context of the script execution.
- Examine the network connection details associated with the osascript process, particularly the destination IP address, to determine if it is known or suspicious, and check if it falls outside the excluded IP ranges.
- Investigate the script content or command line arguments used in the osascript execution to identify any potentially malicious or unexpected behavior.
- Check the timeline of events to see if there are any other related or suspicious activities occurring on the same host around the time of the osascript execution and network connection.
- Correlate the osascript activity with any other alerts or logs from the same host to identify patterns or additional indicators of compromise.
- Assess the user account associated with the osascript process to determine if it is a legitimate user or if there are signs of account compromise.

### False positive analysis

- Legitimate automation scripts may trigger the rule if they execute osascript and establish network connections. Review the script's purpose and source to determine if it is authorized.
- System management tools that use AppleScript for remote administration can cause false positives. Identify these tools and consider creating exceptions for their known processes.
- Software updates or applications that use AppleScript for network communication might be flagged. Verify the application's legitimacy and update the rule to exclude these specific processes or IP addresses.
- Development environments that utilize AppleScript for testing or deployment may inadvertently match the rule. Ensure these environments are recognized and excluded from monitoring if they are trusted.
- Regularly review and update the list of excluded IP ranges and processes to ensure they reflect the current network and application landscape, minimizing unnecessary alerts.

### Response and remediation

- Immediately isolate the affected macOS host from the network to prevent further unauthorized access or data exfiltration.
- Terminate the osascript process identified in the alert to stop any ongoing malicious activity.
- Conduct a thorough review of the executed AppleScript to identify any malicious commands or payloads and remove any associated files or scripts from the system.
- Reset credentials for any accounts that were accessed or could have been compromised during the incident.
- Apply security patches and updates to the macOS system to address any vulnerabilities that may have been exploited.
- Monitor network traffic for any further suspicious activity originating from the affected host or similar patterns across other systems.
- Escalate the incident to the security operations team for further investigation and to determine if additional systems have been compromised."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.002"
name = "AppleScript"
reference = "https://attack.mitre.org/techniques/T1059/002/"



[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1105"
name = "Ingress Tool Transfer"
reference = "https://attack.mitre.org/techniques/T1105/"


[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
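To make the sequence semantics concrete, the following Python model of the rule's query is an added example (not Elastic's code and not how the EQL engine is implemented) that replays constructed, ECS-style events through the same three checks: a macOS osascript process start, a later non-"end" network event from the same host.id and process.entity_id within 30 seconds, and a destination outside the rule's cidrmatch list. The sample events are fabricated, and 5.6.7.8 is a placeholder for any routable address. Two cases in the sample are worth noting when triaging or tuning: a script that runs `do shell script "curl ..."` does not trigger the rule, because the socket belongs to the child curl process and its own process.entity_id, so the join on process.entity_id never completes; the rule fires only when osascript itself opens the socket, which is what happens with AppleScriptObjC code that calls Foundation networking APIs in-process. The model keeps only the most recent unmatched start per key, which is a simplification of EQL's candidate tracking.

```python
import ipaddress
from datetime import datetime, timedelta

# Destination ranges the rule excludes, copied from its cidrmatch() list.
EXCLUDED_RANGES = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",
    "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32",
    "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16",
    "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10", "FF00::/8",
)]
MAXSPAN = timedelta(seconds=30)  # the rule's "with maxspan=30s"


def cidrmatch(ip, networks):
    """EQL-style cidrmatch(): True if ip lies in any network (v4 and v6 never cross-match)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def is_osascript_start(e):
    """Stage 1 of the sequence: a macOS process start event for osascript."""
    return (e["event.category"] == "process" and e["host.os.type"] == "macos"
            and e["event.type"] == "start" and e["process.name"] == "osascript")


def is_external_osascript_connection(e):
    """Stage 2: a non-"end" network event from osascript to a non-excluded destination."""
    return (e["event.category"] == "network" and e["host.os.type"] == "macos"
            and e["event.type"] != "end" and e["process.name"] == "osascript"
            and e["destination.ip"] != "::1"
            and not cidrmatch(e["destination.ip"], EXCLUDED_RANGES))


def run_sequence(events, maxspan=MAXSPAN):
    """Join stage 1 and stage 2 on (host.id, process.entity_id) within maxspan.

    Simplification: only the most recent unmatched start per key is kept; a stage-2
    event outside maxspan discards that start, as the EQL engine would.
    """
    pending, matches = {}, []
    for e in sorted(events, key=lambda ev: ev["@timestamp"]):
        key = (e["host.id"], e["process.entity_id"])
        if is_osascript_start(e):
            pending[key] = e
        elif is_external_osascript_connection(e) and key in pending:
            start = pending.pop(key)
            if e["@timestamp"] - start["@timestamp"] <= maxspan:
                matches.append((start, e))
    return matches


T0 = datetime(2025, 1, 15, 10, 0, 0)


def _ev(offset_s, category, entity, name, extra=None):
    """Build one constructed ECS-style event dict (fabricated, not real telemetry)."""
    e = {"@timestamp": T0 + timedelta(seconds=offset_s), "host.id": "mac-01",
         "host.os.type": "macos", "event.category": category, "event.type": "start",
         "process.entity_id": entity, "process.name": name}
    e.update(extra or {})
    return e


# Constructed sample telemetry; 5.6.7.8 stands in for any routable destination.
SAMPLE_EVENTS = [
    # p1: osascript only talks to a LAN host -> excluded by cidrmatch
    _ev(0, "process", "p1", "osascript"),
    _ev(2, "network", "p1", "osascript", {"destination.ip": "192.168.1.10"}),
    # p2: osascript itself (e.g. AppleScriptObjC) connects out 12 s after start -> ALERT
    _ev(10, "process", "p2", "osascript"),
    _ev(22, "network", "p2", "osascript", {"destination.ip": "5.6.7.8"}),
    # p3: `do shell script "curl ..."`: the socket belongs to curl's entity_id -> no join
    _ev(40, "process", "p3", "osascript"),
    _ev(41, "network", "p3-curl", "curl", {"destination.ip": "5.6.7.8"}),
    # p4: connection 50 s after start -> outside maxspan
    _ev(60, "process", "p4", "osascript"),
    _ev(110, "network", "p4", "osascript", {"destination.ip": "5.6.7.8"}),
    # p5: only a socket close is seen -> event.type == "end" is excluded
    _ev(120, "process", "p5", "osascript"),
    _ev(125, "network", "p5", "osascript", {"destination.ip": "5.6.7.8", "event.type": "end"}),
]

if __name__ == "__main__":
    for start, conn in run_sequence(SAMPLE_EVENTS):
        delta = (conn["@timestamp"] - start["@timestamp"]).seconds
        print(f"ALERT host={conn['host.id']} entity={conn['process.entity_id']} "
              f"dst={conn['destination.ip']} {delta}s after osascript start")
```

Running the script reports a single alert, for entity p2. When tuning the rule for the false-positive cases the guide lists, the same harness makes it easy to confirm that an added process or destination exclusion removes the benign case without silencing the in-process connection the rule is meant to catch.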
Related rules
- MacOS Installer Package Spawns Network Event
- AWS SSM `SendCommand` with Run Shell Command Parameters
- Apple Scripting Execution with Administrator Privileges
- Creation of Hidden Login Item via Apple Script
- EggShell Backdoor Execution