Suspicious Execution via macOS Script Editor

calendar Nov 2, 2023 · attack.t1566 attack.t1566.002 attack.initial_access attack.t1059 attack.t1059.002 attack.t1204 attack.t1204.001 attack.execution attack.persistence attack.t1553 attack.defense_evasion  ·
Share on: linkedin copy

Detects when the macOS Script Editor utility spawns an unusual child process.

Sigma rule (View on GitHub)

 1title: Suspicious Execution via macOS Script Editor
 2id: 6e4dcdd1-e48b-42f7-b2d8-3b413fc58cb4
 3status: test
 4description: Detects when the macOS Script Editor utility spawns an unusual child process.
 5author: Tim Rauch (rule), Elastic (idea)
 6references:
 7    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685
 8    - https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/
 9date: 2022/10/21
10modified: 2022/12/28
11logsource:
12    category: process_creation
13    product: macos
14tags:
15    - attack.t1566
16    - attack.t1566.002
17    - attack.initial_access
18    - attack.t1059
19    - attack.t1059.002
20    - attack.t1204
21    - attack.t1204.001
22    - attack.execution
23    - attack.persistence
24    - attack.t1553
25    - attack.defense_evasion
26detection:
27    selection_parent:
28        ParentImage|endswith: '/Script Editor'
29    selection_img:
30        - Image|endswith:
31              - '/curl'
32              - '/bash'
33              - '/sh'
34              - '/zsh'
35              - '/dash'
36              - '/fish'
37              - '/osascript'
38              - '/mktemp'
39              - '/chmod'
40              - '/php'
41              - '/nohup'
42              - '/openssl'
43              - '/plutil'
44              - '/PlistBuddy'
45              - '/xattr'
46              - '/sqlite'
47              - '/funzip'
48              - '/popen'
49        - Image|contains:
50              - 'python'
51              - 'perl'
52    condition: all of selection_*
53falsepositives:
54    - Unknown
55level: medium

References

  • Updating artifacts · elastic/protections-artifacts@7460867

    Elastic Security detection content for Endpoint. Contribute to elastic/protections-artifacts development by creating an account on GitHub.


    Read More

  • macOS Red Teaming: Initial access via AppleScript URL

    macOS Red Teaming Tricks series The idea of #macOSRedTeamingTricks series is to share simple & ready-to-use tricks that may help you during macOS red teaming engagements. The trick This post is about a funny trick that may help you in achieving initial access on a macOS machine. It requires performing advanced phishing but the code execution with built-in TCC bypass is extremely powerful. Let’s go to the point. The Script Editor (/System/Applications/Utilities/Script Editor.


    Read More

Related rules

to-top