Mac AppleScript Input Prompt
Adversaries leverage AppleScript to try to steal the user’s login password. This analytic attempts to detect that activity via the first variation. Part of the RedCanary 2024 Threat Detection Report.
Sigma rule

```yaml
title: Mac AppleScript Input Prompt
id: cff40f2b-46e9-49cc-8ba5-dde6403ab453
status: experimental
description: |
    Adversaries leverage AppleScript to try to steal the user’s login password.
    This analytic attempts to detect that activity via the first variation.
    Part of the RedCanary 2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/applescript/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.execution
    - attack.t1059
    - attack.t1059.002
logsource:
    product: macos
    category: process_creation
detection:
    selection:
        CommandLine|contains|all:
            - 'osascript'
            - 'display dialog'
            - 'password'
    condition: selection
falsepositives:
    - Unknown
level: low
```
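To show what the `CommandLine|contains|all` selection above actually fires on, here is an added example (not part of the Sigma rule or RedCanary's analytic) that evaluates the selection against a handful of constructed macOS process_creation events. It follows Sigma's default case-insensitive substring matching, so a differently cased `Display Dialog` still matches, and an event with no `CommandLine` field does not match.

```python
"""Added example: evaluate the rule's selection over constructed events.
The keyword list is copied from the rule; the events are constructed samples."""

# Copied from the rule's CommandLine|contains|all selection.
SELECTION_CONTAINS_ALL = ("osascript", "display dialog", "password")


def matches_selection(event: dict, needles=SELECTION_CONTAINS_ALL) -> bool:
    """Sigma `contains|all`: every needle must be a substring of CommandLine.
    Sigma string matching is case-insensitive by default, so both sides are
    lower-cased before comparison."""
    cmdline = event.get("CommandLine")
    if not isinstance(cmdline, str):
        return False  # field missing or malformed: the selection cannot match
    haystack = cmdline.lower()
    return all(n.lower() in haystack for n in needles)


def triage(events):
    """Return the ProcessId of every event the rule fires on, in input order."""
    return [e["ProcessId"] for e in events if matches_selection(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ProcessId": 101, "Image": "/usr/bin/osascript",
     "CommandLine": "osascript -e 'display dialog \"Enter your password\" default answer \"\"'"},
    {"ProcessId": 102, "Image": "/usr/bin/osascript",
     "CommandLine": "osascript -e 'display notification \"Backup complete\"'"},
    {"ProcessId": 103, "Image": "/usr/bin/osascript",  # mixed-case variant of 101
     "CommandLine": "OSASCRIPT -e 'Display Dialog \"Password expired\"'"},
    {"ProcessId": 104, "Image": "/bin/zsh",            # only one keyword present
     "CommandLine": "zsh -c 'echo password'"},
    {"ProcessId": 105, "Image": "/usr/bin/osascript"},  # CommandLine not collected
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))  # [101, 103]
```

Event 104 illustrates why the rule requires all three strings rather than `password` alone; tuning for the "Unknown" false positives would start from the benign `osascript` dialogs seen in your own telemetry.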
References
- https://redcanary.com/threat-detection-report/techniques/applescript/
Related rules
- In-memory Downloading and Compiling of Applets as Payloads
- Bypassing Security Controls - Command Shell
- Obfuscated Commands - Command Shell
- Obfuscation and Escape Characters - Powershell
- PowerShell -encodedcommand Switch