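[metadata]
creation_date = "2020/12/07"
maturity = "production"
# NOTE(review): bump this when the ATT&CK sub-technique mapping added below lands.
updated_date = "2021/06/22"

[rule]
author = ["Elastic"]
description = """
Identifies the execution of the shell process (sh) via scripting (JXA or AppleScript). Adversaries may use the
doShellScript functionality in JXA or do shell script in AppleScript to execute system commands.
"""
# Lookback window for each rule run; kept wider than the sequence maxspan below so both
# stages of the sequence can fall inside a single run's query window.
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Shell Execution via Apple Scripting"
references = [
    "https://developer.apple.com/library/archive/technotes/tn2065/_index.html",
    "https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf",
]
risk_score = 47
rule_id = "d461fac0-43e8-49e2-85ea-3a58fe120b4f"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Execution"]
type = "eql"
# Two-stage sequence joined per host: an osascript process (stage 1, keyed on its pid)
# followed within 5s by a child `sh -c` (stage 2, keyed on the child's parent pid).
# "info" is accepted only in stage 1 so an osascript process that was already running when
# it was enumerated can still anchor the match — presumably; confirm against the event.type
# semantics of the endpoint data source in use. Per TN2065 (see references) `do shell script`
# runs its command through /bin/sh, which is why the child is pinned to `sh` with `-c`.
# Legitimate automation that uses `do shell script` will match as well; if this proves noisy
# on a given fleet, tune with exclusions on process.args rather than widening maxspan.
query = '''
sequence by host.id with maxspan=5s
[process where event.type in ("start", "process_started", "info") and process.name == "osascript"] by process.pid
[process where event.type in ("start", "process_started") and process.name == "sh" and process.args == "-c"] by process.parent.pid
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
# The description names both scripting languages the rule covers; map their ATT&CK
# sub-techniques explicitly instead of only the parent technique.
[[rule.threat.technique.subtechnique]]
id = "T1059.002"
name = "AppleScript"
reference = "https://attack.mitre.org/techniques/T1059/002/"

[[rule.threat.technique.subtechnique]]
id = "T1059.007"
name = "JavaScript"
reference = "https://attack.mitre.org/techniques/T1059/007/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"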