JXA In-memory Execution Via OSAScript

Rule Info

Name
JXA In-memory Execution Via OSAScript
Author
Sohan G (D4rkCiph3r)
Description
Detects possible malicious execution of JXA in-memory via OSAScript
Reference
https://redcanary.com/blog/applescript/
Date
2023-01-31 00:00:00
Modified
None
Id
f1408a58-0e94-4165-b80a-da9f96cf6fc3
Tags
attack.t1059.002 attack.t1059.007 attack.execution DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=f1408a58-0e94-4165-b80a-da9f96cf6fc3

Rule History

Author
Title
Date
Commit
github-actions[bot]
Merge PR #4611 from @nasbench - Promote Older Rules Status From `experimental` To `test`
2023-12-01
ae960f088
Nasreddine Bencherchali
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18
95793d73b
Nasreddine Bencherchali
fix: filename
2023-01-31
4006145b8
Nasreddine Bencherchali
fix: order fields and optimize selection
2023-01-31
eb26d94c1
D4rkCiph3r
Update proc_creation_macos_jxa_in-memory_execution.yml
2023-01-31
f67072fdd
D4rkCiph3r
Update proc_creation_macos_jxa_in-memory_execution.yml
2023-01-31
87879f69c
D4rkCiph3r
Create proc_creation_macos_jxa_in-memory_execution.yml
2023-01-31
aa3fa9b7e
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022