Osacompile Execution By Potentially Suspicious Applet/Osascript

Detects an applet or osascript process spawning a child whose command line contains "osacompile". osacompile compiles AppleScript source into a script file or applet bundle, so a running script that compiles further scripts at runtime is worth a look as possible staged tooling.

Sigma rule

title: Osacompile Execution By Potentially Suspicious Applet/Osascript
id: a753a6af-3126-426d-8bd0-26ebbcb92254
status: test
description: Detects potential suspicious applet or osascript executing "osacompile".
references:
    - https://redcanary.com/blog/mac-application-bundles/
author: Sohan G (D4rkCiph3r), Red Canary (Idea)
date: 2023-04-03
tags:
    - attack.execution
    - attack.t1059.002
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        ParentImage|endswith:
            - '/applet'
            - '/osascript'
        CommandLine|contains: 'osacompile'
    condition: selection
falsepositives:
    - Unknown
level: medium
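As an added example (not part of the rule or of the Red Canary post), the following Python evaluates the selection above against a few constructed process_creation events. It mirrors Sigma semantics: the list under ParentImage|endswith is OR'ed, the two fields in the selection are AND'ed, and string matching is case-insensitive. The field names, sample paths and command lines are assumptions made up for the demonstration, not real telemetry.

```python
"""Run the Sigma selection above over constructed macOS process_creation events."""
from dataclasses import dataclass
from typing import List

# Values taken from the rule's selection.
PARENT_SUFFIXES = ("/applet", "/osascript")   # ParentImage|endswith (OR'ed)
COMMANDLINE_NEEDLE = "osacompile"              # CommandLine|contains


@dataclass
class ProcessEvent:
    """Minimal process_creation event (assumed field names, not a real schema)."""
    parent_image: str
    image: str
    command_line: str


def matches_rule(event: ProcessEvent) -> bool:
    """True when the event satisfies the rule's selection.

    Sigma string modifiers are case-insensitive by default, so both sides
    are lower-cased before comparison. Fields inside one selection are AND'ed.
    """
    parent = event.parent_image.lower()
    parent_ok = any(parent.endswith(suffix) for suffix in PARENT_SUFFIXES)
    cmd_ok = COMMANDLINE_NEEDLE in event.command_line.lower()
    return parent_ok and cmd_ok


# Constructed sample events (invented for this example).
SAMPLE_EVENTS: List[ProcessEvent] = [
    # osascript compiling a staged script into an applet bundle: should fire.
    ProcessEvent("/usr/bin/osascript", "/usr/bin/osacompile",
                 "osacompile -o /tmp/Helper.app /tmp/stage.applescript"),
    # An applet inside an app bundle going through a shell: should still fire
    # because ParentImage ends with /applet and the command line carries the needle.
    ProcessEvent("/Users/alice/Downloads/Invoice.app/Contents/MacOS/applet", "/bin/sh",
                 "/bin/sh -c 'osacompile -o ~/Library/run.scpt ~/Library/run.txt'"),
    # Same child, but parented by Script Editor: not in the parent list, no match.
    ProcessEvent("/Applications/Script Editor.app/Contents/MacOS/Script Editor",
                 "/usr/bin/osacompile", "osacompile -o build.scpt src.applescript"),
    # osascript parent, unrelated child: no match.
    ProcessEvent("/usr/bin/osascript", "/usr/bin/curl",
                 "curl -s https://example.invalid/x"),
    # Substring semantics of 'contains': a grep for the word also fires.
    ProcessEvent("/usr/bin/osascript", "/usr/bin/grep",
                 "grep -r OSACOMPILE /Users/bob/notes"),
]


def evaluate(events: List[ProcessEvent]) -> List[bool]:
    """Per-event verdicts in input order."""
    return [matches_rule(e) for e in events]


def alerts(events: List[ProcessEvent]) -> List[ProcessEvent]:
    """Only the events that would raise an alert."""
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print(f"{'ALERT ' if hit else 'ignore'}  {event.parent_image} -> {event.command_line}")
```

The last sample event shows why the rule sits at level medium with falsepositives set to Unknown: `contains` is a substring test, so any command line mentioning osacompile under an osascript or applet parent fires, whether or not the child is actually /usr/bin/osacompile. If that proves noisy, an Image|endswith constraint on the child is the natural place to tighten it.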
