From aa3fa9b7e4089f0d6927a73b8a3a85a9b8ee006e Mon Sep 17 00:00:00 2001
From: D4rkCiph3r <102921060+D4rkCiph3r@users.noreply.github.com>
Date: Tue, 31 Jan 2023 16:06:39 +0530
Subject: [PATCH 1/8] Create proc_creation_macos_jxa_in-memory_execution.yml
---
 ...creation_macos_jxa_in-memory_execution.yml | 44 +++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 rules/macos/process_creation/proc_creation_macos_jxa_in-memory_execution.yml
diff --git a/rules/macos/process_creation/proc_creation_macos_jxa_in-memory_execution.yml b/rules/macos/process_creation/proc_creation_macos_jxa_in-memory_execution.yml
new file mode 100644
index 000000000..d200a5473
--- /dev/null
+++ b/rules/macos/process_creation/proc_creation_macos_jxa_in-memory_execution.yml
@@ -0,0 +1,44 @@
+title: JXA in-memory execution
+id: f1408a58-0e94-4165-b80a-da9f96cf6fc3
+description: Detects possible malicious execution of JXA in-memory via OSAScript
+date: 2023/01/31
+author: Sohan G (D4rkCiph3r)
+status: stable
+references:
+- https://redcanary.com/blog/applescript/
+logsource:
+ product: macos
+ category: process_creation
+detection:
+ selection1: #Different possible processes
+ Image|contains:
+ - '/osascript'
+ - '/sh'
+ - '/zsh'
+ - '/bash'
+ - '/curl'
+ selection2:
+ CommandLine|contains:
+ - 'osascript'
+ selection3:
+ CommandLine|contains|all:
+ - '-l'
+ - 'JavaScript'
+ selection4:
+ CommandLine|contains: '.js'
+ selection 5:
+ CommandLine|contains|all:
+ - '-e'
+ - 'eval'
+ - 'NSData.dataWithContentsOfURL'
+ condition: selection1 AND (selection2 AND (selection3 OR selection4) AND selection5)
+fields:
+- Image
+- CommandLine
+falsepositives:
+- Unknown
+level: medium
+tags:
+- attack.t1059.002
+- attack.t1059.007
+- attack.execution
From 87879f69cfdfa1e759c69cda797c8dfd4c8bb2dd Mon Sep 17 00:00:00 2001
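Review bot: The condition in this new rule references `selection5`, but the selection is declared as `selection 5` (with a space), so the condition names an identifier the detection block never defines; rename the key to `selection5:`. The same mismatch survives in the PATCH 2/8 hunk. Separately, `Image|contains` with `'/sh'` matches any image path containing that substring (a `/share/` component, for instance), not only the shell binary; `Image|endswith` with the full basename would express what is meant. The Sigma condition keywords are lowercase, so `AND`/`OR` should be `and`/`or`, and `status: stable` on a first-cut rule whose only false-positive entry is `Unknown` is hard to justify — `experimental` fits.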
From: D4rkCiph3r <102921060+D4rkCiph3r@users.noreply.github.com>
Date: Tue, 31 Jan 2023 16:52:17 +0530
Subject: [PATCH 2/8] Update proc_creation_macos_jxa_in-memory_execution.yml
Indentation corrections and comments
---
 ...creation_macos_jxa_in-memory_execution.yml | 69 ++++++++++---------
 1 file changed, 36 insertions(+), 33 deletions(-)
diff --git a/rules/macos/process_creation/proc_creation_macos_jxa_in-memory_execution.yml b/rules/macos/process_creation/proc_creation_macos_jxa_in-memory_execution.yml
index d200a5473..b1179c9ad 100644
--- a/rules/macos/process_creation/proc_creation_macos_jxa_in-memory_execution.yml
+++ b/rules/macos/process_creation/proc_creation_macos_jxa_in-memory_execution.yml
@@ -3,42 +3,45 @@ id: f1408a58-0e94-4165-b80a-da9f96cf6fc3
 description: Detects possible malicious execution of JXA in-memory via OSAScript
 date: 2023/01/31
 author: Sohan G (D4rkCiph3r)
-status: stable
+status: experimental
 references:
-- https://redcanary.com/blog/applescript/
+ - https://redcanary.com/blog/applescript/
 logsource:
- product: macos
- category: process_creation
+ product: macos
+ category: process_creation
 detection:
- selection1: #Different possible processes
- Image|contains:
- - '/osascript'
- - '/sh'
- - '/zsh'
- - '/bash'
- - '/curl'
- selection2:
- CommandLine|contains:
- - 'osascript'
- selection3:
- CommandLine|contains|all:
- - '-l'
- - 'JavaScript'
- selection4:
- CommandLine|contains: '.js'
- selection 5:
- CommandLine|contains|all:
- - '-e'
- - 'eval'
- - 'NSData.dataWithContentsOfURL'
- condition: selection1 AND (selection2 AND (selection3 OR selection4) AND selection5)
+'''
+ selection1: #Different possible processes
+ Image|endswith:
+ - '/osascript'
+ - '/sh'
+ - '/zsh'
+ - '/bash'
+ - '/curl'
+ - '/python'
+'''
+ selection2:
+ CommandLine|contains:
+ - 'osascript'
+ selection3:
+ CommandLine|contains|all:
+ - '-l'
+ - 'JavaScript'
+ selection4:
+ CommandLine|contains: '.js'
+ selection 5:
+ CommandLine|contains|all:
+ - '-e'
+ - 'eval'
+ - 'NSData.dataWithContentsOfURL'
+ condition: '''selection1 and '''(selection2 and (selection3 or selection4) and selection5)
 fields:
-- Image
-- CommandLine
+# - Image
+ - CommandLine
 falsepositives:
-- Unknown
-level: medium
+ - Unknown
+level: high
 tags:
-- attack.t1059.002
-- attack.t1059.007
-- attack.execution
+ - attack.t1059.002
+ - attack.t1059.007
+ - attack.execution
From f67072fddc0739dca535096bdcf1601a5a51a926 Mon Sep 17 00:00:00 2001
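Review bot: The `'''` lines added around `selection1` and inside `condition: '''selection1 and '''(...)` are not a comment syntax in YAML; a `'` opens a single-quoted scalar, so these lines become unbalanced quoted scalars that a parser will either reject or fold into neighbouring values, and the rule as committed is unlikely to load. To disable the `Image` selection, prefix each of its lines with `# `, as `# - Image` already does under `fields`, or simply drop them. The jump from `level: medium` to `level: high` is not explained in the commit message while `falsepositives` is still `Unknown`.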
From: D4rkCiph3r <102921060+D4rkCiph3r@users.noreply.github.com>
Date: Tue, 31 Jan 2023 16:54:29 +0530
Subject: [PATCH 3/8] Update proc_creation_macos_jxa_in-memory_execution.yml
---
 ...creation_macos_jxa_in-memory_execution.yml | 21 +++++--------------
 1 file changed, 5 insertions(+), 16 deletions(-)
diff --git a/rules/macos/process_creation/proc_creation_macos_jxa_in-memory_execution.yml b/rules/macos/process_creation/proc_creation_macos_jxa_in-memory_execution.yml
index b1179c9ad..507d8973e 100644
--- a/rules/macos/process_creation/proc_creation_macos_jxa_in-memory_execution.yml
+++ b/rules/macos/process_creation/proc_creation_macos_jxa_in-memory_execution.yml
@@ -10,33 +10,22 @@ logsource:
 product: macos
 category: process_creation
 detection:
-'''
- selection1: #Different possible processes
- Image|endswith:
- - '/osascript'
- - '/sh'
- - '/zsh'
- - '/bash'
- - '/curl'
- - '/python'
-'''
- selection2:
+ selection1:
 CommandLine|contains:
 - 'osascript'
- selection3:
+ selection2:
 CommandLine|contains|all:
 - '-l'
 - 'JavaScript'
- selection4:
+ selection3:
 CommandLine|contains: '.js'
- selection 5:
+ selection4:
 CommandLine|contains|all:
 - '-e'
 - 'eval'
 - 'NSData.dataWithContentsOfURL'
- condition: '''selection1 and '''(selection2 and (selection3 or selection4) and selection5)
+ condition: selection1 and (selection2 or selection3) and selection4
 fields:
-# - Image
 - CommandLine
 falsepositives:
 - Unknown
From eb26d94c140c1197a207674b7baac33e271b12b5 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 31 Jan 2023 12:42:20 +0100
Subject: [PATCH 4/8] fix: order fields and optimize selection
---
 ...creation_macos_jxa_in-memory_execution.yml | 58 +++++++++----------
 1 file changed, 29 insertions(+), 29 deletions(-)
diff --git a/rules/macos/process_creation/proc_creation_macos_jxa_in-memory_execution.yml b/rules/macos/process_creation/proc_creation_macos_jxa_in-memory_execution.yml
index 507d8973e..278eb9012 100644
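Review bot: `selection2` and `selection4` match `'-l'` and `'-e'` as bare substrings of `CommandLine`, so any argument that merely contains those two characters (`--list`, `-lrt`, `--exclude`) satisfies them; padding the tokens with spaces, `' -l '` and `' -e '`, as the PATCH 4/8 hunk later does, pins them to standalone flags. The `Image` selection is removed without a replacement, so the rule now keys on `CommandLine` alone; that is defensible given the `eval` plus `NSData.dataWithContentsOfURL` requirement, but the description should say the rule targets inline `-e` payloads rather than JXA execution in general.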
--- a/rules/macos/process_creation/proc_creation_macos_jxa_in-memory_execution.yml
+++ b/rules/macos/process_creation/proc_creation_macos_jxa_in-memory_execution.yml
@@ -1,36 +1,36 @@
-title: JXA in-memory execution
+title: JXA In-memory Execution Via OSAScript
 id: f1408a58-0e94-4165-b80a-da9f96cf6fc3
+related:
+ - id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55
+ type: derived
+status: experimental
 description: Detects possible malicious execution of JXA in-memory via OSAScript
-date: 2023/01/31
-author: Sohan G (D4rkCiph3r)
-status: experimental
 references:
 - https://redcanary.com/blog/applescript/
-logsource:
- product: macos
- category: process_creation
-detection:
- selection1:
- CommandLine|contains:
- - 'osascript'
- selection2:
- CommandLine|contains|all:
- - '-l'
- - 'JavaScript'
- selection3:
- CommandLine|contains: '.js'
- selection4:
- CommandLine|contains|all:
- - '-e'
- - 'eval'
- - 'NSData.dataWithContentsOfURL'
- condition: selection1 and (selection2 or selection3) and selection4
-fields:
- - CommandLine
-falsepositives:
- - Unknown
-level: high
-tags:
+author: Sohan G (D4rkCiph3r)
+date: 2023/01/31
+tags:
 - attack.t1059.002
 - attack.t1059.007
 - attack.execution
+logsource:
+ product: macos
+ category: process_creation
+detection:
+ selection_main:
+ CommandLine|contains|all:
+ - 'osascript'
+ - ' -e '
+ - 'eval'
+ - 'NSData.dataWithContentsOfURL'
+ selection_js:
+ - CommandLine|contains|all:
+ - ' -l '
+ - 'JavaScript'
+ - CommandLine|contains: '.js'
+ condition: all of selection_*
+fields:
+ - CommandLine
+falsepositives:
+ - Unknown
+level: high
From 4006145b8d755fedd4f14a35f7c2a4991783abb0 Mon Sep 17 00:00:00 2001
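Review bot: `selection_js` offers `'.js'` as an alternative to `' -l '` plus `'JavaScript'`, but `selection_main` still requires `' -e '`, `'eval'` and `'NSData.dataWithContentsOfURL'` in the same `CommandLine`; when the JXA code is passed as a `.js` file those strings sit inside the file rather than on the command line, so the `.js` branch can only fire when an inline `-e` payload is present as well, which leaves it close to dead. Either state in the description that the rule covers inline `-e` payloads only, or move the file-based case into its own rule. The `related` entry is a bare id; a trailing `# <related rule title>` comment would help maintainers see what `1bc2e6c5-...` points to.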
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 31 Jan 2023 12:53:04 +0100
Subject: [PATCH 5/8] fix: filename
---
 ...cution.yml => proc_creation_macos_jxa_in_memory_execution.yml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename rules/macos/process_creation/{proc_creation_macos_jxa_in-memory_execution.yml => proc_creation_macos_jxa_in_memory_execution.yml} (100%)
diff --git a/rules/macos/process_creation/proc_creation_macos_jxa_in-memory_execution.yml b/rules/macos/process_creation/proc_creation_macos_jxa_in_memory_execution.yml
similarity index 100%
rename from rules/macos/process_creation/proc_creation_macos_jxa_in-memory_execution.yml
rename to rules/macos/process_creation/proc_creation_macos_jxa_in_memory_execution.yml
From 98250cba9c85998ddb1e2ab0dbdac374415afc3a Mon Sep 17 00:00:00 2001
From: D4rkCiph3r <102921060+D4rkCiph3r@users.noreply.github.com>
Date: Tue, 31 Jan 2023 17:23:24 +0530
Subject: [PATCH 6/8] Create proc_creation_macos_jxa_payoad_execution.yml
---
 ...oc_creation_macos_jxa_payoad_execution.yml | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 rules/macos/process_creation/proc_creation_macos_jxa_payoad_execution.yml
diff --git a/rules/macos/process_creation/proc_creation_macos_jxa_payoad_execution.yml b/rules/macos/process_creation/proc_creation_macos_jxa_payoad_execution.yml
new file mode 100644
index 000000000..5ab6147ec
--- /dev/null
+++ b/rules/macos/process_creation/proc_creation_macos_jxa_payoad_execution.yml
@@ -0,0 +1,26 @@
+title: JXA Payload Execution via OSAScript
+id: f0496233-6b00-430a-944b-5029006a796e
+description: Detects malicious JXA payload executions via OSAScript
+date: 2023/01/31
+author: Sohan G (D4rkCiph3r)
+status: experimental
+references:
+ - https://redcanary.com/blog/applescript/
+logsource:
+ product: macos
+ category: process_creation
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'osascript'
+ - '.js'
+ condition: selection
+fields:
+ - CommandLine
+falsepositives:
+ - Few applications might contain scripts
+level: medium
+tags:
+ - attack.t1059.002
+ - attack.t1059.007
+ - attack.execution
From 21ac747d363e150d7862538238ab0094393488ad Mon Sep 17 00:00:00 2001
From: D4rkCiph3r <102921060+D4rkCiph3r@users.noreply.github.com>
Date: Tue, 31 Jan 2023 17:35:27 +0530
Subject: [PATCH 7/8] Update proc_creation_macos_jxa_payoad_execution.yml
updated the formats wrt fields structuring
---
 ...oc_creation_macos_jxa_payoad_execution.yml | 37 ++++++++++---------
 1 file changed, 20 insertions(+), 17 deletions(-)
diff --git a/rules/macos/process_creation/proc_creation_macos_jxa_payoad_execution.yml b/rules/macos/process_creation/proc_creation_macos_jxa_payoad_execution.yml
index 5ab6147ec..fa998b05f 100644
--- a/rules/macos/process_creation/proc_creation_macos_jxa_payoad_execution.yml
+++ b/rules/macos/process_creation/proc_creation_macos_jxa_payoad_execution.yml
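Review bot: `'.js'` under `CommandLine|contains|all` is a bare substring, so it also matches `.json`, `.jsx` and any path or URL that happens to contain `.js`, and with only `'osascript'` as the second term the rule fires on every legitimate JXA script invocation — which the `falsepositives` entry itself concedes, making `level: medium` read high. An anchored form such as `CommandLine|endswith: '.js'` (or `'.js '` for a non-final argument) would keep the intent without the `.json` hits. The filename `proc_creation_macos_jxa_payoad_execution.yml` misspells `payload` and is carried unchanged through the rest of the series.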
@@ -1,26 +1,29 @@
-title: JXA Payload Execution via OSAScript
+title: JXA In-memory Execution Via OSAScript
 id: f0496233-6b00-430a-944b-5029006a796e
-description: Detects malicious JXA payload executions via OSAScript
-date: 2023/01/31
-author: Sohan G (D4rkCiph3r)
-status: experimental
+related:
+ - id: f1408a58-0e94-4165-b80a-da9f96cf6fc3
+ type: derived
+status: experimental
+description: Detects possible malicious execution of JXA in-memory via OSAScript
 references:
 - https://redcanary.com/blog/applescript/
-logsource:
- product: macos
- category: process_creation
+author: Sohan G (D4rkCiph3r)
+date: 2023/01/31
+tags:
+ - attack.t1059.002
+ - attack.t1059.007
+ - attack.execution
+logsource:
+ product: macos
+ category: process_creation
 detection:
 selection:
 CommandLine|contains|all:
 - 'osascript'
 - '.js'
 condition: selection
-fields:
- - CommandLine
-falsepositives:
- - Few applications might contain scripts
-level: medium
-tags:
- - attack.t1059.002
- - attack.t1059.007
- - attack.execution
+fields:
+ - CommandLine
+falsepositives:
+ - Unknown
+level: medium
From 9ad58353a76ab97be459bd9371a67cd3e814c3d1 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Wed, 1 Feb 2023 18:30:45 +0100
Subject: [PATCH 8/8] Update from review
---
 .../proc_creation_macos_applescript.yml | 3 +-
 ...oc_creation_macos_jxa_payoad_execution.yml | 29 -------------------
 2 files changed, 2 insertions(+), 30 deletions(-)
 delete mode 100644 rules/macos/process_creation/proc_creation_macos_jxa_payoad_execution.yml
diff --git a/rules/macos/process_creation/proc_creation_macos_applescript.yml b/rules/macos/process_creation/proc_creation_macos_applescript.yml
index 49c494112..a12eeeaa6 100644
--- a/rules/macos/process_creation/proc_creation_macos_applescript.yml
+++ b/rules/macos/process_creation/proc_creation_macos_applescript.yml
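Review bot: The new `title` and `description` are copied verbatim from the sibling rule in this series (`JXA In-memory Execution Via OSAScript`, id `f1408a58-...`), yet this rule's detection is only `'osascript'` plus `'.js'` and carries no in-memory indicator, so both fields now misdescribe what triggers; keep a title along the lines of the original `JXA Payload Execution via OSAScript` with a matching description. The `falsepositives` entry is also downgraded from the concrete `Few applications might contain scripts` to `Unknown`, which discards information a triage analyst needs. The `related` link with `type: derived` is the useful part of this change and should stay.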
@@ -7,7 +7,7 @@ references:
 - https://redcanary.com/blog/applescript/
 author: Alejandro Ortuno, oscd.community
 date: 2020/10/21
-modified: 2023/01/31
+modified: 2023/02/01
 tags:
 - attack.execution
 - attack.t1059.002
@@ -20,6 +20,7 @@ detection:
 CommandLine|contains:
 - ' -e '
 - '.scpt'
+ - '.js'
 condition: selection
 falsepositives:
 - Application installers might contain scripts as part of the installation process.
diff --git a/rules/macos/process_creation/proc_creation_macos_jxa_payoad_execution.yml b/rules/macos/process_creation/proc_creation_macos_jxa_payoad_execution.yml
deleted file mode 100644
index fa998b05f..000000000
--- a/rules/macos/process_creation/proc_creation_macos_jxa_payoad_execution.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-title: JXA In-memory Execution Via OSAScript
-id: f0496233-6b00-430a-944b-5029006a796e
-related:
- - id: f1408a58-0e94-4165-b80a-da9f96cf6fc3
- type: derived
-status: experimental
-description: Detects possible malicious execution of JXA in-memory via OSAScript
-references:
- - https://redcanary.com/blog/applescript/
-author: Sohan G (D4rkCiph3r)
-date: 2023/01/31
-tags:
- - attack.t1059.002
- - attack.t1059.007
- - attack.execution
-logsource:
- product: macos
- category: process_creation
-detection:
- selection:
- CommandLine|contains|all:
- - 'osascript'
- - '.js'
- condition: selection
-fields:
- - CommandLine
-falsepositives:
- - Unknown
-level: medium
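Review bot: The `'.js'` entry added to `CommandLine|contains` in the second hunk is a bare substring, so next to the anchored `' -e '` and the full `'.scpt'` extension it also matches `.json`, `.jsx` and any path containing `.js`; an anchored form (`'.js '`, or a separate `CommandLine|endswith: '.js'` selection OR-ed into `condition`) would preserve the rule's existing precision. The `tags` visible in the first hunk stop at `attack.t1059.002` (AppleScript); if `attack.t1059.007` is not already present below the hunk, it should be added now that the rule covers JXA as well. The enclosing `detection` and `tags` blocks both start outside these hunks.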