diff --git a/rules/macos/process_creation/proc_creation_macos_applescript.yml b/rules/macos/process_creation/proc_creation_macos_applescript.yml
index 49c494112..a12eeeaa6 100644
--- a/rules/macos/process_creation/proc_creation_macos_applescript.yml
+++ b/rules/macos/process_creation/proc_creation_macos_applescript.yml
@@ -7,7 +7,7 @@ references:
     - https://redcanary.com/blog/applescript/
 author: Alejandro Ortuno, oscd.community
 date: 2020/10/21
-modified: 2023/01/31
+modified: 2023/02/01
 tags:
     - attack.execution
     - attack.t1059.002
@@ -20,6 +20,7 @@ detection:
         CommandLine|contains:
             - ' -e '
             - '.scpt'
+            - '.js'
     condition: selection
 falsepositives:
     - Application installers might contain scripts as part of the installation process.
diff --git a/rules/macos/process_creation/proc_creation_macos_jxa_in_memory_execution.yml b/rules/macos/process_creation/proc_creation_macos_jxa_in_memory_execution.yml
new file mode 100644
index 000000000..278eb9012
--- /dev/null
+++ b/rules/macos/process_creation/proc_creation_macos_jxa_in_memory_execution.yml
@@ -0,0 +1,36 @@
+title: JXA In-memory Execution Via OSAScript
+id: f1408a58-0e94-4165-b80a-da9f96cf6fc3
+related:
+    - id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55
+      type: derived
+status: experimental
+description: Detects possible malicious execution of JXA in-memory via OSAScript
+references:
+    - https://redcanary.com/blog/applescript/
+author: Sohan G (D4rkCiph3r)
+date: 2023/01/31
+tags:
+    - attack.t1059.002
+    - attack.t1059.007
+    - attack.execution
+logsource:
+    product: macos
+    category: process_creation
+detection:
+    selection_main:
+        CommandLine|contains|all:
+            - 'osascript'
+            - ' -e '
+            - 'eval'
+            - 'NSData.dataWithContentsOfURL'
+    selection_js:
+        - CommandLine|contains|all:
+              - ' -l '
+              - 'JavaScript'
+        - CommandLine|contains: '.js'
+    condition: all of selection_*
+fields:
+    - CommandLine
+falsepositives:
+    - Unknown
+level: high
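Review bot: The new `'.js'` entry under `CommandLine|contains` is a bare substring, so it also matches `.json` and any path or argument that merely contains those three characters, which is a much wider net than the `'.scpt'` sibling it sits next to. The rest of `selection` (and whatever anchors it to the osascript image, if anything) starts before this hunk, so how much noise this adds cannot be judged from here; if the selection is not anchored on osascript, consider a separate `CommandLine|endswith: '.js'` branch instead of the contains entry. Either way the `falsepositives` entry a few lines below still only mentions installers and should note that JavaScript-for-Automation (.js) invocations are now in scope, e.g. `- Legitimate JXA scripts run via osascript`.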
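Review bot: The `description` on line 7 of the new rule does not tell an analyst what the detection actually requires, while `selection_main` pins it to a narrow pattern: an inline `-e` statement that contains both `eval` and `NSData.dataWithContentsOfURL`, so in-memory loaders that fetch content through any other API, or that run from a script file rather than `-e`, are outside this rule's coverage. Suggest making that explicit, e.g. `description: Detects possible in-memory execution of JXA via osascript, i.e. an inline (-e) JavaScript statement that fetches remote content with NSData.dataWithContentsOfURL and passes it to eval`, so the gap is visible when the rule is tuned. `falsepositives: - Unknown` gives triage nothing to work with; if the author has seen none, `- Unlikely` or a short note on legitimate JXA automation that fetches remote content would be more useful. The `related` entry points at id `1bc2e6c5-...`, presumably the applescript rule touched earlier in this diff, but that file's `id` is not in the visible hunks, so the link should be confirmed.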