Detectionhightest

OSACompile Run-Only Execution

Detects potential suspicious run-only executions compiled using OSACompile

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Sohan G (D4rkCiph3r)Created Tue Jan 31b9d9b652-d8ed-4697-89a2-a1186ee680acmacos

Log Source

macOSProcess Creation

ProductmacOS← raw: macos

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        CommandLine|contains|all:
            - 'osacompile'
            - ' -x '
            - ' -e '
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

TA0002 · Execution

Sub-techniques

T1059.002 · AppleScript

Rule Metadata

Rule ID

b9d9b652-d8ed-4697-89a2-a1186ee680ac

Status

test

Level

high

Type

Detection

Created

Tue Jan 31

Author

Sohan G (D4rkCiph3r)

Path

rules/macos/process_creation/proc_creation_macos_osacompile_runonly_execution.yml

Raw Tags

attack.t1059.002attack.execution

View on GitHub