2022-09-08 12:50:39 -04:00
|
|
|
# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
|
|
|
|
# or more contributor license agreements. Licensed under the Elastic License
|
|
|
|
|
# 2.0; you may not use this file except in compliance with the Elastic License
|
|
|
|
|
# 2.0.
|
|
|
|
|
|
|
|
|
|
from . import common
|
|
|
|
|
from . import RtaMetadata
|
|
|
|
|
from time import sleep
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
metadata = RtaMetadata(
|
|
|
|
|
uuid="9332cece-38b7-49e1-9f8d-e879913ffdfb",
|
|
|
|
|
platforms=["macos"],
|
|
|
|
|
endpoint=[
|
|
|
|
|
{"rule_name": "Download and Execution of JavaScript Payload", "rule_id": "871f0c30-a7c5-40a5-80e3-a50c6714632f"}
|
|
|
|
|
],
|
|
|
|
|
siem=[],
|
|
|
|
|
techniques=["T1059"],
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
2023-10-03 10:47:58 -04:00
|
|
|
@common.requires_os(*metadata.platforms)
|
2022-09-08 12:50:39 -04:00
|
|
|
def main():
|
|
|
|
|
# Setup web server
|
|
|
|
|
common.serve_web()
|
|
|
|
|
|
|
|
|
|
common.log("Executing commands to download and execute JavaScript payload")
|
|
|
|
|
common.execute(["curl", "http://127.0.0.1:8000/payload.js"], shell=True)
|
|
|
|
|
sleep(1)
|
|
|
|
|
common.execute(["osascript", "-l", "JavaScript", "&"], shell=True)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if __name__ == "__main__":
|
|
|
|
|
exit(main())
|
