Detect AppleScript in Elastic Security
Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents. Scripts can be run from the command-line via osascript /path/to/script or osascript -e 'script here'. AppleScripts can also be executed as plain text shell scripts, from within mach-O binaries using NSAppleScript or OSAScript APIs, or through Mail rules, Calendar.app alarms, and Automator workflows. Adversaries may abuse AppleScript to interact with open SSH connections, present fake dialog boxes for credential harvesting, and execute native APIs on macOS 10.10+.
MITRE ATT&CK
- Tactic
- Execution
- Technique
- T1059 Command and Scripting Interpreter
- Sub-technique
- T1059.002 AppleScript
- Canonical reference
- https://attack.mitre.org/techniques/T1059/002/
Elastic Detection Query
process where host.os.type == "macos" and event.type == "start" and
(process.name == "osascript" or process.executable like "*/osascript") and
(
process.command_line like "*display dialog*" or
process.command_line like "*do shell script*" or
process.command_line like "*keystroke*" or
process.command_line like "*key code*" or
process.command_line like "*open location*" or
process.command_line like "*System Events*" or
process.command_line like "*NSAppleScript*" or
process.command_line like "*OSAScript*" or
process.command_line like "*launchctl*" or
process.command_line like "*Launch Agent*" or
process.command_line like "*curl*" or
process.command_line like "*wget*" or
process.command_line like "*bash -c*" or
process.command_line like "*python*"
)Detects suspicious osascript (AppleScript) execution on macOS endpoints. Flags command lines containing patterns associated with credential harvesting dialog boxes, shell command execution, keystroke injection, network download activity, and persistence mechanisms via Launch Agents. Aligns with MITRE ATT&CK T1059.002.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate IT automation scripts using osascript for managed macOS fleet operations (e.g., Jamf Pro, Munki, Chef)
- Developer toolchains invoking NSAppleScript or OSAScript APIs during application build or testing (e.g., Xcode, Automator workflows)
- Calendar.app alarms and Mail rules that invoke osascript as part of approved user-configured workflows
Other platforms for T1059.002
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1AppleScript Credential Harvesting Dialog
Expected signal: Unified Log: osascript process creation with 'display dialog' in command arguments. MDE DeviceProcessEvents with ProcessCommandLine containing the dialog text. The dialog will appear on screen — click Cancel to dismiss.
- Test 2AppleScript Shell Command Execution
Expected signal: Unified Log: osascript spawning /bin/sh to execute 'whoami'. Process tree shows osascript -> sh -> whoami chain. MDE DeviceProcessEvents captures the full chain.
- Test 3AppleScript Keystroke Injection via System Events
Expected signal: Unified Log: osascript process with 'keystroke' in command arguments. System Events accessibility check may generate TCC prompt. MDE DeviceProcessEvents captures the osascript invocation.
References (6)
- https://attack.mitre.org/techniques/T1059/002/
- https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/
- https://developer.apple.com/library/archive/documentation/AppleScript/Conceptual/AppleScriptLangGuide/introduction/ASLR_intro.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md
- https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/
- https://objective-see.org/
Unlock Pro Content
Get the full detection package for T1059.002 including response playbook, investigation guide, and atomic red team tests.