Apple Scripting Execution with Administrator Privileges
Identifies execution of the Apple script interpreter (osascript) without a password prompt and with administrator privileges.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2020/12/27"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies execution of the Apple script interpreter (osascript) without a password prompt and with administrator
privileges.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Apple Scripting Execution with Administrator Privileges"
references = ["https://discussions.apple.com/thread/2266150"]
risk_score = 47
rule_id = "827f8d8f-4117-4ae4-b551-f56d54b9da6b"
setup = """## Setup

This rule requires data coming in from Elastic Defend.

### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.

#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).

#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect; for macOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent; you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as the configuration setting, which provides "All events; all preventions".
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Tactic: Privilege Escalation",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and
  process.command_line : "osascript*with administrator privileges" and
  not process.parent.name : "Electron" and
  not process.Ext.effective_parent.executable : ("/Applications/Visual Studio Code.app/Contents/MacOS/Electron",
                                                 "/Applications/OpenVPN Connect/Uninstall OpenVPN Connect.app/Contents/MacOS/uninstaller")
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Apple Scripting Execution with Administrator Privileges

AppleScript, a scripting language for macOS, automates tasks by controlling applications and system functions. Adversaries may exploit it to execute scripts with elevated privileges, bypassing password prompts, to gain unauthorized access or escalate privileges. The detection rule identifies such misuse by monitoring the execution of AppleScript with admin rights, excluding benign parent processes like Electron, to flag potential threats.

### Possible investigation steps

- Review the process details to confirm the execution of 'osascript' with administrator privileges, focusing on the command line arguments to understand the script's intent.
- Investigate the parent process of 'osascript' to determine if it is a known and trusted application, ensuring it is not 'Electron' or any other excluded parent process.
- Check the user account associated with the 'osascript' execution to verify if it is a legitimate account and assess if there are any signs of compromise or unauthorized access.
- Analyze recent system logs and user activity to identify any unusual behavior or patterns that coincide with the time of the alert.
- Correlate this event with other security alerts or incidents to determine if it is part of a broader attack or an isolated incident.

### False positive analysis

- Known false positives may arise from legitimate applications that use AppleScript with administrator privileges for valid operations, such as software installers or system management tools.
- Exclude processes with benign parent applications like Electron, as specified in the rule, to reduce false positives from common development environments.
- Consider adding exceptions for other trusted applications that frequently use AppleScript with elevated privileges, ensuring they are verified and necessary for business operations.
- Regularly review and update the list of excluded applications to adapt to changes in software usage and maintain effective threat detection.
- Monitor the frequency and context of alerts to identify patterns that may indicate false positives, adjusting the detection rule as needed to minimize unnecessary alerts.

### Response and remediation

- Immediately isolate the affected macOS system from the network to prevent further unauthorized access or lateral movement.
- Terminate any suspicious osascript processes running with administrator privileges that were not initiated by known, legitimate applications.
- Review system logs and process execution history to identify any unauthorized changes or access that occurred during the incident.
- Revoke any compromised credentials or accounts that may have been used to execute the AppleScript with elevated privileges.
- Restore the system to a known good state from a backup taken before the unauthorized script execution, if necessary.
- Implement application whitelisting to prevent unauthorized scripts from executing with elevated privileges in the future.
- Escalate the incident to the security operations team for further investigation and to assess the need for additional security controls or monitoring enhancements."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
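To make the query's clauses concrete, the following Python replays the rule's predicate over a handful of constructed process events and returns, for each hit, the fields the investigation guide says to review first (command line, parent, effective parent, user). This is an added illustration, not Elastic's code or the EQL engine: it assumes events arrive as flat dicts keyed by ECS-style dotted field names, and it approximates the EQL `:` operator as case-insensitive matching in which `*` is the only wildcard. The sample events, user name and the `ls /Library` script body are constructed.

```python
"""Replay of the 'Apple Scripting Execution with Administrator Privileges'
EQL predicate over constructed process events. Added example, not Elastic code.
Assumption: events are flat dicts with ECS-style dotted keys."""
import re
from typing import Dict, Iterable, List, Optional, Pattern

# Literals copied from the rule's query.
COMMAND_LINE_PATTERN = "osascript*with administrator privileges"
EXCLUDED_PARENT_NAMES = ("Electron",)
EXCLUDED_EFFECTIVE_PARENT_EXECUTABLES = (
    "/Applications/Visual Studio Code.app/Contents/MacOS/Electron",
    "/Applications/OpenVPN Connect/Uninstall OpenVPN Connect.app/Contents/MacOS/uninstaller",
)


def eql_wildcard(pattern: str) -> Pattern[str]:
    """Compile an EQL ':' pattern to a regex. Assumption: ':' is case-insensitive,
    '*' matches any run of characters and every other character is literal."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile("^" + body + "$", re.IGNORECASE | re.DOTALL)


_CMD_RE = eql_wildcard(COMMAND_LINE_PATTERN)


def _eq_ci(value: Optional[str], literals: Iterable[str]) -> bool:
    """Case-insensitive equality against a set of literals (EQL ':' without '*')."""
    return value is not None and any(value.lower() == lit.lower() for lit in literals)


def matches_rule(event: Dict[str, str]) -> bool:
    """True when the event satisfies every clause of the rule's query."""
    if event.get("host.os.type") != "macos":  # '==' in EQL is an exact compare
        return False
    if event.get("event.type") not in ("start", "process_started"):
        return False
    if not _eq_ci(event.get("process.name"), ("osascript",)):
        return False
    if not _CMD_RE.match(event.get("process.command_line") or ""):
        return False
    # The two exclusions: an Electron parent, or one of the listed effective parents.
    if _eq_ci(event.get("process.parent.name"), EXCLUDED_PARENT_NAMES):
        return False
    if _eq_ci(event.get("process.Ext.effective_parent.executable"),
              EXCLUDED_EFFECTIVE_PARENT_EXECUTABLES):
        return False
    return True


def triage_fields(event: Dict[str, str]) -> Dict[str, Optional[str]]:
    """The fields the investigation guide asks an analyst to review first."""
    return {
        "command_line": event.get("process.command_line"),
        "parent": event.get("process.parent.name"),
        "effective_parent": event.get("process.Ext.effective_parent.executable"),
        "user": event.get("user.name"),
    }


def evaluate(events: Iterable[Dict[str, str]]) -> List[Dict[str, Optional[str]]]:
    """Run the predicate over a batch of events and return triage summaries for hits."""
    return [triage_fields(e) for e in events if matches_rule(e)]


# Constructed telemetry. Note the endpoint records argv, so the shell's single
# quotes are gone and the command line ends in "privileges", as the pattern needs.
ADMIN_CMD = 'osascript -e do shell script "ls /Library" with administrator privileges'
BASE = {"host.os.type": "macos", "event.type": "start",
        "process.name": "osascript", "user.name": "jdoe"}
SAMPLE_EVENTS = [
    {**BASE, "process.command_line": ADMIN_CMD, "process.parent.name": "Terminal"},
    {**BASE, "process.command_line": ADMIN_CMD, "process.parent.name": "Electron"},
    {**BASE, "process.command_line": ADMIN_CMD, "process.parent.name": "Code Helper",
     "process.Ext.effective_parent.executable":
         "/Applications/Visual Studio Code.app/Contents/MacOS/Electron"},
    {**BASE, "process.command_line": 'osascript -e display dialog "hi"',
     "process.parent.name": "Terminal"},
    {**BASE, "host.os.type": "linux", "process.command_line": ADMIN_CMD,
     "process.parent.name": "bash"},
    {**BASE, "event.type": "end", "process.command_line": ADMIN_CMD,
     "process.parent.name": "Terminal"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

Only the first sample fires: the Electron parent and the VS Code effective parent are carved out by the rule's exclusions, the `display dialog` invocation never contains the admin phrase, and the Linux and process-end events fail the host and event-type clauses. Tuning the exclusion tuples is the same operation the false-positive section describes for the live rule.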
References
Related rules
- Execution with Explicit Credentials via Scripting
- AWS SSM `SendCommand` with Run Shell Command Parameters
- Apple Script Execution followed by Network Connection
- At Job Created or Modified
- Creation of Hidden Login Item via Apple Script