Clipboard Data Collection Via OSAScript

Detects possible collection of data from the clipboard via execution of the osascript binary

Sigma rule

title: Clipboard Data Collection Via OSAScript
id: 7794fa3c-edea-4cff-bec7-267dd4770fd7
related:
    - id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55
      type: derived
status: test
description: Detects possible collection of data from the clipboard via execution of the osascript binary
references:
    - https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/
author: Sohan G (D4rkCiph3r)
date: 2023/01/31
tags:
    - attack.collection
    - attack.execution
    - attack.t1115
    - attack.t1059.002
logsource:
    product: macos
    category: process_creation
detection:
    selection:
        CommandLine|contains|all:
            - 'osascript'
            - ' -e '
            - 'clipboard'
    condition: selection
fields:
    - CommandLine
falsepositives:
    - Unlikely
level: high
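
The selection logic above, evaluated over a few process-creation events, as an added example that is not part of the Sigma project or any Sigma backend. The event dictionaries, user paths and the helper names `matches` and `triage` are constructed for illustration. It applies Sigma's default case-insensitive string matching and shows that the rule also fires when a script writes to the clipboard, which is worth knowing when tuning the "Unlikely" false-positive rating.

```python
# Added example: a minimal evaluator for this rule's selection, not a Sigma backend.
RULE_SELECTION = {"CommandLine|contains|all": ["osascript", " -e ", "clipboard"]}


def matches(event, selection=RULE_SELECTION):
    """Return True when the event satisfies every field condition in the selection."""
    for key, needles in selection.items():
        field, *modifiers = key.split("|")
        if modifiers != ["contains", "all"]:
            raise ValueError(f"unsupported modifiers: {modifiers}")
        value = event.get(field)
        if not isinstance(value, str):
            return False  # field missing from the event: the selection cannot match
        haystack = value.lower()  # Sigma string matching is case-insensitive by default
        if not all(needle.lower() in haystack for needle in needles):
            return False  # 'all' requires every substring to be present
    return True


# Constructed process_creation events (hypothetical hosts and paths).
SAMPLE_EVENTS = [
    # Reads the clipboard: the behaviour the rule is written for.
    {"CommandLine": "osascript -e 'get the clipboard'"},
    # Writes to the clipboard: also matches, a candidate false positive.
    {"CommandLine": "/usr/bin/OSAScript -e 'set the clipboard to \"build ok\"'"},
    # Inline AppleScript with no clipboard access: no match.
    {"CommandLine": "osascript -e 'display notification \"done\"'"},
    # Script file run without -e and without the keyword: no match.
    {"CommandLine": "osascript /Users/alice/scripts/backup.scpt"},
    # Telemetry record lacking a command line: no match.
    {"Image": "/usr/bin/osascript"},
]


def triage(events):
    """Return the command lines of all events that would raise this alert."""
    return [e["CommandLine"] for e in events if matches(e)]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ALERT (level: high):", hit)
```
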
