From b8243f3739f91cbad1be865d1226cceb08d6afd2 Mon Sep 17 00:00:00 2001 From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Tue, 8 Dec 2020 11:45:39 +0100 Subject: [PATCH] [New Rule] Shell Execution via Apple Scripting (#687) * [New Rule] Shell Execution via Apple Scripting * fixed description and relinted * added extra ref url * references url * Update rules/macos/execution_shell_execution_via_apple_scripting.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/execution_shell_execution_via_apple_scripting.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/execution_shell_execution_via_apple_scripting.toml Co-authored-by: Justin Ibarra Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra --- ...n_shell_execution_via_apple_scripting.toml | 45 +++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 rules/macos/execution_shell_execution_via_apple_scripting.toml diff --git a/rules/macos/execution_shell_execution_via_apple_scripting.toml b/rules/macos/execution_shell_execution_via_apple_scripting.toml new file mode 100644 index 000000000..6ab511048 --- /dev/null +++ b/rules/macos/execution_shell_execution_via_apple_scripting.toml @@ -0,0 +1,45 @@ +[metadata] +creation_date = "2020/12/07" +maturity = "production" +updated_date = "2020/12/07" + +[rule] +author = ["Elastic"] +description = """ +Identifies the execution of the shell process (sh) via scripting (JXA or AppleScript). Adversaries may use +the doShellScript functionality in JXA or do shell script in AppleScript to execute system commands. +""" +from = "now-9m" +index = ["auditbeat-*", "logs-endpoint.events.*"] +language = "eql" +license = "Elastic License" +name = "Shell Execution via Apple Scripting" +references = [ + "https://developer.apple.com/library/archive/technotes/tn2065/_index.html", + "https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf", +] +risk_score = 47 +rule_id = "d461fac0-43e8-49e2-85ea-3a58fe120b4f" +severity = "medium" +tags = ["Elastic", "Host", "macOS", "Threat Detection", "Execution"] +type = "eql" + +query = ''' +sequence by host.id with maxspan=5s + [process where event.type in ("start", "process_started", "info") and process.name == "osascript"] by process.pid + [process where event.type in ("start", "process_started") and process.name == "sh" and process.args == "-c"] by process.ppid +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/"