T1059.002 AppleScript Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let SuspiciousPatterns = dynamic([
  "osascript", "do shell script", "display dialog",
  "System Events", "keystroke", "key code",
  "tell application", "open location",
  "NSAppleScript", "OSAScript",
  "curl", "wget", "python", "bash -c",
  "launchctl", "Launch Agent"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "osascript" or ProcessCommandLine has "osascript"
| where ProcessCommandLine has_any (SuspiciousPatterns)
| extend FakeDialog = ProcessCommandLine has "display dialog"
| extend ShellExec = ProcessCommandLine has "do shell script"
| extend KeyInjection = ProcessCommandLine has_any ("keystroke", "key code")
| extend NetworkActivity = ProcessCommandLine has_any ("curl", "wget", "open location")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         FakeDialog, ShellExec, KeyInjection, NetworkActivity
| sort by Timestamp desc

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate macOS automation workflows using Automator or Shortcuts that invoke osascript
Developer tools and IDEs (Xcode, VS Code) that use AppleScript for macOS integration
IT management tools (Jamf, Munki) that use osascript for user notifications and prompts

Splunk

spl

index=osquery OR index=macos sourcetype="osquery:results" OR sourcetype="macos_secure_event"
  (name="process_events" OR name="processes")
  (columns.path="*/osascript" OR columns.cmdline="*osascript*")
| eval cmdline=coalesce(columns.cmdline, cmdline)
| eval FakeDialog=if(match(cmdline, "display dialog"), 1, 0)
| eval ShellExec=if(match(cmdline, "do shell script"), 1, 0)
| eval KeyInjection=if(match(cmdline, "(keystroke|key code)"), 1, 0)
| eval NetworkActivity=if(match(cmdline, "(curl|wget|open location)"), 1, 0)
| eval SuspicionScore=FakeDialog + ShellExec + KeyInjection + NetworkActivity
| where SuspicionScore > 0
| table _time, host, columns.uid, columns.path, cmdline, columns.parent, FakeDialog, ShellExec, KeyInjection, NetworkActivity, SuspicionScore
| sort - _time

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution osquery process_events

Required Sourcetypes

osquery:results macos_secure_event

False Positives

Legitimate macOS automation workflows using Automator or Shortcuts that invoke osascript
Developer tools and IDEs (Xcode, VS Code) that use AppleScript for macOS integration
IT management tools (Jamf, Munki) that use osascript for user notifications and prompts

Elastic Security (EQL)

eql

process where host.os.type == "macos" and event.type == "start" and
  (process.name == "osascript" or process.executable like "*/osascript") and
  (
    process.command_line like "*display dialog*" or
    process.command_line like "*do shell script*" or
    process.command_line like "*keystroke*" or
    process.command_line like "*key code*" or
    process.command_line like "*open location*" or
    process.command_line like "*System Events*" or
    process.command_line like "*NSAppleScript*" or
    process.command_line like "*OSAScript*" or
    process.command_line like "*launchctl*" or
    process.command_line like "*Launch Agent*" or
    process.command_line like "*curl*" or
    process.command_line like "*wget*" or
    process.command_line like "*bash -c*" or
    process.command_line like "*python*"
  )

high severity medium confidence

Data Sources

Elastic Endpoint Security (macOS agent) Elastic Agent with System integration OSQuery via Fleet

Required Tables

logs-endpoint.events.process-* logs-system.security-*

False Positives

Legitimate IT automation scripts using osascript for managed macOS fleet operations (e.g., Jamf Pro, Munki, Chef)
Developer toolchains invoking NSAppleScript or OSAScript APIs during application build or testing (e.g., Xcode, Automator workflows)
Calendar.app alarms and Mail rules that invoke osascript as part of approved user-configured workflows

