security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
59da2da4740da52df15ce11139150b61cd57f9e1
sigma-rules/rules/macos/execution_shell_execution_via_apple_scripting.toml
T
Justin Ibarra 59da2da474 [Rule Tuning] Ensure host information is in endpoint rule queries (#2593) 
* add unit tests to ensure host type and platform are included
* add host.os.name 'linux' to all linux rules
* add host.os.name macos to mac rules
* add host.os.name to windows rules; fix linux dates
* update from host.os.name to host.os.type

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-03-05 11:41:19 -07:00

50 lines
1.6 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2020/12/07"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
description = """
Identifies the execution of the shell process (sh) via scripting (JXA or AppleScript). Adversaries may use the
doShellScript functionality in JXA or do shell script in AppleScript to execute system commands.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Shell Execution via Apple Scripting"
references = [
"https://developer.apple.com/library/archive/technotes/tn2065/_index.html",
"https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf",
]
risk_score = 47
rule_id = "d461fac0-43e8-49e2-85ea-3a58fe120b4f"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Execution"]
type = "eql"
query = '''
sequence by host.id with maxspan=5s
[process where host.os.type == "macos" and event.type in ("start", "process_started", "info") and process.name == "osascript"] by process.pid
[process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name == "sh" and process.args == "-c"] by process.parent.pid
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
Reference in New Issue View Git Blame Copy Permalink