osascript is a native macOS binary that executes OSA language scripts - AppleScript and JavaScript (JXA). A script can be supplied as a file argument or piped via standard input, and it may be plain text or a compiled script. An adversary may use osascript for C2 communication or post-exploitation objectives.
This query detects any instance of osascript making a network connection.
Adversaries may use this technique for C2 comms via HTTP or HTTPS. Due to osascript limitations, a valid certificate needs to be presented by the C2 server for successful HTTPS C2 comms.
Execute:
Prelude Operator: Run the "JXA Access" Chain, which contains the "Deploy a stage-0 JXA agent" TTP.
Detect:
EDR:
process_name = "osascript" AND netconn_count >= 1
Respond:
View the cmdline of osascript execution. This may provide helpful details about the source of execution.
View the process' parent name and parent cmdline information.
Check for any network connections, file writes, process creates of the osascript process and its parent.
Privileges required: User or Root
MITRE ATT&CK®: T1059.007
osascript executing JavaScript
This query will detect any instance of osascript executing JavaScript.
Adversaries may use this for C2 comms. Apfell is a popular red team C2 agent that leverages this technique by default.
Execute:
Prelude Operator: Run the "JXA Access" Chain, which contains the "Deploy a stage-0 JXA agent" TTP.
Detect:
EDR:
process_name = "osascript" AND (process_cmdline = "*.js*" OR process_cmdline = "JavaScript")
Respond:
View the cmdline of osascript execution. This may provide helpful details about the source of execution.
View the process' parent name and parent cmdline information.
Check for any network connections, file writes, process creates of the osascript process and its parent.
Privileges required: User or Root
MITRE ATT&CK®: T1059.007
osascript shelling out
This query will detect any instance of osascript running some binary, consistent with a C2 shelling out.
Adversaries may use this for post-exploitation objectives, such as credential access by generating a prompt to ask a user for their password.
Execute:
Prelude Operator: Run the "JXA Access" Chain, which contains the "Deploy a stage-0 JXA agent" TTP. Once the agent beacons back to Operator, select it and execute any macOS chain or TTP.
Detect:
EDR:
parent_process_name = "osascript" AND NOT process_name = "osascript"
When adding exclusions to this query for baselining or threat hunting, DO NOT exclude based on the process_name of a shell/interpreter, such as sh or bash. When JXA agents are run with osascript, they will shell out using sh, bash, or some other shell.
Respond:
View the cmdline of osascript execution. If a true positive, this may provide exactly what the attacker is attempting to achieve.
View the cmdline of the target process. This will be the process launched by osascript. Is the cmdline suspicious?
Privileges required: User or Root
MITRE ATT&CK®: T1059
osascript executing AppleScript
This query detects any instance of osascript executing AppleScript.
Adversaries may use this for post-exploitation objectives, such as credential access by generating a prompt to ask a user for their password.
Execute:
Prelude Operator: Run the "Stage pneuma via applescript pop-up" TTP.
Detect:
EDR:
process_name = "osascript" AND NOT (process_cmdline = "*.js*" OR process_cmdline = "JavaScript")
Notice we are making some dangerous exclusions - this is because we want to minimize duplicate alerts since the "osascript executing JavaScript" already covers this. This will generate lots of false positives, so you'll need to exclude based on process relationship information.
Respond:
View the cmdline of osascript execution. If a true positive, this may provide exactly what the attacker is attempting to achieve.
View the process' parent information. Is the binary suspicious? Typically osascript post-exploitation executions will be the result of an adversary "shelling out" from their C2.
Privileges required: User or Root
MITRE ATT&CK®: T1059.002
Credential Access
osascript prompting for password
This query is meant to detect credential access post-exploitation techniques.
Adversaries may use this for post-exploitation objectives, such as credential access by generating a prompt to ask a user for their password.
Execute:
Prelude Operator: Run the "AppleScript - Prompt User for Password" TTP.
Detect:
EDR:
process_name = "osascript" AND process_cmdline = "*password*"
Respond:
View the cmdline of osascript execution. If a true positive, this may provide exactly what the attacker is attempting to achieve.
View the process' parent information. Is the binary suspicious? Typically osascript post-exploitation executions will be the result of an adversary "shelling out" from their C2.
Does it make sense the parent process is asking the user for their password?
Privileges required: User or Root
MITRE ATT&CK®: T1059.002
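The five EDR queries above, evaluated against a handful of constructed process events, as an added example that is not part of the original playbook or Prelude's own tooling. It assumes the EDR field names used in the queries (process_name, process_cmdline, parent_process_name, netconn_count), treats "*" as a glob and treats the bare "JavaScript" term as a token match so that "-l JavaScript" counts. It also encodes the two tuning notes: shells are never accepted as exclusions for the shelling-out rule, and the AppleScript rule is tuned by parent process rather than by cmdline. Sample cmdlines and paths are placeholders, not real agent artefacts.

```python
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process record as an EDR would expose it (field names follow the queries above)."""
    event_id: str
    process_name: str
    process_cmdline: str
    parent_process_name: str
    parent_cmdline: str
    netconn_count: int = 0


# Shells a JXA/AppleScript agent uses to "shell out"; they must never be excluded
# from the shelling-out rule, or the rule silently goes blind to real agents.
SHELLS = frozenset({"sh", "bash", "zsh", "dash", "ksh"})


def matches(value: str, pattern: str) -> bool:
    """EDR-style wildcard match: '*' is a glob, comparison is case-insensitive."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def is_jxa_invocation(e: ProcessEvent) -> bool:
    # process_cmdline = "*.js*" OR process_cmdline = "JavaScript"
    # Assumption: the second term is a token match, so "osascript -l JavaScript" counts.
    return matches(e.process_cmdline, "*.js*") or matches(e.process_cmdline, "*JavaScript*")


def osascript_network(e: ProcessEvent) -> bool:
    # process_name = "osascript" AND netconn_count >= 1
    return e.process_name == "osascript" and e.netconn_count >= 1


def osascript_javascript(e: ProcessEvent) -> bool:
    return e.process_name == "osascript" and is_jxa_invocation(e)


def safe_shell_out_exclusions(names) -> frozenset:
    """Drop any shell from a proposed exclusion list; only non-shell children may be excluded."""
    return frozenset(n for n in names if n.lower() not in SHELLS)


def osascript_shell_out(e: ProcessEvent, excluded_children=frozenset()) -> bool:
    # parent_process_name = "osascript" AND NOT process_name = "osascript"
    excluded = safe_shell_out_exclusions(excluded_children)
    return (e.parent_process_name == "osascript"
            and e.process_name != "osascript"
            and e.process_name not in excluded)


def osascript_applescript(e: ProcessEvent, allowed_parents=frozenset()) -> bool:
    # process_name = "osascript" AND NOT (JXA terms); tuned on the parent relationship,
    # not on the cmdline, because the cmdline exclusion is already the noisy part.
    return (e.process_name == "osascript"
            and not is_jxa_invocation(e)
            and e.parent_process_name not in allowed_parents)


def osascript_password_prompt(e: ProcessEvent) -> bool:
    # process_name = "osascript" AND process_cmdline = "*password*"
    return e.process_name == "osascript" and matches(e.process_cmdline, "*password*")


def run_detections(events, allowed_applescript_parents=frozenset(),
                   excluded_shell_out_children=frozenset()) -> dict:
    """Return {rule name: [event ids that fired]} for the five rules above."""
    rules = {
        "osascript making a network connection": osascript_network,
        "osascript executing JavaScript": osascript_javascript,
        "osascript shelling out": lambda e: osascript_shell_out(e, excluded_shell_out_children),
        "osascript executing AppleScript": lambda e: osascript_applescript(e, allowed_applescript_parents),
        "osascript prompting for password": osascript_password_prompt,
    }
    return {name: [e.event_id for e in events if rule(e)] for name, rule in rules.items()}


# Constructed sample telemetry; paths and commands are placeholders.
SAMPLE_EVENTS = [
    ProcessEvent("ev1", "osascript", "osascript -l JavaScript /tmp/PLACEHOLDER_stage0.js",
                 "bash", "bash -c PLACEHOLDER", netconn_count=3),      # JXA stage-0 with beacons
    ProcessEvent("ev2", "sh", "sh -c whoami",
                 "osascript", "osascript -l JavaScript /tmp/PLACEHOLDER_stage0.js"),  # agent shelling out
    ProcessEvent("ev3", "osascript", "osascript /tmp/PLACEHOLDER_ask_password.scpt",
                 "bash", "bash -c PLACEHOLDER"),                       # AppleScript credential prompt
    ProcessEvent("ev4", "osascript", "osascript -e 'tell application \"Finder\" to activate'",
                 "Script Editor", "/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor"),  # benign
    ProcessEvent("ev5", "curl", "curl https://example.invalid/", "bash", "bash -c PLACEHOLDER"),  # unrelated
]

if __name__ == "__main__":
    for rule, hits in run_detections(SAMPLE_EVENTS).items():
        print(f"{rule}: {hits}")
    print("with Script Editor parent excluded:",
          run_detections(SAMPLE_EVENTS, allowed_applescript_parents={"Script Editor"})["osascript executing AppleScript"])
```

Running it unfiltered, ev1 fires the network and JavaScript rules, ev2 fires shelling out, ev3 fires both the AppleScript and password rules, and the benign Script Editor launch (ev4) fires the AppleScript rule until its parent is added to the allowed-parent set. Passing "sh" as a shell-out exclusion has no effect, which is the behaviour the note on that rule asks for.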