security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] Shell Execution via Apple Scripting (#687)

Browse Source 
* [New Rule] Shell Execution via Apple Scripting

* fixed description and relinted

* added extra ref url

* references url

* Update rules/macos/execution_shell_execution_via_apple_scripting.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/execution_shell_execution_via_apple_scripting.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/execution_shell_execution_via_apple_scripting.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
This commit is contained in:
Samirbous
2020-12-08 11:45:39 +01:00
committed by GitHub
parent 3f8a7573f7
commit b8243f3739
1 changed files with 45 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/macos/execution_shell_execution_via_apple_scripting.toml
+45
View File
@@ -0,0 +1,45 @@
[metadata]
creation_date = "2020/12/07"
maturity = "production"
updated_date = "2020/12/07"
[rule]
author = ["Elastic"]
description = """
Identifies the execution of the shell process (sh) via scripting (JXA or AppleScript). Adversaries may use
the doShellScript functionality in JXA or do shell script in AppleScript to execute system commands.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "eql"
license = "Elastic License"
name = "Shell Execution via Apple Scripting"
references = [
"https://developer.apple.com/library/archive/technotes/tn2065/_index.html",
"https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf",
]
risk_score = 47
rule_id = "d461fac0-43e8-49e2-85ea-3a58fe120b4f"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Execution"]
type = "eql"
query = '''
sequence by host.id with maxspan=5s
[process where event.type in ("start", "process_started", "info") and process.name == "osascript"] by process.pid
[process where event.type in ("start", "process_started") and process.name == "sh" and process.args == "-c"] by process.ppid
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"