The hypothesis is that a hit on launch-questd-w-osascript indicates an adversary using osascript to run a `launchctl load` shell command that installs and starts the EvilQuest payload, questd, as a launchd job. That command line is the persistence and execution step of the ransomware, so it appears before any file encryption. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and contain early-stage macOS ransomware activity before significant data encryption or exfiltration occurs.
KQL Query
union DeviceFileEvents, DeviceProcessEvents
| where Timestamp >= ago(7d)
// DeviceFileEvents has no ProcessCommandLine column (only InitiatingProcessCommandLine),
// so the file-event leg of the union can only match through the second clause.
| where (ProcessCommandLine has "osascript -e do shell script \"launchctl load" and ProcessCommandLine contains "questd")
    or (InitiatingProcessCommandLine has "osascript -e do shell script \"launchctl load" and InitiatingProcessCommandLine contains "questd")
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, ProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessFileName
id: 4e186f05-8cff-4afa-a0c8-4f0f0e7aeb82
name: launch-questd-w-osascript
description: |
  This query was originally published in the threat analytics report, EvilQuest signals the rise of Mac ransomware.
  As of the time of this writing (October 2020), ransomware designed to target macOS is relatively rare. EvilQuest is one of the few examples of this kind of malware on the platform.
  The query below can detect events associated with the launch of the EvilQuest executable, questd, from the shell.
  Other queries related to EvilQuest ransomware can be found under the See also section below.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceFileEvents
  - DeviceProcessEvents
tactics:
- Execution
- Impact
query: |
  union DeviceFileEvents, DeviceProcessEvents
  | where Timestamp >= ago(7d)
  // DeviceFileEvents has no ProcessCommandLine column (only InitiatingProcessCommandLine),
  // so the file-event leg of the union can only match through the second clause.
  | where (ProcessCommandLine has "osascript -e do shell script \"launchctl load" and ProcessCommandLine contains "questd")
      or (InitiatingProcessCommandLine has "osascript -e do shell script \"launchctl load" and InitiatingProcessCommandLine contains "questd")
  | project Timestamp, DeviceName, ActionType, FileName, FolderPath, ProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessFileName
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Populated by the MicrosoftThreatProtection (Microsoft 365 Defender) connector; ensure it is enabled and that macOS devices are onboarded to Defender for Endpoint |
| DeviceProcessEvents | Populated by the same connector; this is the table that carries ProcessCommandLine, so it is where the query's hits come from |
The scenarios below cover benign uses of osascript. Note that the query only fires when the command line also contains the payload name questd, so in practice the false-positive surface is limited to command lines that happen to contain that substring; the exclusions are still worth understanding if the query is broadened.
Scenario: Scheduled System Maintenance Task
Description: A legitimate maintenance task, such as a launchd job configured to run osascript for system diagnostics or log analysis.
Filter/Exclusion: Exclude launchd jobs whose command lines reference known maintenance scripts, or whose parent process runs from /usr/sbin/ or /bin/, after confirming they are not associated with malicious activity.
Scenario: Admin Script for User Management
Description: An administrator uses osascript to interact with the macOS GUI for user account management or configuration changes.
Filter/Exclusion: Filter by script paths such as /usr/local/bin/ or /opt/admin_tools/ that are known to be used by trusted admin scripts.
Scenario: Automation Tool Integration
Description: A legitimate automation workflow (an AppleScript applet, Automator action or similar) invokes osascript to drive macOS GUI elements for tasks like file management or application control.
Filter/Exclusion: Exclude osascript invocations whose script argument resolves to an organization-maintained location such as /Library/Scripts/ or /Users/Shared/Scripts/; do not exclude osascript itself, since the detection depends on it.
Scenario: Third-Party Application GUI Interaction
Description: A legitimate third-party application uses osascript to interact with macOS GUI components for features like notifications or UI automation.
Filter/Exclusion: Exclude processes whose parent is a known, code-signed application, identified by bundle identifier or signing identity rather than only by a path under /Applications/ or /usr/local/, since any installer can write to those locations (note that identifiers such as com.apple.TextEdit and com.apple.Terminal belong to Apple's own applications, not third parties).
Scenario: Installer or Software Update Post-Install Scripting
Description: A legitimate installer package or software update runs osascript from a post-install script, for example to load a newly installed launchd job. osascript cannot bypass System Integrity Protection, so a process that appears to attempt that is suspicious rather than a maintenance task.
Filter/Exclusion: Filter by parent process names or paths associated with system updates (e.g., softwareupdate, installer) or check for presence
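The predicate used by the query above, and the tuning choices the scenarios describe, run over a handful of constructed advanced-hunting rows. This is an added example and not Microsoft's query or code: column names follow the DeviceProcessEvents / DeviceFileEvents schema, but every row value (hostnames, users, paths, the questd.plist name and the "QuestDesigner" product) is made up, the KQL `has` and `contains` semantics are approximated, and it is assumed that the sensor records the shell-quoted `-e` argument without its single quotes, which is why the `has` phrase in the query contains no quote before `do shell script`.

```python
import re

# Strings from the page's KQL predicate.
LAUNCH_PHRASE = 'osascript -e do shell script "launchctl load'
PAYLOAD_TERM = "questd"

# Constructed sample rows (all values invented for this example).
SAMPLE_ROWS = [
    {   # EvilQuest-style launch, rendered as the sensor would see argv after the
        # shell consumed the single quotes around the -e argument (assumption).
        "Id": 1, "Table": "DeviceProcessEvents",
        "InitiatingProcessFileName": "questd",
        "InitiatingProcessFolderPath": "/Users/alice/Library/questd",
        "ProcessCommandLine": 'osascript -e do shell script "launchctl load '
                              '/Users/alice/Library/LaunchAgents/questd.plist"',
    },
    {   # File written by that osascript: DeviceFileEvents has no ProcessCommandLine
        # column, only InitiatingProcessCommandLine.
        "Id": 2, "Table": "DeviceFileEvents", "ActionType": "FileCreated",
        "FileName": "questd.plist",
        "InitiatingProcessFileName": "osascript",
        "InitiatingProcessFolderPath": "/usr/bin",
        "InitiatingProcessCommandLine": 'osascript -e do shell script "launchctl load '
                                        '/Users/alice/Library/LaunchAgents/questd.plist"',
    },
    {   # Admin script (scenario 2): osascript, but no launchctl load and no questd.
        "Id": 3, "Table": "DeviceProcessEvents",
        "InitiatingProcessFileName": "bash", "InitiatingProcessFolderPath": "/bin",
        "ProcessCommandLine": "osascript /usr/local/bin/manage_user.scpt jdoe",
    },
    {   # Installer post-install script loading a daemon: launch phrase present,
        # payload term absent, so it must not fire.
        "Id": 4, "Table": "DeviceProcessEvents",
        "InitiatingProcessFileName": "installer", "InitiatingProcessFolderPath": "/usr/sbin",
        "ProcessCommandLine": 'osascript -e do shell script "launchctl load '
                              '/Library/LaunchDaemons/com.example.backup.plist"',
    },
    {   # Hypothetical benign product whose bundle id contains "questd" as a substring.
        "Id": 5, "Table": "DeviceProcessEvents",
        "InitiatingProcessFileName": "QuestDesigner",
        "InitiatingProcessFolderPath": "/Applications/QuestDesigner.app/Contents/MacOS",
        "ProcessCommandLine": 'osascript -e do shell script "launchctl load '
                              '/Library/LaunchAgents/com.questdesigner.helper.plist"',
    },
]


def kql_has(text, phrase):
    """Approximation of KQL `has`: case-insensitive, and the phrase must start and
    end on a term boundary (not glued to other alphanumerics). Kusto's real term
    indexing is more involved; this is enough for the predicate on this page."""
    if not text:
        return False
    pattern = r"(?<![A-Za-z0-9])" + re.escape(phrase) + r"(?![A-Za-z0-9])"
    return re.search(pattern, text, re.IGNORECASE) is not None


def kql_contains(text, needle):
    """Approximation of KQL `contains`: case-insensitive substring match."""
    return bool(text) and needle.lower() in text.lower()


def page_predicate(cmdline):
    """Exactly the page's where-clause: has <launch phrase> and contains "questd"."""
    return kql_has(cmdline, LAUNCH_PHRASE) and kql_contains(cmdline, PAYLOAD_TERM)


def tightened_predicate(cmdline):
    """Same, but `has "questd"`: the payload name must be a whole term, so bundle ids
    like com.questdesigner.* no longer match while .../questd.plist still does."""
    return kql_has(cmdline, LAUNCH_PHRASE) and kql_has(cmdline, PAYLOAD_TERM)


def hunt(rows, predicate=page_predicate, columns=("ProcessCommandLine",)):
    """Return the Ids of rows where the predicate holds for any of the given columns.
    The page's query inspects ProcessCommandLine only; passing
    InitiatingProcessCommandLine as well is what lets DeviceFileEvents rows match."""
    return [r["Id"] for r in rows if any(predicate(r.get(c, "")) for c in columns)]


def apply_exclusions(rows, hit_ids, trusted_parent_dirs):
    """Scenario-4 style tuning: drop hits whose parent process lives under an
    allowlisted directory. A broad prefix such as "/Applications/" also hides a
    dropper that installs itself there, which is why signing identity is preferable."""
    by_id = {r["Id"]: r for r in rows}
    return [i for i in hit_ids
            if not by_id[i].get("InitiatingProcessFolderPath", "")
                           .startswith(tuple(trusted_parent_dirs))]


if __name__ == "__main__":
    print("page query:      ", hunt(SAMPLE_ROWS))
    print("both columns:    ", hunt(SAMPLE_ROWS, columns=("ProcessCommandLine",
                                                         "InitiatingProcessCommandLine")))
    print("tightened:       ", hunt(SAMPLE_ROWS, predicate=tightened_predicate))
    print("path-allowlisted:", apply_exclusions(SAMPLE_ROWS, hunt(SAMPLE_ROWS), ("/Applications/",)))
```

Run as written, the page's predicate returns rows 1 and 5 (the hypothetical QuestDesigner helper is a substring false positive), the file event in row 2 is only found when InitiatingProcessCommandLine is inspected too, and switching the payload match from `contains` to `has` removes row 5 without touching the real hit.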