OSACompile Run-Only Execution

 1title: OSACompile Run-Only Execution
 2id: b9d9b652-d8ed-4697-89a2-a1186ee680ac
 3status: test
 4description: Detects potential suspicious run-only executions compiled using OSACompile
 5references:
 6    - https://redcanary.com/blog/applescript/
 7    - https://ss64.com/osx/osacompile.html
 8author: Sohan G (D4rkCiph3r)
 9date: 2023/01/31
10tags:
11    - attack.t1059.002
12    - attack.execution
13logsource:
14    product: macos
15    category: process_creation
16detection:
17    selection:
18        CommandLine|contains|all:
19            - 'osacompile'
20            - ' -x '
21            - ' -e '
22    condition: selection
23fields:
24    - CommandLine
25falsepositives:
26    - Unknown
27level: high

References

• Going off script: Thwarting OSA, AppleScript, and JXA abuse

  

  Experts from Red Canary, Jamf, and MITRE ATT&CK opine on ways to detect and prevent manipulation of macOS’s scripting architecture.

  
  Read More

• osacompile Man Page - macOS - SS64.com

  osacompile Compile AppleScripts and other OSA language scripts. Syntax osacompile [-l language] [-e command] [-o name] [-d] [-r type:id] [-t type] [-c creator] [-x] [-s] [-u] [-a arch] [file ...] E...

  
  Read More

Related rules

• Clipboard Data Collection Via OSAScript
• JXA In-memory Execution Via OSAScript
• Suspicious Microsoft Office Child Process - MacOS
• Suspicious Execution via macOS Script Editor
• MacOS Scripting Interpreter AppleScript