security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3ab57fb8a7ff8885bca46cab3c7d7e3d13dcb852
sigma-rules/rules/macos/execution_shell_execution_via_apple_scripting.toml
T
Jonhnathan 4233fef238 [Security Content] Include "Data Source: Elastic Defend" tag (#3002) 
* win folder

* Other folders

* Update test_all_rules.py

* .

* updated missing elastic defend tags

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
2023-09-05 14:22:01 -04:00

50 lines
1.6 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2020/12/07"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
description = """
Identifies the execution of the shell process (sh) via scripting (JXA or AppleScript). Adversaries may use the
doShellScript functionality in JXA or do shell script in AppleScript to execute system commands.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Shell Execution via Apple Scripting"
references = [
"https://developer.apple.com/library/archive/technotes/tn2065/_index.html",
"https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf",
]
risk_score = 47
rule_id = "d461fac0-43e8-49e2-85ea-3a58fe120b4f"
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
type = "eql"
query = '''
sequence by host.id with maxspan=5s
[process where host.os.type == "macos" and event.type in ("start", "process_started", "info") and process.name == "osascript"] by process.pid
[process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name == "sh" and process.args == "-c"] by process.parent.pid
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
Reference in New Issue View Git Blame Copy Permalink