Shell Execution via Apple Scripting

  1[metadata]
  2creation_date = "2020/12/07"
  3integration = ["endpoint"]
  4maturity = "production"
  5updated_date = "2025/03/18"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies the execution of the shell process (sh) via scripting (JXA or AppleScript). Adversaries may use the
 11doShellScript functionality in JXA or do shell script in AppleScript to execute system commands.
 12"""
 13from = "now-9m"
 14index = ["logs-endpoint.events.process*"]
 15language = "eql"
 16license = "Elastic License v2"
 17name = "Shell Execution via Apple Scripting"
 18references = [
 19    "https://developer.apple.com/library/archive/technotes/tn2065/_index.html",
 20    "https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf",
 21]
 22risk_score = 47
 23rule_id = "d461fac0-43e8-49e2-85ea-3a58fe120b4f"
 24setup = """## Setup
 25
 26This rule requires data coming in from Elastic Defend.
 27
 28### Elastic Defend Integration Setup
 29Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
 30
 31#### Prerequisite Requirements:
 32- Fleet is required for Elastic Defend.
 33- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
 34
 35#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
 36- Go to the Kibana home page and click "Add integrations".
 37- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
 38- Click "Add Elastic Defend".
 39- Configure the integration name and optionally add a description.
 40- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
 41- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
 42- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
 43- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
 44For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
 45- Click "Save and Continue".
 46- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 47For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 48"""
 49severity = "medium"
 50tags = [
 51    "Domain: Endpoint",
 52    "OS: macOS",
 53    "Use Case: Threat Detection",
 54    "Tactic: Execution",
 55    "Data Source: Elastic Defend",
 56    "Resources: Investigation Guide",
 57]
 58type = "eql"
 59
 60query = '''
 61sequence by host.id with maxspan=10s
 62 [process where host.os.type == "macos" and event.type in ("start", "process_started") and event.action == "exec" and process.name == "osascript" and process.args == "-e"] by process.entity_id
 63 [process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name in ("sh", "bash", "zsh") and process.args == "-c" and process.command_line : ("*curl*", "*pbpaste*", "*http*", "*chmod*", "*nscurl*")] by process.parent.entity_id
 64'''
 65note = """## Triage and analysis
 66
 67> **Disclaimer**:
 68> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 69
 70### Investigating Shell Execution via Apple Scripting
 71
 72AppleScript and JXA are scripting languages used in macOS to automate tasks and control applications. Adversaries exploit these by executing shell commands through functions like `doShellScript`, enabling unauthorized actions such as data exfiltration or system modification. The detection rule identifies suspicious shell processes initiated by AppleScript, focusing on specific command patterns and rapid sequence execution, indicating potential misuse.
 73
 74### Possible investigation steps
 75
 76- Review the alert details to identify the specific host.id and process.entity_id involved in the suspicious activity.
 77- Examine the process arguments for osascript to determine the exact AppleScript command executed, focusing on the presence of the "-e" flag which indicates script execution.
 78- Investigate the parent process of the shell (sh, bash, zsh) to understand the context in which the shell command was executed, using process.parent.entity_id for correlation.
 79- Analyze the shell command arguments, particularly looking for potentially malicious patterns such as "*curl*", "*pbcopy*", "*http*", or "*chmod*", which may indicate data exfiltration or system modification attempts.
 80- Check the sequence and timing of the processes to assess if the execution pattern aligns with typical user behavior or if it suggests automated or rapid execution indicative of a script.
 81- Correlate the findings with any other security alerts or logs from the same host to identify if this activity is part of a broader attack or isolated incident.
 82- If necessary, escalate the investigation by capturing additional forensic data from the affected host, such as network traffic or file system changes, to further understand the impact and scope of the activity.
 83
 84### False positive analysis
 85
 86- Routine administrative scripts may trigger the rule if they use AppleScript or JXA to automate tasks involving shell commands. To manage this, identify and whitelist these scripts by their specific command patterns or execution context.
 87- Software updates or legitimate application installations might execute shell commands through AppleScript, appearing suspicious. Monitor and document these activities, and create exceptions for known update processes.
 88- Development tools and environments that rely on scripting for building or testing applications can generate false positives. Exclude these processes by verifying their source and ensuring they align with expected development activities.
 89- User-initiated automation tasks, such as custom scripts for personal productivity, may be flagged. Educate users on safe scripting practices and establish a process for reviewing and approving such scripts to prevent unnecessary alerts.
 90
 91### Response and remediation
 92
 93- Immediately isolate the affected macOS host from the network to prevent further unauthorized access or data exfiltration.
 94- Terminate any suspicious shell processes identified by the detection rule, specifically those initiated by `osascript` executing shell commands.
 95- Conduct a thorough review of the affected system's logs and process history to identify any additional unauthorized activities or persistence mechanisms.
 96- Remove any unauthorized scripts or files that were executed or created as part of the malicious activity.
 97- Reset credentials and review permissions for any accounts that may have been compromised or used in the attack.
 98- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected.
 99- Implement enhanced monitoring and alerting for similar patterns of behavior, focusing on the use of `osascript` and shell command execution, to prevent recurrence."""
100
101
102[[rule.threat]]
103framework = "MITRE ATT&CK"
104[[rule.threat.technique]]
105id = "T1059"
106name = "Command and Scripting Interpreter"
107reference = "https://attack.mitre.org/techniques/T1059/"
108
109
110[rule.threat.tactic]
111id = "TA0002"
112name = "Execution"
113reference = "https://attack.mitre.org/tactics/TA0002/"