From 5d1130262f64bea988cccd9e712ff3a98e46cb7a Mon Sep 17 00:00:00 2001
From: D4rkCiph3r <102921060+D4rkCiph3r@users.noreply.github.com>
Date: Mon, 3 Apr 2023 15:57:17 +0530
Subject: [PATCH] feat: new rule `proc_creation_macos_suspicious_applet_behaviour.yml` (#4126)
---
 ...tion_macos_suspicious_applet_behaviour.yml | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 rules/macos/process_creation/proc_creation_macos_suspicious_applet_behaviour.yml
diff --git a/rules/macos/process_creation/proc_creation_macos_suspicious_applet_behaviour.yml b/rules/macos/process_creation/proc_creation_macos_suspicious_applet_behaviour.yml
new file mode 100644
index 000000000..3b5164f6e
--- /dev/null
+++ b/rules/macos/process_creation/proc_creation_macos_suspicious_applet_behaviour.yml
@@ -0,0 +1,24 @@
+title: Osacompile Execution By Potentially Suspicious Applet/Osascript
+id: a753a6af-3126-426d-8bd0-26ebbcb92254
+status: experimental
+description: Detects potential suspicious applet or osascript executing "osacompile".
+references:
+ - https://redcanary.com/blog/mac-application-bundles/
+author: Sohan G (D4rkCiph3r), Red Canary (Idea)
+date: 2023/04/03
+tags:
+ - attack.execution
+ - attack.t1059.002
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ selection:
+ ParentImage|endswith:
+ - '/applet'
+ - '/osascript'
+ CommandLine|contains: 'osacompile'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
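Review bot: `CommandLine|contains: 'osacompile'` in the selection is a substring match over every child of an applet/osascript parent, so it also fires when a child merely has the string in its arguments (a file path, an echo, a grep) rather than invoking the compiler; if only the compiler binary itself is meant, `Image|endswith: '/osacompile'` is the tighter selector. If the substring was chosen deliberately so that a shell wrapper launched by osascript (where the parent of osacompile would be the shell, not osascript) is still caught, that reasoning should be recorded in the rule so a later tuner does not narrow it, e.g. `description: Detects osacompile being invoked, directly or via a shell wrapper, by an applet or osascript parent process.` The `falsepositives` entry could also name the benign case this will hit instead of `Unknown`: developers or administrators building AppleScript applets interactively.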