Create proc_creation_macos_osacompile_run-only_execution.yml

SigmaHQ · Jan 31, 2023 · 440649b · 440649b
1 parent 9e51af5
commit 440649b
Showing 1 changed file with 26 additions and 0 deletions.
diff --git a/rules/macos/process_creation/proc_creation_macos_osacompile_run-only_execution.yml b/rules/macos/process_creation/proc_creation_macos_osacompile_run-only_execution.yml
@@ -0,0 +1,26 @@
+title: OSACompile run-only execution
+id: b9d9b652-d8ed-4697-89a2-a1186ee680ac
+status: experimental
+description: Detects possible malicious run-only executions compiled using OSACompile 
+references:
+    - https://redcanary.com/blog/applescript/
+author: Sohan G (D4rkCiph3r)
+date: 2023/01/31
+tags:
+    - attack.t1059.002
+    - attack.execution
+logsource:
+    product: macos
+    category: process_creation
+detection:
+    selection:
+        CommandLine|contains|all:
+            - 'osacompile'
+            - ' -x '
+            - ' -e '
+    condition: selection
+fields:
+    - CommandLine
+falsepositives:
+    - Unknown
+level: high