
Summary
This detection rule, authored by Elastic, identifies shell process executions on macOS that are triggered through scripting languages such as JXA (JavaScript for Automation) or AppleScript. These languages let adversaries run system commands through functions such as `doShellScript`. The rule monitors process events for `osascript` invoked with `-e` arguments, which strongly suggests inline (and possibly unauthorized) script execution. Its detection logic is a sequence query that correlates an `osascript` process with a shell interpreter it spawns (such as `sh`, `bash` or `zsh`), so that potentially malicious scripted actions can be surfaced.
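As an illustration of the sequence logic described above, the following is an added Python example, not Elastic's rule or its query language: it correlates constructed process events so that an `osascript` process carrying a `-e` argument is paired with a shell child whose parent pid matches it. The event field names (`ts`, `pid`, `ppid`, `name`, `args`), the five-second correlation window and the sample events are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Shell interpreters the sequence pairs with an inline osascript parent.
SHELLS = {"sh", "bash", "zsh"}


@dataclass
class ProcessEvent:
    """Minimal process-start event; field names are this example's own, not ECS."""
    ts: float        # event time in seconds
    pid: int
    ppid: int
    name: str        # process name
    args: List[str]  # full argument vector


def is_inline_osascript(ev: ProcessEvent) -> bool:
    """True when osascript was launched with an inline script via -e."""
    return ev.name == "osascript" and "-e" in ev.args


def find_osascript_shell_sequences(
    events: List[ProcessEvent], max_span: float = 5.0
) -> List[Tuple[ProcessEvent, ProcessEvent]]:
    """Return (osascript_event, shell_event) pairs where the shell is a direct
    child of an inline osascript process and started within max_span seconds."""
    inline_parents: Dict[int, ProcessEvent] = {}
    hits: List[Tuple[ProcessEvent, ProcessEvent]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if is_inline_osascript(ev):
            inline_parents[ev.pid] = ev
            continue
        parent = inline_parents.get(ev.ppid)
        if ev.name in SHELLS and parent is not None:
            if 0 <= ev.ts - parent.ts <= max_span:
                hits.append((parent, ev))
    return hits


# Constructed sample events: one inline osascript -> sh chain (should alert),
# one file-based osascript -> sh chain (no -e, should not alert), and one
# shell whose parent is not osascript at all (should not alert).
SAMPLE_EVENTS = [
    ProcessEvent(1.0, 300, 1, "osascript",
                 ["osascript", "-e", 'do shell script "echo hi"']),
    ProcessEvent(1.2, 301, 300, "sh", ["sh", "-c", "echo hi"]),
    ProcessEvent(2.0, 400, 1, "osascript",
                 ["osascript", "/Users/demo/backup.scpt"]),
    ProcessEvent(2.1, 401, 400, "sh", ["sh", "-c", "echo backup"]),
    ProcessEvent(3.0, 500, 250, "bash", ["bash", "-c", "ls"]),
]


if __name__ == "__main__":
    for parent, child in find_osascript_shell_sequences(SAMPLE_EVENTS):
        print(f"ALERT: osascript pid={parent.pid} args={parent.args!r} "
              f"spawned {child.name} pid={child.pid} args={child.args!r}")
```

Only the first chain fires: the second `osascript` runs a script file rather than an inline `-e` body, and the `bash` process has no `osascript` parent. Tuning the window and the `-e` check is where a real deployment trades false positives (legitimate automation) against coverage.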
Categories
- macOS
- Endpoint
Data Sources
- Process
- Application Log
- File
- User Account
ATT&CK Techniques
- T1059
Created: 2020-12-07