Shell Execution via Apple Scripting
Identifies the execution of the shell process (sh) via scripting (JXA or AppleScript). Adversaries may use the doShellScript functionality in JXA or do shell script in AppleScript to execute system commands.
[metadata]
creation_date = "2020/12/07"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
Identifies the execution of the shell process (sh) via scripting (JXA or AppleScript). Adversaries may use the
doShellScript functionality in JXA or do shell script in AppleScript to execute system commands.
"""
# Look-back window for each scheduled run; the sequence itself is bounded separately by `maxspan` in the query.
from = "now-9m"
# Both an auditbeat pattern and the Elastic Defend process stream are searched; the tags below only
# declare Elastic Defend as the data source, so auditbeat coverage should be confirmed before relying on it.
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Shell Execution via Apple Scripting"
references = [
    "https://developer.apple.com/library/archive/technotes/tn2065/_index.html",
    "https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf",
]
risk_score = 47
rule_id = "d461fac0-43e8-49e2-85ea-3a58fe120b4f"
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
type = "eql"

# Two-event sequence scoped to one host: an `osascript` process, followed within 5 seconds by an
# `sh -c` process whose process.parent.pid equals the osascript process.pid (the `by` keys join
# the two events). The first event also accepts event.type "info", presumably so an osascript
# process that was already running when the sensor enumerated processes can still act as the
# parent — confirm against the data source's event.type semantics.
#
# NOTE(review): the match is on the `osascript` binary only. AppleScript/JXA executed by other
# hosts (compiled applets, Script Editor, applications driving the scripting framework directly)
# would carry a different parent process.name and is not covered here — verify with endpoint data
# before treating this rule as complete coverage for "do shell script" / doShellScript abuse.
#
# Tuning: `process.args == "-c"` matches any argument equal to "-c"; the command string handed to
# sh is not inspected, so legitimate administrative automation that shells out from AppleScript
# will also trigger this rule. Consider pairing alerts with the child command line during triage.
query = '''
sequence by host.id with maxspan=5s
 [process where host.os.type == "macos" and event.type in ("start", "process_started", "info") and process.name == "osascript"] by process.pid
 [process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name == "sh" and process.args == "-c"] by process.parent.pid
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"