sigma | medium | Hunting

Suspicious Execution via macOS Script Editor

Detects when the macOS Script Editor utility spawns an unusual child process.

MITRE ATT&CK

initial-access, execution, persistence, defense-evasion

Detection Query

selection_parent:
  ParentImage|endswith: /Script Editor
selection_img:
  - Image|endswith:
      - /curl
      - /bash
      - /sh
      - /zsh
      - /dash
      - /fish
      - /osascript
      - /mktemp
      - /chmod
      - /php
      - /nohup
      - /openssl
      - /plutil
      - /PlistBuddy
      - /xattr
      - /sqlite
      - /funzip
      - /popen
  - Image|contains:
      - python
      - perl
condition: all of selection_*

Author

Tim Rauch (rule), Elastic (idea)

Created

2022-10-21

Data Sources

macos: Process Creation Events

Platforms

macos

Tags

attack.t1566, attack.t1566.002, attack.initial-access, attack.t1059, attack.t1059.002, attack.t1204, attack.t1204.001, attack.execution, attack.persistence, attack.t1553, attack.defense-evasion
Raw Content
title: Suspicious Execution via macOS Script Editor
id: 6e4dcdd1-e48b-42f7-b2d8-3b413fc58cb4
status: test
description: Detects when the macOS Script Editor utility spawns an unusual child process.
author: Tim Rauch (rule), Elastic (idea)
references:
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685
    - https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/
date: 2022-10-21
modified: 2022-12-28
logsource:
    category: process_creation
    product: macos
tags:
    - attack.t1566
    - attack.t1566.002
    - attack.initial-access
    - attack.t1059
    - attack.t1059.002
    - attack.t1204
    - attack.t1204.001
    - attack.execution
    - attack.persistence
    - attack.t1553
    - attack.defense-evasion
detection:
    selection_parent:
        ParentImage|endswith: '/Script Editor'
    selection_img:
        - Image|endswith:
              - '/curl'
              - '/bash'
              - '/sh'
              - '/zsh'
              - '/dash'
              - '/fish'
              - '/osascript'
              - '/mktemp'
              - '/chmod'
              - '/php'
              - '/nohup'
              - '/openssl'
              - '/plutil'
              - '/PlistBuddy'
              - '/xattr'
              - '/sqlite'
              - '/funzip'
              - '/popen'
        - Image|contains:
              - 'python'
              - 'perl'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
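The detection block above, re-implemented as an added example (this is not the rule's own code or a Sigma backend): Sigma's selection semantics are applied to constructed macOS process_creation events so the OR/AND structure and the endswith/contains distinction can be seen on concrete paths. The Script Editor and Terminal binary locations used in the sample events are assumed.

```python
"""Evaluate the rule's detection logic over constructed macOS
process_creation events (added example, not the rule's own code)."""

# Values copied from the rule's detection block
PARENT_SUFFIX = "/Script Editor"
IMAGE_SUFFIXES = ["/curl", "/bash", "/sh", "/zsh", "/dash", "/fish",
                  "/osascript", "/mktemp", "/chmod", "/php", "/nohup",
                  "/openssl", "/plutil", "/PlistBuddy", "/xattr",
                  "/sqlite", "/funzip", "/popen"]
IMAGE_SUBSTRINGS = ["python", "perl"]


def _lc(value):
    # Sigma string matching is case-insensitive unless |cased is used
    return (value or "").lower()


def selection_parent(event):
    """ParentImage|endswith: '/Script Editor'."""
    return _lc(event.get("ParentImage")).endswith(PARENT_SUFFIX.lower())


def selection_img(event):
    """Two maps in a list are OR-ed; the values of one field are OR-ed."""
    image = _lc(event.get("Image"))
    return (any(image.endswith(s.lower()) for s in IMAGE_SUFFIXES)
            or any(s in image for s in IMAGE_SUBSTRINGS))


def matches(event):
    """condition: all of selection_* -> both selections must hold."""
    return selection_parent(event) and selection_img(event)


# Constructed sample events (not real telemetry); the app bundle paths are
# assumed locations of the utilities on a current macOS release.
SCRIPT_EDITOR = ("/System/Applications/Utilities/Script Editor.app"
                 "/Contents/MacOS/Script Editor")
TERMINAL = "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"
EVENTS = [
    {"id": 1, "ParentImage": SCRIPT_EDITOR, "Image": "/usr/bin/curl"},
    {"id": 2, "ParentImage": SCRIPT_EDITOR, "Image": "/usr/bin/python3"},
    {"id": 3, "ParentImage": SCRIPT_EDITOR, "Image": "/usr/bin/open"},
    {"id": 4, "ParentImage": TERMINAL, "Image": "/bin/zsh"},
    {"id": 5, "ParentImage": SCRIPT_EDITOR, "Image": "/usr/bin/ssh"},
]


def alert_ids(events=EVENTS):
    """Return the ids of the events the rule would alert on."""
    return [e["id"] for e in events if matches(e)]


if __name__ == "__main__":
    print(alert_ids())  # [1, 2]
```

Event 2 is caught only by the `contains` clause (python3 is not in the `endswith` list), while event 5 shows that `endswith: '/sh'` does not fire on `/usr/bin/ssh`; event 4 has a listed child but the wrong parent, so `all of selection_*` fails.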