[New Rules] macOS Unified Logs Apple Event Detections

detection_rules/etc/non-ecs-schema.json

@@ -282,5 +282,8 @@
   "metrics-*": {
     "system.process.cpu.total.norm.pct": "double",
     "system.cpu.total.norm.pct": "double"
+  },
+  "logs-unified_logs.log-*": {
+    "message": "keyword"
   }
 }

hunting/macos/docs/execution_do_shell_script_via_apple_events.md

@@ -0,0 +1,45 @@
+# Do Shell Script Execution via Apple Events
+
+---
+
+## Metadata
+
+- **Author:** Elastic
+- **Description:** This hunt identifies `do shell script` execution via AppleScript using macOS Unified Logs Apple Event telemetry. The Apple Event type `syso,exec` corresponds to the `do shell script` command, which allows AppleScript to execute arbitrary shell commands. While `do shell script` has many legitimate uses, it is heavily abused by macOS stealers to run shell commands for reconnaissance, credential theft, data exfiltration, and payload execution. This hunt returns hosts and event counts for `syso,exec` Apple Events, enabling analysts to identify unusual volumes of shell execution via AppleScript.
+
+- **UUID:** `447987db-4501-416b-b3b3-9176871a6b20`
+- **Integration:** [unified_logs](https://docs.elastic.co/integrations/unified_logs)
+- **Language:** `[ES|QL]`
+- **Source File:** [Do Shell Script Execution via Apple Events](../queries/execution_do_shell_script_via_apple_events.toml)
+
+## Query
+
+```sql
+FROM logs-unified_logs.log-*
+| WHERE @timestamp > NOW() - 7 day
+| WHERE host.os.type == "macos" AND event.dataset == "unified_logs.log" AND message LIKE "*syso,exec*"
+| STATS event_count = COUNT(*), first_seen = MIN(@timestamp), last_seen = MAX(@timestamp) BY host.name
+| WHERE event_count >= 3
+| SORT event_count DESC
+```
+
+## Notes
+
+- This hunt returns hosts with `syso,exec` Apple Events aggregated by host and count, sorted by highest count.
+- A high volume of `do shell script` executions from a single host may indicate automated malicious activity or stealer malware running shell commands in bulk.
+- Pivot by `host.name` and review the `message` field contents to understand what shell commands are being executed.
+- Correlate with other Apple Event types (`syso,dlog`, `Jons,gClp`, `syso,ntoc`) on the same host to identify potential stealer activity chains.
+- If private data is enabled in Unified Logs, the `message` field may contain the actual shell command being executed, providing additional triage context.
+
+## MITRE ATT&CK Techniques
+
+- [T1059.002](https://attack.mitre.org/techniques/T1059/002)
+
+## References
+
+- https://pberba.github.io/security/2026/02/21/aemonitor/
+- https://www.elastic.co/docs/reference/integrations/unifiedlogs
+
+## License
+
+- `Elastic License v2`

hunting/macos/queries/execution_do_shell_script_via_apple_events.toml

@@ -0,0 +1,37 @@
+[hunt]
+author = "Elastic"
+description = """
+This hunt identifies `do shell script` execution via AppleScript using macOS Unified Logs Apple Event telemetry. The Apple
+Event type `syso,exec` corresponds to the `do shell script` command, which allows AppleScript to execute arbitrary shell
+commands. While `do shell script` has many legitimate uses, it is heavily abused by macOS stealers to run shell commands
+for reconnaissance, credential theft, data exfiltration, and payload execution. This hunt returns hosts and event counts
+for `syso,exec` Apple Events, enabling analysts to identify unusual volumes of shell execution via AppleScript. This
+detection leverages the `com.apple.appleevents` subsystem debug logs and does not require private data enablement.
+"""
+integration = ["unifiedlogs"]
+uuid = "447987db-4501-416b-b3b3-9176871a6b20"
+name = "Do Shell Script Execution via Apple Events"
+language = ["ES|QL"]
+license = "Elastic License v2"
+notes = [
+    "This hunt returns hosts with `syso,exec` Apple Events aggregated by host and count, sorted by highest count.",
+    "A high volume of `do shell script` executions from a single host may indicate automated malicious activity or stealer malware running shell commands in bulk.",
+    "Pivot by `host.name` and review the `message` field contents to understand what shell commands are being executed.",
+    "Correlate with other Apple Event types (`syso,dlog`, `Jons,gClp`, `syso,ntoc`) on the same host to identify potential stealer activity chains.",
+    "If private data is enabled in Unified Logs, the `message` field may contain the actual shell command being executed, providing additional triage context.",
+]
+mitre = ["T1059.002"]
+query = [
+'''
+FROM logs-unifiedlogs.unifiedlogs-*
+| WHERE @timestamp > NOW() - 7 day
+| WHERE host.os.type == "macos" AND event.dataset == "unifiedlogs.log" AND apple_event.type_code == "syso,exec"
+| STATS event_count = COUNT(*), first_seen = MIN(@timestamp), last_seen = MAX(@timestamp) BY host.name
+| WHERE event_count >= 3
+| SORT event_count DESC
+'''
+]
+references = [
+    "https://pberba.github.io/security/2026/02/21/aemonitor/",
+    "https://www.elastic.co/docs/reference/integrations/unifiedlogs",
+]

