T1059.002 CrowdStrike LogScale · LogScale

Detect AppleScript in CrowdStrike LogScale

Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents. Scripts can be run from the command line via osascript /path/to/script or osascript -e 'script here'. AppleScripts can also be executed as plain-text shell scripts, from within Mach-O binaries using the NSAppleScript or OSAScript APIs, or through Mail rules, Calendar.app alarms, and Automator workflows. Adversaries may abuse AppleScript to interact with open SSH connections, present fake dialog boxes for credential harvesting, and execute native APIs on macOS 10.10+.

MITRE ATT&CK

Tactic: Execution
Technique: T1059 Command and Scripting Interpreter
Sub-technique: T1059.002 AppleScript
Canonical reference: https://attack.mitre.org/techniques/T1059/002/

LogScale Detection Query

CrowdStrike LogScale query (CQL):

// Scope to process executions where osascript is the image or appears on the command line
#event_simpleName = ProcessRollup2
| ImageFileName = /osascript/i OR CommandLine = /osascript/i
// Cheap narrowing step; every scored term below also appears in this list
| CommandLine = /display dialog|do shell script|keystroke|key code|open location|System Events|NSAppleScript|OSAScript|launchctl|LaunchAgent|curl|wget|bash -c|python/i
// One case{} per signal: a "true"/"false" label for the table plus a 0/1 counter for scoring.
// The "*" default branch keeps non-matching events; without it case{} would drop them.
| case { CommandLine = /display dialog/i | FakeDialog := "true" | fd := 1; * | FakeDialog := "false" | fd := 0 }
| case { CommandLine = /do shell script/i | ShellExec := "true" | se := 1; * | ShellExec := "false" | se := 0 }
| case { CommandLine = /keystroke|key code/i | KeyInjection := "true" | ki := 1; * | KeyInjection := "false" | ki := 0 }
| case { CommandLine = /curl|wget|open location/i | NetworkActivity := "true" | na := 1; * | NetworkActivity := "false" | na := 0 }
| case { CommandLine = /launchctl|LaunchAgent/i | PersistenceHint := "true" | ph := 1; * | PersistenceHint := "false" | ph := 0 }
| SuspicionSignals := fd + se + ki + na + ph
| SuspicionSignals > 0
| table([ComputerName, UserName, FileName, ImageFileName, CommandLine, ParentBaseFileName, FakeDialog, ShellExec, KeyInjection, NetworkActivity, PersistenceHint, SuspicionSignals, @timestamp])
| sort(field=@timestamp, order=desc)
Severity: high. Confidence: medium.

CrowdStrike LogScale (CQL) detection targeting ProcessRollup2 events where the executed image is osascript or the command line invokes it. Evaluates each event against five behavioral signal categories (fake dialog, shell execution, key injection, network activity, persistence) and surfaces any event matching at least one signal. Designed for macOS endpoints enrolled in Falcon.

Data Sources

  • CrowdStrike Falcon Sensor (macOS) — ProcessRollup2 event stream
  • Falcon Data Replicator (FDR) feeding LogScale

Required Tables

ProcessRollup2

False Positives & Tuning

  • Falcon-enrolled macOS endpoints running Jamf Pro or other MDM policies that invoke osascript for software management or user notification
  • Security red-team exercises or authorized penetration tests using osascript payloads on Falcon-managed endpoints
  • Developer workstations building or testing macOS applications that exercise AppleScript or NSAppleScript APIs during normal development workflows
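To show how the query's five-signal scoring behaves on concrete events, and how the parent-process allowlist implied by the MDM false positive above can be applied before an alert fires, here is an added Python example (not code from this page, from CrowdStrike, or from the detection's author). It mirrors the query's regexes over a handful of constructed ProcessRollup2-style records; the BENIGN_PARENTS names, the sample values and the `_ev` helper are assumptions made for the example.

```python
import re

# Signal categories mirrored from the page's LogScale query. The regexes are applied
# case-insensitively, matching the /.../i literals in the query.
SIGNALS = {
    "FakeDialog":      re.compile(r"display dialog", re.I),
    "ShellExec":       re.compile(r"do shell script", re.I),
    "KeyInjection":    re.compile(r"keystroke|key code", re.I),
    "NetworkActivity": re.compile(r"curl|wget|open location", re.I),
    "PersistenceHint": re.compile(r"launchctl|LaunchAgent", re.I),
}
OSASCRIPT = re.compile(r"osascript", re.I)

# Hypothetical tuning allowlist for the MDM false positive named in the tuning section:
# parent process names that legitimately drive osascript. These names are assumptions.
BENIGN_PARENTS = frozenset({"jamf", "jamfAgent"})


# Constructed sample events shaped like ProcessRollup2 records. Field names follow the
# query's table(); every value is made up for this example.
def _ev(ts, host, user, image, parent, cmd):
    return {"event_simpleName": "ProcessRollup2", "@timestamp": ts, "ComputerName": host,
            "UserName": user, "ImageFileName": image, "ParentBaseFileName": parent,
            "CommandLine": cmd}


SAMPLE_EVENTS = [
    _ev("2024-01-01T10:00:00Z", "mac-01", "alice", "/usr/bin/osascript", "Terminal",
        "osascript -e 'display dialog \"Test dialog\"'"),
    _ev("2024-01-01T10:01:00Z", "mac-01", "alice", "/usr/bin/osascript", "Terminal",
        "osascript -e 'do shell script \"whoami\"'"),
    _ev("2024-01-01T10:02:00Z", "mac-02", "bob", "/usr/bin/osascript", "zsh",
        "osascript -e 'tell application \"System Events\" to keystroke \"a\"'"),
    _ev("2024-01-01T10:03:00Z", "mac-02", "bob", "/usr/bin/osascript", "zsh",
        "osascript -e 'do shell script \"launchctl list\"'"),
    _ev("2024-01-01T10:04:00Z", "mac-03", "root", "/usr/bin/osascript", "jamf",
        "osascript -e 'display dialog \"A software update is available\"'"),
    _ev("2024-01-01T10:05:00Z", "mac-04", "dev", "/usr/bin/osascript", "Xcode",
        "osascript /Users/dev/build/notify.scpt"),
    _ev("2024-01-01T10:06:00Z", "mac-04", "dev", "/bin/ls", "zsh", "ls -la"),
]


def score_event(event, benign_parents=frozenset()):
    """Apply the query's filter chain to one event.

    Returns a dict of the five boolean signal flags plus SuspicionSignals, or None when
    the event is filtered out: wrong event type, not an osascript execution, suppressed
    by the parent-process allowlist, or matching no signal at all.
    """
    if event.get("event_simpleName") != "ProcessRollup2":
        return None
    cmd = event.get("CommandLine", "")
    if not (OSASCRIPT.search(event.get("ImageFileName", "")) or OSASCRIPT.search(cmd)):
        return None
    if event.get("ParentBaseFileName") in benign_parents:
        return None
    flags = {name: bool(rx.search(cmd)) for name, rx in SIGNALS.items()}
    total = sum(flags.values())
    if total == 0:
        return None
    return {**flags, "SuspicionSignals": total}


def run(events, benign_parents=frozenset()):
    """Equivalent of the query's table() + sort(): scored rows, newest first."""
    rows = []
    for ev in events:
        scored = score_event(ev, benign_parents)
        if scored is not None:
            rows.append({"@timestamp": ev["@timestamp"], "ComputerName": ev["ComputerName"],
                         "UserName": ev["UserName"], "ParentBaseFileName": ev["ParentBaseFileName"],
                         "CommandLine": ev["CommandLine"], **scored})
    rows.sort(key=lambda r: r["@timestamp"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in run(SAMPLE_EVENTS, BENIGN_PARENTS):
        print(row["@timestamp"], row["ComputerName"], row["SuspicionSignals"], row["CommandLine"])
```

Two things the walk-through makes visible. First, the query's broad CommandLine prefilter (the line listing System Events, NSAppleScript, bash -c, python and so on) only narrows the scan: every term that contributes to SuspicionSignals also appears in it, so the final SuspicionSignals > 0 filter already guarantees the same result set, and terms such as python or bash -c never raise the score on their own. Second, suppressing by ParentBaseFileName is the narrowest tuning for the MDM case: the Jamf-driven dialog above still scores 1 and is dropped only because of its parent, while an identical dialog launched from Terminal is still surfaced.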

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: AppleScript Credential Harvesting Dialog

    Expected signal: Unified Log: osascript process creation with 'display dialog' in command arguments. MDE DeviceProcessEvents with ProcessCommandLine containing the dialog text. The dialog will appear on screen — click Cancel to dismiss.

  2. Test 2: AppleScript Shell Command Execution

    Expected signal: Unified Log: osascript spawning /bin/sh to execute 'whoami'. Process tree shows osascript -> sh -> whoami chain. MDE DeviceProcessEvents captures the full chain.

  3. Test 3: AppleScript Keystroke Injection via System Events

    Expected signal: Unified Log: osascript process with 'keystroke' in command arguments. System Events accessibility check may generate TCC prompt. MDE DeviceProcessEvents captures the osascript invocation.
