OSACompile Run-Only Execution

Rule Info

Name
OSACompile Run-Only Execution
Author
Sohan G (D4rkCiph3r)
Description
Detects potential suspicious run-only executions compiled using OSACompile
Reference
https://redcanary.com/blog/applescript/
Date
2023-01-31 00:00:00
Modified
None
Id
b9d9b652-d8ed-4697-89a2-a1186ee680ac
Tags
attack.t1059.002 attack.execution DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=b9d9b652-d8ed-4697-89a2-a1186ee680ac

Rule History

Author
Title
Date
Commit
github-actions[bot]
Merge PR #4611 from @nasbench - Promote Older Rules Status From `experimental` To `test`
2023-12-01
ae960f088
Nasreddine Bencherchali
fix: add ref and update description
2023-02-01
d8b17f1d9
frack113
fix title case
2023-02-01
cd58c1bae
D4rkCiph3r
Update and rename proc_creation_macos_osacompile_run-only_execution.yml to proc_creation_macos_osacompile_runonly_execution.yml
2023-01-31
ce577987a
D4rkCiph3r
Create proc_creation_macos_osacompile_run-only_execution.yml
2023-01-31
440649b08
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022