{
  "author": [
    "Elastic"
  ],
  "description": "Identifies the execution of osascript to create a hidden login item. This may indicate an attempt to persist a malicious program while concealing its presence.",
  "from": "now-9m",
  "index": [
    "auditbeat-*",
    "logs-endpoint.events.*"
  ],
  "language": "eql",
  "license": "Elastic License v2",
  "name": "Creation of Hidden Login Item via Apple Script",
  "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*login item*hidden:true*\"\n",
  "risk_score": 47,
  "rule_id": "f24bcae1-8980-4b30-b5dd-f851b055c9e7",
  "severity": "medium",
  "tags": [
    "Elastic",
    "Host",
    "macOS",
    "Threat Detection",
    "Persistence",
    "Execution"
  ],
  "threat": [
    {
      "framework": "MITRE ATT&CK",
      "tactic": {
        "id": "TA0003",
        "name": "Persistence",
        "reference": "https://attack.mitre.org/tactics/TA0003/"
      },
      "technique": [
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "reference": "https://attack.mitre.org/techniques/T1547/",
          "subtechnique": [
            {
              "id": "T1547.011",
              "name": "Plist Modification",
              "reference": "https://attack.mitre.org/techniques/T1547/011/"
            }
          ]
        }
      ]
    },
    {
      "framework": "MITRE ATT&CK",
      "tactic": {
        "id": "TA0002",
        "name": "Execution",
        "reference": "https://attack.mitre.org/tactics/TA0002/"
      },
      "technique": [
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "reference": "https://attack.mitre.org/techniques/T1059/",
          "subtechnique": [
            {
              "id": "T1059.002",
              "name": "AppleScript",
              "reference": "https://attack.mitre.org/techniques/T1059/002/"
            }
          ]
        }
      ]
    }
  ],
  "timestamp_override": "event.ingested",
  "type": "eql",
  "version": 1
}