rules/macos/execution_shell_execution_via_apple_scripting.toml

[metadata]
creation_date = "2020/12/07"
maturity = "production"
updated_date = "2021/06/22"

[rule]
author = ["Elastic"]
description = """
Identifies the execution of the shell process (sh) via scripting (JXA or AppleScript). Adversaries may use the
doShellScript functionality in JXA or do shell script in AppleScript to execute system commands.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Shell Execution via Apple Scripting"
references = [
    "https://developer.apple.com/library/archive/technotes/tn2065/_index.html",
    "https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf",
]
risk_score = 47
rule_id = "d461fac0-43e8-49e2-85ea-3a58fe120b4f"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Execution"]
type = "eql"

query = '''
sequence by host.id with maxspan=5s
 [process where event.type in ("start", "process_started", "info") and process.name == "osascript"] by process.pid
 [process where event.type in ("start", "process_started") and process.name == "sh" and process.args == "-c"] by process.parent.pid
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[New Rule] Shell Execution via Apple Scripting (#687 ) 2020-12-08 11:45:39 +01:00			`[metadata]`
			`creation_date = "2020/12/07"`
			`maturity = "production"`
Switch from process.ppid to process.parent.pid (#1255 ) 2021-06-22 09:10:28 -06:00			`updated_date = "2021/06/22"`
[New Rule] Shell Execution via Apple Scripting (#687 ) 2020-12-08 11:45:39 +01:00
			`[rule]`
			`author = ["Elastic"]`
			`description = """`
Update License to Elastic v2 (#944 ) 2021-03-03 22:12:11 -09:00			`Identifies the execution of the shell process (sh) via scripting (JXA or AppleScript). Adversaries may use the`
			`doShellScript functionality in JXA or do shell script in AppleScript to execute system commands.`
[New Rule] Shell Execution via Apple Scripting (#687 ) 2020-12-08 11:45:39 +01:00			`"""`
			`from = "now-9m"`
			`index = ["auditbeat-", "logs-endpoint.events."]`
			`language = "eql"`
Update License to Elastic v2 (#944 ) 2021-03-03 22:12:11 -09:00			`license = "Elastic License v2"`
[New Rule] Shell Execution via Apple Scripting (#687 ) 2020-12-08 11:45:39 +01:00			`name = "Shell Execution via Apple Scripting"`
			`references = [`
			`"https://developer.apple.com/library/archive/technotes/tn2065/_index.html",`
			`"https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf",`
			`]`
			`risk_score = 47`
			`rule_id = "d461fac0-43e8-49e2-85ea-3a58fe120b4f"`
			`severity = "medium"`
			`tags = ["Elastic", "Host", "macOS", "Threat Detection", "Execution"]`
			`type = "eql"`

			`query = '''`
			`sequence by host.id with maxspan=5s`
			`[process where event.type in ("start", "process_started", "info") and process.name == "osascript"] by process.pid`
Switch from process.ppid to process.parent.pid (#1255 ) 2021-06-22 09:10:28 -06:00			`[process where event.type in ("start", "process_started") and process.name == "sh" and process.args == "-c"] by process.parent.pid`
[New Rule] Shell Execution via Apple Scripting (#687 ) 2020-12-08 11:45:39 +01:00			`'''`


			`[[rule.threat]]`
			`framework = "MITRE ATT&CK"`
			`[[rule.threat.technique]]`
			`id = "T1059"`
			`name = "Command and Scripting Interpreter"`
			`reference = "https://attack.mitre.org/techniques/T1059/"`


			`[rule.threat.tactic]`
			`id = "TA0002"`
			`name = "Execution"`
			`reference = "https://attack.mitre.org/tactics/TA0002/"`
Update License to Elastic v2 (#944 ) 2021-03-03 22:12:11 -09:00