rules/integrations/unified_logs/collection_clipboard_access_via_applescript.toml

@@ -0,0 +1,99 @@
+[metadata]
+creation_date = "2026/03/23"
+integration = ["unifiedlogs"]
+maturity = "production"
+updated_date = "2026/03/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects clipboard data access via AppleScript using macOS Unified Logs Apple Event telemetry. The Apple Event type
+`Jons,gClp` corresponds to the `the clipboard` or `get the clipboard` AppleScript command, which retrieves the contents
+of the system clipboard. macOS stealers commonly access clipboard data to harvest cryptocurrency wallet addresses,
+passwords, sensitive tokens, or other data the user has recently copied. This detection leverages the
+`com.apple.appleevents` subsystem debug logs and does not require private data enablement.
+"""
+false_positives = [
+    """
+    Clipboard manager applications, productivity tools, and text processing utilities may legitimately access clipboard
+    contents via AppleScript. Review the source process and context to determine if the activity is expected.
+    """,
+]
+from = "now-9m"
+language = "esql"
+license = "Elastic License v2"
+name = "Clipboard Access via AppleScript"
+note = """## Triage and analysis
+
+### Investigating Clipboard Access via AppleScript
+
+This rule detects the `Jons,gClp` Apple Event, which indicates an AppleScript accessed the system clipboard. Clipboard access is a common technique used by macOS stealers to harvest sensitive data such as cryptocurrency wallet addresses, passwords, or tokens.
+
+### Possible investigation steps
+
+- Review the `message` field for the full Apple Event debug output to understand the clipboard access context.
+- Identify the source process by correlating timestamps with process execution logs from Elastic Defend or other endpoint telemetry.
+- Look for related Apple Events on the same host, such as `syso,exec` (shell execution) or network connections, which may indicate exfiltration of clipboard contents.
+- Check for recent `syso,dlog` (display dialog) events that may indicate a fake prompt was used to trick the user into copying sensitive data.
+- Review the host for known stealer malware indicators, unauthorized scripts, or recently modified files.
+- Check if the clipboard access coincides with the user interacting with sensitive applications (password managers, cryptocurrency wallets, banking sites).
+
+### False positive analysis
+
+- Clipboard manager applications (e.g., Paste, CopyClip) frequently access clipboard contents.
+- Productivity tools and text editors with clipboard integration may trigger this rule.
+- Automation workflows (Shortcuts, Automator) that process clipboard data.
+
+### Response and remediation
+
+- If clipboard access is determined to be malicious, assume sensitive data may have been captured and take appropriate action (rotate credentials, move cryptocurrency funds, etc.).
+- Isolate the affected host and investigate the full attack chain.
+- Remove any malicious scripts, applications, or persistence mechanisms.
+"""
+references = [
+    "https://pberba.github.io/security/2026/02/21/aemonitor/",
+    "https://www.elastic.co/docs/reference/integrations/unifiedlogs",
+]
+risk_score = 47
+rule_id = "28fd38cf-43c0-4904-b756-8ed9694e8f13"
+severity = "medium"
+tags = [
+    "Domain: macOS",
+    "Data Source: macOS Unified Logs",
+    "Data Source: Unified Logs",
+    "Use Case: Threat Detection",
+    "Resources: Investigation Guide",
+    "Tactic: Collection",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+FROM logs-unifiedlogs.unifiedlogs-* METADATA _id, _version, _index
+| WHERE event.dataset == "unifiedlogs.log" AND host.os.type == "macos" AND apple_event.type_code == "Jons,gClp"
+| KEEP @timestamp, _id, _version, _index, host.name, host.id, host.os.type, event.dataset, unified_log.subsystem, unified_log.category, apple_event.type_code, message
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1115"
+name = "Clipboard Data"
+reference = "https://attack.mitre.org/techniques/T1115/"
+
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
+
+[rule.investigation_fields]
+field_names = [
+    "host.name",
+    "host.id",
+    "message",
+    "apple_event.type_code",
+    "event.dataset",
+    "process.name",
+    "process.executable",
+    "user.name",
+]

rules/integrations/unified_logs/credential_access_hidden_text_password_prompt_via_applescript.toml

