Detect AppleScript in IBM QRadar
Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents. Scripts can be run from the command-line via osascript /path/to/script or osascript -e 'script here'. AppleScripts can also be executed as plain text shell scripts, from within mach-O binaries using NSAppleScript or OSAScript APIs, or through Mail rules, Calendar.app alarms, and Automator workflows. Adversaries may abuse AppleScript to interact with open SSH connections, present fake dialog boxes for credential harvesting, and execute native APIs on macOS 10.10+.
MITRE ATT&CK
- Tactic
- Execution
- Technique
- T1059 Command and Scripting Interpreter
- Sub-technique
- T1059.002 AppleScript
- Canonical reference
- https://attack.mitre.org/techniques/T1059/002/
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
LOGSOURCENAME(logsourceid) AS LogSource,
sourceip AS HostIP,
username AS AccountName,
"Process Name" AS ProcessName,
"Command" AS CommandLine,
CATEGORYNAME(category) AS CategoryName,
QIDNAME(qid) AS EventName
FROM events
WHERE
LOGSOURCETYPENAME(devicetype) IN ('Apple macOS', 'OSQuery', 'Carbon Black EDR', 'CrowdStrike Falcon')
AND (
"Process Name" ILIKE '%osascript%'
OR "Command" ILIKE '%osascript%'
)
AND (
"Command" ILIKE '%display dialog%'
OR "Command" ILIKE '%do shell script%'
OR "Command" ILIKE '%keystroke%'
OR "Command" ILIKE '%key code%'
OR "Command" ILIKE '%open location%'
OR "Command" ILIKE '%System Events%'
OR "Command" ILIKE '%NSAppleScript%'
OR "Command" ILIKE '%OSAScript%'
OR "Command" ILIKE '%launchctl%'
OR "Command" ILIKE '%Launch Agent%'
OR "Command" ILIKE '%curl%'
OR "Command" ILIKE '%wget%'
OR "Command" ILIKE '%bash -c%'
OR "Command" ILIKE '%python%'
)
ORDER BY starttime DESC
LAST 24 HOURSDetects suspicious AppleScript (osascript) execution by correlating process name and command line fields from macOS log sources forwarded to QRadar. Covers credential harvesting dialogs, shell execution, keystroke injection, and network-based download patterns consistent with T1059.002 abuse.
Data Sources
Required Tables
False Positives & Tuning
- MDM platforms (Jamf Pro, Mosyle) executing osascript during policy enforcement or software deployment tasks
- Security tooling such as endpoint agents that invoke osascript to query macOS system state or display user notifications
- Developer or QA automation running AppleScript UI testing frameworks such as applesimutils or XCTest UI
Other platforms for T1059.002
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1AppleScript Credential Harvesting Dialog
Expected signal: Unified Log: osascript process creation with 'display dialog' in command arguments. MDE DeviceProcessEvents with ProcessCommandLine containing the dialog text. The dialog will appear on screen — click Cancel to dismiss.
- Test 2AppleScript Shell Command Execution
Expected signal: Unified Log: osascript spawning /bin/sh to execute 'whoami'. Process tree shows osascript -> sh -> whoami chain. MDE DeviceProcessEvents captures the full chain.
- Test 3AppleScript Keystroke Injection via System Events
Expected signal: Unified Log: osascript process with 'keystroke' in command arguments. System Events accessibility check may generate TCC prompt. MDE DeviceProcessEvents captures the osascript invocation.
References (6)
- https://attack.mitre.org/techniques/T1059/002/
- https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/
- https://developer.apple.com/library/archive/documentation/AppleScript/Conceptual/AppleScriptLangGuide/introduction/ASLR_intro.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md
- https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/
- https://objective-see.org/
Unlock Pro Content
Get the full detection package for T1059.002 including response playbook, investigation guide, and atomic red team tests.