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  sourceip AS HostIP,
  username AS AccountName,
  "Process Name" AS ProcessName,
  "Command" AS CommandLine,
  CATEGORYNAME(category) AS CategoryName,
  QIDNAME(qid) AS EventName
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Apple macOS', 'OSQuery', 'Carbon Black EDR', 'CrowdStrike Falcon')
  AND (
    "Process Name" ILIKE '%osascript%'
    OR "Command" ILIKE '%osascript%'
  )
  AND (
    "Command" ILIKE '%display dialog%'
    OR "Command" ILIKE '%do shell script%'
    OR "Command" ILIKE '%keystroke%'
    OR "Command" ILIKE '%key code%'
    OR "Command" ILIKE '%open location%'
    OR "Command" ILIKE '%System Events%'
    OR "Command" ILIKE '%NSAppleScript%'
    OR "Command" ILIKE '%OSAScript%'
    OR "Command" ILIKE '%launchctl%'
    OR "Command" ILIKE '%Launch Agent%'
    OR "Command" ILIKE '%curl%'
    OR "Command" ILIKE '%wget%'
    OR "Command" ILIKE '%bash -c%'
    OR "Command" ILIKE '%python%'
  )
ORDER BY starttime DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

Apple macOS Unified Log (via syslog forwarder or DSM) OSQuery results forwarded to QRadar via syslog CrowdStrike Falcon or Carbon Black EDR with QRadar integration

Required Tables

events

False Positives

MDM platforms (Jamf Pro, Mosyle) executing osascript during policy enforcement or software deployment tasks
Security tooling such as endpoint agents that invoke osascript to query macOS system state or display user notifications
Developer or QA automation running AppleScript UI testing frameworks such as applesimutils or XCTest UI

Sumo Logic CSE

sql

(_sourceCategory=*/osquery OR _sourceCategory=*/macos/security OR _sourceCategory=macos/edr)
| where name = "process_events" OR name = "processes" OR _sourceName matches "*process*"
| where columns_path matches "*/osascript" OR cmdline matches "*osascript*" OR columns_cmdline matches "*osascript*"
| eval cmdline = if (!isNull(columns_cmdline), columns_cmdline, cmdline)
| eval FakeDialog      = if (cmdline matches "*display dialog*", 1, 0)
| eval ShellExec       = if (cmdline matches "*do shell script*", 1, 0)
| eval KeyInjection    = if (cmdline matches "*keystroke*" OR cmdline matches "*key code*", 1, 0)
| eval NetworkActivity = if (cmdline matches "*curl*" OR cmdline matches "*wget*" OR cmdline matches "*open location*", 1, 0)
| eval PersistenceHint = if (cmdline matches "*launchctl*" OR cmdline matches "*Launch Agent*", 1, 0)
| eval SuspicionScore  = FakeDialog + ShellExec + KeyInjection + NetworkActivity + PersistenceHint
| where SuspicionScore > 0
| fields _time, host, columns_uid, columns_path, cmdline, columns_parent, FakeDialog, ShellExec, KeyInjection, NetworkActivity, PersistenceHint, SuspicionScore
| sort by _time desc

high severity medium confidence

Data Sources

OSQuery results via Sumo Logic Installed Collector macOS Unified Log via Sumo Logic macOS Source EDR telemetry (CrowdStrike, Carbon Black) forwarded to Sumo Logic

Required Tables

_sourceCategory=*/osquery _sourceCategory=*/macos/security _sourceCategory=macos/edr

False Positives

Automated deployment tools using AppleScript to configure macOS system preferences during imaging or provisioning workflows
AppleScript-based GUI automation in CI/CD pipelines for macOS application testing (e.g., GitHub Actions macOS runners)
Legitimate productivity applications (e.g., Alfred, Keyboard Maestro) executing osascript to perform user-configured automation macros

