diff --git a/rules/macos/process_creation/proc_creation_macos_jxa_in-memory_execution.yml b/rules/macos/process_creation/proc_creation_macos_jxa_in-memory_execution.yml
index d200a5473..b1179c9ad 100644
--- a/rules/macos/process_creation/proc_creation_macos_jxa_in-memory_execution.yml
+++ b/rules/macos/process_creation/proc_creation_macos_jxa_in-memory_execution.yml
@@ -3,42 +3,45 @@ id: f1408a58-0e94-4165-b80a-da9f96cf6fc3
 description: Detects possible malicious execution of JXA in-memory via OSAScript
 date: 2023/01/31
 author: Sohan G (D4rkCiph3r)
-status: stable
+status: experimental
 references:
-- https://redcanary.com/blog/applescript/
+ - https://redcanary.com/blog/applescript/
 logsource:
- product: macos
- category: process_creation
+ product: macos
+ category: process_creation
 detection:
- selection1: #Different possible processes
- Image|contains:
- - '/osascript'
- - '/sh'
- - '/zsh'
- - '/bash'
- - '/curl'
- selection2:
- CommandLine|contains:
- - 'osascript'
- selection3:
- CommandLine|contains|all:
- - '-l'
- - 'JavaScript'
- selection4:
- CommandLine|contains: '.js'
- selection 5:
- CommandLine|contains|all:
- - '-e'
- - 'eval'
- - 'NSData.dataWithContentsOfURL'
- condition: selection1 AND (selection2 AND (selection3 OR selection4) AND selection5)
+'''
+ selection1: #Different possible processes
+ Image|endswith:
+ - '/osascript'
+ - '/sh'
+ - '/zsh'
+ - '/bash'
+ - '/curl'
+ - '/python'
+'''
+ selection2:
+ CommandLine|contains:
+ - 'osascript'
+ selection3:
+ CommandLine|contains|all:
+ - '-l'
+ - 'JavaScript'
+ selection4:
+ CommandLine|contains: '.js'
+ selection 5:
+ CommandLine|contains|all:
+ - '-e'
+ - 'eval'
+ - 'NSData.dataWithContentsOfURL'
+ condition: '''selection1 and '''(selection2 and (selection3 or selection4) and selection5)
 fields:
-- Image
-- CommandLine
+# - Image
+ - CommandLine
 falsepositives:
-- Unknown
-level: medium
+ - Unknown
+level: high
 tags:
-- attack.t1059.002
-- attack.t1059.007
-- attack.execution
+ - attack.t1059.002
+ - attack.t1059.007
+ - attack.execution
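Review bot: The two added `'''` lines around selection1 and the `'''selection1 and '''` fragment in `condition` are not comment syntax in YAML (`'''` is a single-quoted scalar holding one `'`), so the rule will most likely fail to parse and never be loaded by the Sigma tooling. Comment the selection1 block out with a leading `#` on each line (or remove it) and write the condition as `condition: selection2 and (selection3 or selection4) and selection5`. The rewritten key `selection 5:` (with a space) is also kept while the condition references `selection5`; rename it to `selection5:` so the reference resolves. Disabling selection1 drops the Image restriction at the same time `level` is raised to high, so the rule then fires on any process whose command line matches selection2–5; if that widening is intended, the `#Different possible processes` comment should say so.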