Update proc_creation_macos_jxa_in-memory_execution.yml

Indentation corrections and comments
2023-01-31 16:52:17 +05:30
parent aa3fa9b7e4
commit 87879f69cf
1 changed files with 36 additions and 33 deletions
@@ -3,42 +3,45 @@ id: f1408a58-0e94-4165-b80a-da9f96cf6fc3
 description: Detects possible malicious execution of JXA in-memory via OSAScript
 date: 2023/01/31
 author: Sohan G (D4rkCiph3r)
-status: stable 
+status: experimental 
 references:
- https://redcanary.com/blog/applescript/
+    - https://redcanary.com/blog/applescript/
 logsource: 
-  product: macos 
-  category: process_creation 
+    product: macos 
+    category: process_creation 
 detection: 
-  selection1: #Different possible processes
-    Image|contains: 
-    - '/osascript' 
-    - '/sh'
-    - '/zsh'
-    - '/bash'
-    - '/curl'
-  selection2:
-    CommandLine|contains: 
-    - 'osascript'
-  selection3:
-    CommandLine|contains|all: 
-    - '-l'
-    - 'JavaScript'
-  selection4:
-    CommandLine|contains: '.js'
-  selection 5:
-    CommandLine|contains|all:
-    - '-e'
-    - 'eval'
-    - 'NSData.dataWithContentsOfURL'
-  condition: selection1 AND (selection2 AND (selection3 OR selection4) AND selection5)
+'''
+    selection1: #Different possible processes
+        Image|endswith: 
+        - '/osascript' 
+        - '/sh'
+        - '/zsh'
+        - '/bash'
+        - '/curl'
+        - '/python'
+'''
+    selection2:
+        CommandLine|contains: 
+        - 'osascript'
+    selection3:
+        CommandLine|contains|all: 
+        - '-l'
+        - 'JavaScript'
+    selection4:
+        CommandLine|contains: '.js'
+    selection 5:
+        CommandLine|contains|all:
+        - '-e'
+        - 'eval'
+        - 'NSData.dataWithContentsOfURL'
+    condition: '''selection1 and '''(selection2 and (selection3 or selection4) and selection5)
 fields: 
- Image
- CommandLine 
+#    - Image
+    - CommandLine 
 falsepositives: 
- Unknown
-level: medium 
+    - Unknown
+level: high 
 tags:   
- attack.t1059.002
- attack.t1059.007
- attack.execution
+    - attack.t1059.002
+    - attack.t1059.007
+    - attack.execution