Merge pull request #3989 from D4rkCiph3r/JXA_in-memory

Create proc_creation_macos_jxa_in-memory_execution.yml
2023-02-01 18:46:14 +01:00
parent 3d8b82805c 9ad58353a7
commit fb79c36372
2 changed files with 38 additions and 1 deletions
@@ -7,7 +7,7 @@ references:
    - https://redcanary.com/blog/applescript/
 author: Alejandro Ortuno, oscd.community
 date: 2020/10/21
-modified: 2023/01/31
+modified: 2023/02/01
 tags:
    - attack.execution
    - attack.t1059.002
@@ -20,6 +20,7 @@ detection:
        CommandLine|contains:
            - ' -e '
            - '.scpt'
+            - '.js'
    condition: selection
 falsepositives:
    - Application installers might contain scripts as part of the installation process.
@@ -0,0 +1,36 @@
+title: JXA In-memory Execution Via OSAScript
+id: f1408a58-0e94-4165-b80a-da9f96cf6fc3
+related:
+    - id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55
+      type: derived
+status: experimental
+description: Detects possible malicious execution of JXA in-memory via OSAScript
+references:
+    - https://redcanary.com/blog/applescript/
+author: Sohan G (D4rkCiph3r)
+date: 2023/01/31
+tags:
+    - attack.t1059.002
+    - attack.t1059.007
+    - attack.execution
+logsource:
+    product: macos
+    category: process_creation
+detection:
+    selection_main:
+        CommandLine|contains|all:
+            - 'osascript'
+            - ' -e '
+            - 'eval'
+            - 'NSData.dataWithContentsOfURL'
+    selection_js:
+        - CommandLine|contains|all:
+            - ' -l '
+            - 'JavaScript'
+        - CommandLine|contains: '.js'
+    condition: all of selection_*
+fields:
+    - CommandLine
+falsepositives:
+    - Unknown
+level: high