Osacompile Execution By Potentially Suspicious Applet/Osascript
Detects a potentially suspicious applet or osascript process executing "osacompile", i.e. an AppleScript that compiles further AppleScript at runtime.
Sigma rule
title: Osacompile Execution By Potentially Suspicious Applet/Osascript
id: a753a6af-3126-426d-8bd0-26ebbcb92254
status: test
description: Detects a potentially suspicious applet or osascript process executing "osacompile".
references:
    - https://redcanary.com/blog/mac-application-bundles/
author: Sohan G (D4rkCiph3r), Red Canary (Idea)
date: 2023-04-03
tags:
    - attack.execution
    - attack.t1059.002
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        ParentImage|endswith:
            - '/applet'
            - '/osascript'
        CommandLine|contains: 'osacompile'
    condition: selection
falsepositives:
    - Unknown
level: medium
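As an added example (written for this page, not part of the Sigma rule or the Sigma project), the following Python applies the rule's single selection to a few constructed process_creation events. Field names follow the Sigma process_creation taxonomy (ParentImage, CommandLine); the events themselves are made up, not real telemetry. Note that Sigma string modifiers such as endswith and contains are case-insensitive by default, so the comparison lower-cases both sides; "applet" is the name of the main executable inside an AppleScript application exported from Script Editor, which is why the rule anchors on the "/applet" path suffix rather than the bundle name.

```python
"""Evaluate the Sigma selection above against constructed macOS
process_creation events (illustrative code, not part of the rule)."""

PARENT_SUFFIXES = ("/applet", "/osascript")
COMMANDLINE_NEEDLE = "osacompile"


def matches(event: dict) -> bool:
    """Return True when the event satisfies the rule's selection:
    ParentImage ends with '/applet' or '/osascript' AND the command line
    contains 'osacompile'. Sigma's endswith/contains are case-insensitive
    by default, so both sides are lower-cased first."""
    parent = str(event.get("ParentImage", "")).lower()
    cmdline = str(event.get("CommandLine", "")).lower()
    return parent.endswith(PARENT_SUFFIXES) and COMMANDLINE_NEEDLE in cmdline


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # 1: osascript spawning osacompile to build a run-only script
        "id": 1,
        "ParentImage": "/usr/bin/osascript",
        "Image": "/usr/bin/osacompile",
        "CommandLine": "osacompile -x -o /tmp/stage2.scpt /tmp/stage2.applescript",
    },
    {   # 2: exported AppleScript app (executable named 'applet') compiling
        #    another bundle via a shell; mixed case still matches
        "id": 2,
        "ParentImage": "/Users/alice/Downloads/Invoice.app/Contents/MacOS/applet",
        "Image": "/bin/sh",
        "CommandLine": "sh -c 'OSACOMPILE -o ~/Library/helper.app ~/Library/helper.scpt'",
    },
    {   # 3: developer compiling from an interactive shell: parent is neither
        #    applet nor osascript, so the rule stays quiet
        "id": 3,
        "ParentImage": "/bin/zsh",
        "Image": "/usr/bin/osacompile",
        "CommandLine": "osacompile -o build/MyTool.app src/MyTool.applescript",
    },
    {   # 4: osascript child that never involves osacompile
        "id": 4,
        "ParentImage": "/usr/bin/osascript",
        "Image": "/usr/bin/curl",
        "CommandLine": "curl -s https://example.invalid/",
    },
    {   # 5: the suffix must be a whole path component: '/myapplet' does not
        #    end in '/applet'
        "id": 5,
        "ParentImage": "/opt/tools/myapplet",
        "Image": "/usr/bin/osacompile",
        "CommandLine": "osacompile -o out.scpt in.applescript",
    },
]


def alert_ids(events=SAMPLE_EVENTS) -> list:
    """IDs of the events the rule would alert on."""
    return [e["id"] for e in events if matches(e)]


if __name__ == "__main__":
    print(alert_ids())  # [1, 2]
```

Two practical points follow from the sample set. The rule only fires when the full parent path is available (event 5 shows why the leading slash in the suffix matters); telemetry that records just a parent process name needs the match adapted accordingly. And because the selection keys on the parent rather than on osacompile itself, routine builds from a shell or a CI script (event 3) do not match, which keeps the medium-level rule narrower than a bare osacompile-execution rule.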
Related rules
- Clipboard Data Collection Via OSAScript
- JXA In-memory Execution Via OSAScript
- MacOS Scripting Interpreter AppleScript
- OSACompile Run-Only Execution
- Suspicious Execution via macOS Script Editor