@@ -0,0 +1,108 @@
+[metadata]
+creation_date = "2026/03/23"
+integration = ["unifiedlogs"]
+maturity = "production"
+updated_date = "2026/03/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects the use of AppleScript's `display dialog` with hidden text input (`htxt=true`) via macOS Unified Logs Apple Event
+telemetry. The Apple Event type `syso,dlog` corresponds to the AppleScript `display dialog` command, and the `htxt=true`
+parameter indicates the dialog is configured to mask user input, which is characteristic of a password prompt. While this
+pattern has legitimate uses in authentication workflows and IT tooling, it is also commonly abused by macOS stealers to
+present deceptive credential harvesting dialogs. Triage should focus on identifying the source process and determining
+whether the prompt is part of an expected application workflow. This detection leverages the `com.apple.appleevents`
+subsystem debug logs and does not require private data enablement.
+"""
+false_positives = [
+    """
+    Legitimate applications or scripts may use `display dialog` with hidden text input for password prompts. Review the
+    source process and the context of the dialog to determine if the activity is expected. Common legitimate uses include
+    IT administration scripts, password managers, or application authentication flows.
+    """,
+]
+from = "now-9m"
+language = "esql"
+license = "Elastic License v2"
+name = "Hidden Text Password Prompt via AppleScript"
+note = """## Triage and analysis
+
+### Investigating Hidden Text Password Prompt via AppleScript
+
+This rule detects AppleScript `display dialog` commands configured with hidden text input. The Apple Event `syso,dlog` with `htxt=true` in macOS Unified Logs indicates a dialog box designed to capture sensitive input such as passwords. This pattern has legitimate uses but is also a known technique used by macOS stealers to harvest credentials via deceptive prompts.
+
+### Possible investigation steps
+
+- Review the `message` field to examine the full Apple Event debug output, including any dialog text (`dtxt`) that may reveal the prompt message shown to the user.
+- Identify the source process responsible for the Apple Event by correlating timestamps with process execution logs from Elastic Defend or other endpoint telemetry.
+- Check for related Apple Events in the same time window from the same host, such as `syso,exec` (do shell script) or network activity, which may indicate post-credential-harvest exfiltration.
+- Investigate whether the dialog text references system-level prompts (e.g., "System Preferences", "Keychain", "macOS Update") commonly impersonated by stealers.
+- Review the host for recently installed or modified applications, scripts, or LaunchAgents that could be the source of the AppleScript execution.
+
+### False positive analysis
+
+- IT administration tools may use AppleScript dialogs for legitimate authentication workflows. Verify the source application and whether it is part of standard IT tooling.
+- Password managers or security tools may trigger this pattern when prompting for master passwords.
+- Developer or automation scripts may use `display dialog` with hidden input for internal tooling.
+
+### Response and remediation
+
+- If the prompt is determined to be malicious, immediately isolate the affected host to prevent credential exfiltration.
+- Reset any credentials that may have been entered into the dialog.
+- Identify and remove the malicious script, application, or persistence mechanism responsible for the prompt.
+- Check for lateral movement or additional compromised hosts using the same technique.
+- Review endpoint telemetry for evidence of data exfiltration following the credential capture.
+"""
+references = [
+    "https://pberba.github.io/security/2026/02/21/aemonitor/",
+    "https://www.elastic.co/docs/reference/integrations/unifiedlogs",
+]
+risk_score = 47
+rule_id = "699f3a9b-4e4c-43ce-b612-04580766c69f"
+severity = "medium"
+tags = [
+    "Domain: macOS",
+    "Data Source: macOS Unified Logs",
+    "Data Source: Unified Logs",
+    "Use Case: Threat Detection",
+    "Resources: Investigation Guide",
+    "Tactic: Credential Access",
+    "Rule Type: BBR",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+FROM logs-unifiedlogs.unifiedlogs-* METADATA _id, _version, _index
+| WHERE event.dataset == "unifiedlogs.log" AND host.os.type == "macos" AND apple_event.type_code == "syso,dlog"
+  AND apple_event.parameters == "htxt"
+| KEEP @timestamp, _id, _version, _index, host.name, host.id, host.os.type, event.dataset, unified_log.subsystem, unified_log.category, apple_event.type_code, apple_event.parameters, message
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1056"
+name = "Input Capture"
+reference = "https://attack.mitre.org/techniques/T1056/"
+[[rule.threat.technique.subtechnique]]
+id = "T1056.002"
+name = "GUI Input Capture"
+reference = "https://attack.mitre.org/techniques/T1056/002/"
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[rule.investigation_fields]
+field_names = [
+    "host.name",
+    "host.id",
+    "message",
+    "event.dataset",
+    "process.name",
+    "process.executable",
+    "user.name",
+]