Google Chronicle / SecOps

yaral

rule t1059_002_applescript_suspicious_osascript {
  meta:
    author          = "Argus Detection Engineering"
    description     = "Detects suspicious AppleScript (osascript) execution matching T1059.002 patterns — credential harvesting dialogs, shell execution, keystroke injection, network downloads, and persistence via Launch Agents."
    mitre_attack_tactic    = "Execution"
    mitre_attack_technique = "T1059.002"
    severity        = "HIGH"
    confidence      = "MEDIUM"
    platform        = "macOS"
    reference       = "https://attack.mitre.org/techniques/T1059/002/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.asset.platform_software.platform = "APPLE_MAC"
    (
      $e.target.process.file.full_path = /\/osascript$/ nocase or
      $e.target.process.command_line = /osascript/ nocase
    )
    (
      $e.target.process.command_line = /display dialog/ nocase or
      $e.target.process.command_line = /do shell script/ nocase or
      $e.target.process.command_line = /keystroke/ nocase or
      $e.target.process.command_line = /key code/ nocase or
      $e.target.process.command_line = /open location/ nocase or
      $e.target.process.command_line = /System Events/ nocase or
      $e.target.process.command_line = /NSAppleScript/ nocase or
      $e.target.process.command_line = /OSAScript/ nocase or
      $e.target.process.command_line = /launchctl/ nocase or
      $e.target.process.command_line = /LaunchAgent/ nocase or
      $e.target.process.command_line = /curl/ nocase or
      $e.target.process.command_line = /wget/ nocase or
      $e.target.process.command_line = /bash -c/ nocase
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

Google Chronicle UDM via Palo Alto Cortex XDR macOS sensor Chronicle macOS Endpoint Forwarder OSQuery-based Chronicle ingestion pipeline

Required Tables

UDM entity: PROCESS_LAUNCH on APPLE_MAC platform

False Positives

macOS IT management tools executing osascript during automated software installs, preference configuration, or user onboarding scripts
AppleScript workflows triggered by approved Calendar.app alarms or Mail rules configured by end users
Legitimate application frameworks such as Electron or Qt invoking OSAScript APIs internally for macOS native dialog support

CrowdStrike LogScale (CQL)

cql

#event_simpleName = ProcessRollup2
| ImageFileName = /osascript/i OR CommandLine = /osascript/i
| CommandLine = /display dialog|do shell script|keystroke|key code|open location|System Events|NSAppleScript|OSAScript|launchctl|LaunchAgent|curl|wget|bash -c|python/i
| eval FakeDialog      = if(CommandLine =~ /display dialog/i, "true", "false")
| eval ShellExec       = if(CommandLine =~ /do shell script/i, "true", "false")
| eval KeyInjection    = if(CommandLine =~ /keystroke|key code/i, "true", "false")
| eval NetworkActivity = if(CommandLine =~ /curl|wget|open location/i, "true", "false")
| eval PersistenceHint = if(CommandLine =~ /launchctl|LaunchAgent/i, "true", "false")
| eval SuspicionSignals = (if(FakeDialog = "true", 1, 0)) + (if(ShellExec = "true", 1, 0)) + (if(KeyInjection = "true", 1, 0)) + (if(NetworkActivity = "true", 1, 0)) + (if(PersistenceHint = "true", 1, 0))
| where SuspicionSignals > 0
| table([ComputerName, UserName, FileName, ImageFileName, CommandLine, ParentBaseFileName, FakeDialog, ShellExec, KeyInjection, NetworkActivity, PersistenceHint, SuspicionSignals, @timestamp])
| sort(field=@timestamp, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Sensor (macOS) — ProcessRollup2 event stream Falcon Data Replicator (FDR) feeding LogScale

Required Tables

ProcessRollup2

False Positives

Falcon-enrolled macOS endpoints running Jamf Pro or other MDM policies that invoke osascript for software management or user notification
Security red-team exercises or authorized penetration tests using osascript payloads on Falcon-managed endpoints
Developer workstations building or testing macOS applications that exercise AppleScript or NSAppleScript APIs during normal development workflows

AppleScript

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Execution

Popular Detections