From 44ae72d054bbe581a70eff6626ecfb2e06ebacf8 Mon Sep 17 00:00:00 2001
From: Mika Ayenson
Date: Fri, 22 Jul 2022 16:50:45 -0400
Subject: [PATCH] [Rule Tuning] Suspicious Automator Workflows Execution (#2142)

* add subtechnique

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---
 ...tion_scripting_osascript_exec_followed_by_netcon.toml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
index 626651d96..64d39eea8 100644
--- a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
+++ b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/07"
 maturity = "production"
-updated_date = "2021/05/26"
+updated_date = "2022/07/21"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ license = "Elastic License v2"
 name = "Apple Script Execution followed by Network Connection"
 references = [
     "https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html",
-    "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+    "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml",
 ]
 risk_score = 47
 rule_id = "47f76567-d58a-4fed-b32b-21f571e28910"
@@ -42,6 +42,11 @@ framework = "MITRE ATT&CK"
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.002"
+name = "AppleScript"
+reference = "https://attack.mitre.org/techniques/T1059/002/"
+
 [rule.threat.tactic]