Detect AppleScript in Microsoft Sentinel
Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents. Scripts can be run from the command-line via osascript /path/to/script or osascript -e 'script here'. AppleScripts can also be executed as plain text shell scripts, from within mach-O binaries using NSAppleScript or OSAScript APIs, or through Mail rules, Calendar.app alarms, and Automator workflows. Adversaries may abuse AppleScript to interact with open SSH connections, present fake dialog boxes for credential harvesting, and execute native APIs on macOS 10.10+.
MITRE ATT&CK
- Tactic
- Execution
- Technique
- T1059 Command and Scripting Interpreter
- Sub-technique
- T1059.002 AppleScript
- Canonical reference
- https://attack.mitre.org/techniques/T1059/002/
KQL Detection Query
let SuspiciousPatterns = dynamic([
"osascript", "do shell script", "display dialog",
"System Events", "keystroke", "key code",
"tell application", "open location",
"NSAppleScript", "OSAScript",
"curl", "wget", "python", "bash -c",
"launchctl", "Launch Agent"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "osascript" or ProcessCommandLine has "osascript"
| where ProcessCommandLine has_any (SuspiciousPatterns)
| extend FakeDialog = ProcessCommandLine has "display dialog"
| extend ShellExec = ProcessCommandLine has "do shell script"
| extend KeyInjection = ProcessCommandLine has_any ("keystroke", "key code")
| extend NetworkActivity = ProcessCommandLine has_any ("curl", "wget", "open location")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine,
FakeDialog, ShellExec, KeyInjection, NetworkActivity
| sort by Timestamp descDetects suspicious AppleScript execution via osascript on macOS endpoints using MDE. Identifies fake dialog boxes (credential harvesting), shell command execution, keystroke injection, and network activity patterns commonly used by macOS malware like Dok, ThiefQuest, and Cuckoo Stealer.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate macOS automation workflows using Automator or Shortcuts that invoke osascript
- Developer tools and IDEs (Xcode, VS Code) that use AppleScript for macOS integration
- IT management tools (Jamf, Munki) that use osascript for user notifications and prompts
Other platforms for T1059.002
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1AppleScript Credential Harvesting Dialog
Expected signal: Unified Log: osascript process creation with 'display dialog' in command arguments. MDE DeviceProcessEvents with ProcessCommandLine containing the dialog text. The dialog will appear on screen — click Cancel to dismiss.
- Test 2AppleScript Shell Command Execution
Expected signal: Unified Log: osascript spawning /bin/sh to execute 'whoami'. Process tree shows osascript -> sh -> whoami chain. MDE DeviceProcessEvents captures the full chain.
- Test 3AppleScript Keystroke Injection via System Events
Expected signal: Unified Log: osascript process with 'keystroke' in command arguments. System Events accessibility check may generate TCC prompt. MDE DeviceProcessEvents captures the osascript invocation.
References (6)
- https://attack.mitre.org/techniques/T1059/002/
- https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/
- https://developer.apple.com/library/archive/documentation/AppleScript/Conceptual/AppleScriptLangGuide/introduction/ASLR_intro.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md
- https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/
- https://objective-see.org/
Unlock Pro Content
Get the full detection package for T1059.002 including response playbook, investigation guide, and atomic red team tests.