Detect AppleScript in Google Chronicle
Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents. Scripts can be run from the command line via osascript /path/to/script or osascript -e 'script here'. AppleScripts can also be executed as plain-text shell scripts, from within Mach-O binaries using the NSAppleScript or OSAScript APIs, or through Mail rules, Calendar.app alarms, and Automator workflows. Adversaries may abuse AppleScript to interact with open SSH connections, present fake dialog boxes for credential harvesting, and execute native APIs on macOS 10.10+.
MITRE ATT&CK
- Tactic: Execution
- Technique: T1059 Command and Scripting Interpreter
- Sub-technique: T1059.002 AppleScript
- Canonical reference: https://attack.mitre.org/techniques/T1059/002/
YARA-L Detection Query
rule t1059_002_applescript_suspicious_osascript {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects suspicious AppleScript (osascript) execution matching T1059.002 patterns — credential harvesting dialogs, shell execution, keystroke injection, network downloads, and persistence via Launch Agents."
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "T1059.002"
    severity = "HIGH"
    confidence = "MEDIUM"
    platform = "macOS"
    reference = "https://attack.mitre.org/techniques/T1059/002/"
  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.asset.platform_software.platform = "APPLE_MAC"
    (
      $e.target.process.file.full_path = /\/osascript$/ nocase or
      $e.target.process.command_line = /osascript/ nocase
    )
    (
      $e.target.process.command_line = /display dialog/ nocase or
      $e.target.process.command_line = /do shell script/ nocase or
      $e.target.process.command_line = /keystroke/ nocase or
      $e.target.process.command_line = /key code/ nocase or
      $e.target.process.command_line = /open location/ nocase or
      $e.target.process.command_line = /System Events/ nocase or
      $e.target.process.command_line = /NSAppleScript/ nocase or
      // Case-sensitive on purpose: with nocase this pattern also matches the
      // "osascript" binary name itself and the rule would fire on every launch.
      $e.target.process.command_line = /OSAScript/ or
      $e.target.process.command_line = /launchctl/ nocase or
      $e.target.process.command_line = /LaunchAgent/ nocase or
      $e.target.process.command_line = /curl/ nocase or
      $e.target.process.command_line = /wget/ nocase or
      $e.target.process.command_line = /bash -c/ nocase
    )
  condition:
    $e
}

Chronicle YARA-L 2.0 rule that triggers on PROCESS_LAUNCH events from macOS assets where the target process is osascript and the command line contains one or more patterns associated with T1059.002 abuse. Covers the major attacker sub-patterns: phishing dialogs, shell spawning, keystroke injection, network retrieval, and Launch Agent persistence.
Data Sources
Required Tables
False Positives & Tuning
- macOS IT management tools executing osascript during automated software installs, preference configuration, or user onboarding scripts
- AppleScript workflows triggered by approved Calendar.app alarms or Mail rules configured by end users
- Legitimate application frameworks such as Electron or Qt invoking OSAScript APIs internally for macOS native dialog support
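To see how the rule's matching logic and the tuning above behave on concrete telemetry, here is an added Python emulation, not part of this page's detection package and not the Chronicle engine itself. It transcribes the rule's patterns, applies a parent-process allowlist for the "IT management tools" false-positive case, and runs both over constructed PROCESS_LAUNCH events covering the three tests from the Testing Methodology section, a benign automation, an allowlisted management-tool invocation and non-macOS noise. The event structure, the allowlisted agent path and every command line are constructed assumptions; the OSAScript pattern is treated case-sensitively here because with nocase it would match the osascript binary name on every launch.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Patterns transcribed from the page's YARA-L rule; YARA-L `nocase` maps to re.IGNORECASE.
OSASCRIPT_PATH = re.compile(r"/osascript$", re.IGNORECASE)
OSASCRIPT_CMD = re.compile(r"osascript", re.IGNORECASE)
PATTERNS = [
    "display dialog", "do shell script", "keystroke", "key code", "open location",
    "System Events", "NSAppleScript", "OSAScript", "launchctl", "LaunchAgent",
    "curl", "wget", "bash -c",
]
# Assumption: OSAScript stays case-sensitive, otherwise it matches the "osascript"
# binary name in every command line and the second group would always be true.
SUSPICIOUS = [(p, re.compile(p, 0 if p == "OSAScript" else re.IGNORECASE)) for p in PATTERNS]


@dataclass
class ProcessLaunch:
    """Constructed stand-in for the UDM fields the rule reads (not the real UDM schema)."""
    event_type: str
    platform: str
    full_path: str
    command_line: str
    parent_path: str = ""


def rule_hits(ev: ProcessLaunch) -> List[str]:
    """Labels of the suspicious patterns the rule would match; [] means no alert."""
    if ev.event_type != "PROCESS_LAUNCH" or ev.platform != "APPLE_MAC":
        return []
    if not (OSASCRIPT_PATH.search(ev.full_path) or OSASCRIPT_CMD.search(ev.command_line)):
        return []
    return [label for label, rx in SUSPICIOUS if rx.search(ev.command_line)]


# Tuning for the "IT management tools" false positive: suppress alerts whose parent is an
# approved agent. The path is a constructed placeholder; use your fleet's real agent path.
ALLOWLISTED_PARENTS = frozenset({"/opt/example-mdm/bin/agent"})


def evaluate(ev: ProcessLaunch, allowlist=ALLOWLISTED_PARENTS) -> Optional[List[str]]:
    """Rule hits after tuning: None when the rule is silent or the parent is allowlisted."""
    hits = rule_hits(ev)
    if not hits or ev.parent_path in allowlist:
        return None
    return hits


TERMINAL = "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"
MAC = ("PROCESS_LAUNCH", "APPLE_MAC", "/usr/bin/osascript")

# Constructed sample events: the three tests from the Testing Methodology section,
# a benign automation, an allowlisted management-tool invocation, and non-macOS noise.
SAMPLE_EVENTS: Dict[str, ProcessLaunch] = {
    "test1_dialog": ProcessLaunch(*MAC, "osascript -e 'display dialog \"constructed test\"'", TERMINAL),
    "test2_shell": ProcessLaunch(*MAC, "osascript -e 'do shell script \"whoami\"'", TERMINAL),
    "test3_keystroke": ProcessLaunch(
        *MAC, "osascript -e 'tell application \"System Events\" to keystroke \"a\"'", TERMINAL),
    "benign_finder": ProcessLaunch(*MAC, "osascript -e 'tell application \"Finder\" to activate'", TERMINAL),
    "mdm_install": ProcessLaunch(
        *MAC, "osascript -e 'do shell script \"defaults write com.example.app Configured -bool true\"'",
        "/opt/example-mdm/bin/agent"),
    "windows_noise": ProcessLaunch("PROCESS_LAUNCH", "WINDOWS", "C:\\tools\\osascript.exe",
                                   "osascript.exe display dialog"),
}


def run_all() -> Dict[str, Optional[List[str]]]:
    """Verdict per sample event: None for no alert, otherwise the matched pattern labels."""
    return {name: evaluate(ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(f"{name:16s} -> {'no alert' if verdict is None else 'ALERT: ' + ', '.join(verdict)}")
```

Note that the tuning keys on the parent process path rather than on the command line: the management-tool event carries exactly the same `do shell script` pattern as Test 2, so a command-line exclusion would suppress both, while a parent-based allowlist keeps the Terminal-spawned case alerting.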
Other platforms for T1059.002
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: AppleScript Credential Harvesting Dialog
Expected signal: Unified Log: osascript process creation with 'display dialog' in command arguments. MDE DeviceProcessEvents with ProcessCommandLine containing the dialog text. The dialog will appear on screen — click Cancel to dismiss.
- Test 2: AppleScript Shell Command Execution
Expected signal: Unified Log: osascript spawning /bin/sh to execute 'whoami'. Process tree shows osascript -> sh -> whoami chain. MDE DeviceProcessEvents captures the full chain.
- Test 3: AppleScript Keystroke Injection via System Events
Expected signal: Unified Log: osascript process with 'keystroke' in command arguments. System Events accessibility check may generate a TCC prompt. MDE DeviceProcessEvents captures the osascript invocation.
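Test 2's expected signal is a process tree rather than a single command line, which the YARA-L rule above does not check. The following added Python example, not from this page or from Atomic Red Team, reconstructs that osascript -> sh -> whoami chain from constructed process-launch records with pid/ppid fields. The record layout and paths are assumptions; the only constraint it imposes is that every process between osascript and the descendant is a shell, which is the `do shell script` execution path, and an unrelated launchd -> sh -> whoami branch is included to show it is not reported.

```python
import os
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Shells that `do shell script` may hand work to; the page documents /bin/sh, the rest is an assumption.
SHELLS = {"sh", "bash", "zsh"}


@dataclass(frozen=True)
class Proc:
    """Constructed process-launch record; field names are assumptions, not a telemetry schema."""
    pid: int
    ppid: int
    path: str

    @property
    def name(self) -> str:
        return os.path.basename(self.path)


def ancestry(procs: Dict[int, Proc], pid: int) -> List[Proc]:
    """[self, parent, grandparent, ...], stopping at the root or where telemetry has a gap."""
    chain: List[Proc] = []
    seen = set()
    cur = procs.get(pid)
    while cur is not None and cur.pid not in seen:  # seen-set guards against cyclic pid reuse
        chain.append(cur)
        seen.add(cur.pid)
        cur = procs.get(cur.ppid)
    return chain


def osascript_shell_chains(events: List[Proc]) -> List[Tuple[str, ...]]:
    """Chains from an osascript ancestor down to each descendant reached only through shells,
    i.e. the `do shell script` path Test 2 expects: osascript -> sh -> whoami."""
    procs = {p.pid: p for p in events}
    chains = []
    for p in events:
        lineage = ancestry(procs, p.pid)
        for depth in range(1, len(lineage)):
            if lineage[depth].name == "osascript":
                if all(x.name in SHELLS for x in lineage[1:depth]):
                    chains.append(tuple(x.name for x in reversed(lineage[: depth + 1])))
                break  # only the nearest osascript ancestor counts
    return sorted(chains)


# Constructed sample tree: Terminal -> osascript -> sh -> whoami, plus an unrelated
# launchd -> sh -> whoami branch that must not be reported.
SAMPLE_EVENTS = [
    Proc(1, 0, "/sbin/launchd"),
    Proc(50, 1, "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"),
    Proc(100, 50, "/usr/bin/osascript"),
    Proc(101, 100, "/bin/sh"),
    Proc(102, 101, "/usr/bin/whoami"),
    Proc(200, 1, "/bin/sh"),
    Proc(201, 200, "/usr/bin/whoami"),
]


def has_test2_signal(events: List[Proc]) -> bool:
    """True when the osascript -> shell -> whoami chain Test 2 expects is present."""
    return any(len(c) >= 3 and c[-1] == "whoami" for c in osascript_shell_chains(events))


if __name__ == "__main__":
    for chain in osascript_shell_chains(SAMPLE_EVENTS):
        print(" -> ".join(chain))
    print("Test 2 signal present:", has_test2_signal(SAMPLE_EVENTS))
```

The walk stops at the nearest osascript ancestor, so a shell launched by osascript is reported on its own (`osascript -> sh`) as well as each child it runs; in practice the child command is the more useful pivot, because `whoami` is interchangeable with whatever the script's `do shell script` string contains.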
References (6)
- https://attack.mitre.org/techniques/T1059/002/
- https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/
- https://developer.apple.com/library/archive/documentation/AppleScript/Conceptual/AppleScriptLangGuide/introduction/ASLR_intro.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md
- https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/
- https://objective-see.org/