JXA In-memory Execution Via OSAScript

Dec 1, 2023 · attack.t1059.002 attack.t1059.007 attack.execution ·

Detects possible malicious execution of JXA in-memory via OSAScript

Sigma rule (View on GitHub)

 1title: JXA In-memory Execution Via OSAScript
 2id: f1408a58-0e94-4165-b80a-da9f96cf6fc3
 3related:
 4    - id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55
 5      type: derived
 6status: test
 7description: Detects possible malicious execution of JXA in-memory via OSAScript
 8references:
 9    - https://redcanary.com/blog/applescript/
10author: Sohan G (D4rkCiph3r)
11date: 2023/01/31
12tags:
13    - attack.t1059.002
14    - attack.t1059.007
15    - attack.execution
16logsource:
17    product: macos
18    category: process_creation
19detection:
20    selection_main:
21        CommandLine|contains|all:
22            - 'osascript'
23            - ' -e '
24            - 'eval'
25            - 'NSData.dataWithContentsOfURL'
26    selection_js:
27        - CommandLine|contains|all:
28              - ' -l '
29              - 'JavaScript'
30        - CommandLine|contains: '.js'
31    condition: all of selection_*
32fields:
33    - CommandLine
34falsepositives:
35    - Unknown
36level: high

References

Going off script: Thwarting OSA, AppleScript, and JXA abuse

Experts from Red Canary, Jamf, and MITRE ATT&CK opine on ways to detect and prevent manipulation of macOS’s scripting architecture.

Read More

JXA In-memory Execution Via OSAScript

Sigma rule (View on GitHub)

References

Going off script: Thwarting OSA, AppleScript, and JXA abuse

Related rules