From 87879f69cfdfa1e759c69cda797c8dfd4c8bb2dd Mon Sep 17 00:00:00 2001
From: D4rkCiph3r <102921060+D4rkCiph3r@users.noreply.github.com>
Date: Tue, 31 Jan 2023 16:52:17 +0530
Subject: [PATCH] Update proc_creation_macos_jxa_in-memory_execution.yml

Indentation corrections and comments
---
 ...creation_macos_jxa_in-memory_execution.yml | 69 ++++++++++---------
 1 file changed, 36 insertions(+), 33 deletions(-)

diff --git a/rules/macos/process_creation/proc_creation_macos_jxa_in-memory_execution.yml b/rules/macos/process_creation/proc_creation_macos_jxa_in-memory_execution.yml
index d200a5473..b1179c9ad 100644
--- a/rules/macos/process_creation/proc_creation_macos_jxa_in-memory_execution.yml
+++ b/rules/macos/process_creation/proc_creation_macos_jxa_in-memory_execution.yml
@@ -3,42 +3,45 @@ id: f1408a58-0e94-4165-b80a-da9f96cf6fc3
 description: Detects possible malicious execution of JXA in-memory via OSAScript
 date: 2023/01/31
 author: Sohan G (D4rkCiph3r)
-status: stable
+status: experimental
 references:
-- https://redcanary.com/blog/applescript/
+ - https://redcanary.com/blog/applescript/
 logsource:
- product: macos
- category: process_creation
+ product: macos
+ category: process_creation
 detection:
- selection1: #Different possible processes
- Image|contains:
- - '/osascript'
- - '/sh'
- - '/zsh'
- - '/bash'
- - '/curl'
- selection2:
- CommandLine|contains:
- - 'osascript'
- selection3:
- CommandLine|contains|all:
- - '-l'
- - 'JavaScript'
- selection4:
- CommandLine|contains: '.js'
- selection 5:
- CommandLine|contains|all:
- - '-e'
- - 'eval'
- - 'NSData.dataWithContentsOfURL'
- condition: selection1 AND (selection2 AND (selection3 OR selection4) AND selection5)
+'''
+ selection1: #Different possible processes
+ Image|endswith:
+ - '/osascript'
+ - '/sh'
+ - '/zsh'
+ - '/bash'
+ - '/curl'
+ - '/python'
+'''
+ selection2:
+ CommandLine|contains:
+ - 'osascript'
+ selection3:
+ CommandLine|contains|all:
+ - '-l'
+ - 'JavaScript'
+ selection4:
+ CommandLine|contains: '.js'
+ selection 5:
+ CommandLine|contains|all:
+ - '-e'
+ - 'eval'
+ - 'NSData.dataWithContentsOfURL'
+ condition: '''selection1 and '''(selection2 and (selection3 or selection4) and selection5)
 fields:
-- Image
-- CommandLine
+# - Image
+ - CommandLine
 falsepositives:
-- Unknown
-level: medium
+ - Unknown
+level: high
 tags:
-- attack.t1059.002
-- attack.t1059.007
-- attack.execution
+ - attack.t1059.002
+ - attack.t1059.007
+ - attack.execution
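Review bot: The `'''` wrappers around the selection1 block and in `condition: '''selection1 and '''(selection2 and (selection3 or selection4) and selection5)` are not YAML comment syntax, so the rule will no longer parse: YAML has only `#` line comments, the condition line becomes a single-quoted scalar followed by stray unquoted text, and the two bare `'''` lines open an unterminated quoted scalar that swallows the selection1 entries. A rule that does not parse cannot be converted or deployed, so the detection is lost entirely rather than merely narrowed. To disable selection1, prefix each line of that block with `# ` and reduce the condition to `condition: selection2 and (selection3 or selection4) and selection5`. Separately, the key `selection 5` contains a space while the condition references `selection5`; rename the key to `selection5` so the reference resolves. Indentation inside the hunk lines is collapsed in this copy, so the indentation corrections themselves cannot be verified here.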