Detect AppleScript in Splunk
Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents. Scripts can be run from the command-line via osascript /path/to/script or osascript -e 'script here'. AppleScripts can also be executed as plain text shell scripts, from within mach-O binaries using NSAppleScript or OSAScript APIs, or through Mail rules, Calendar.app alarms, and Automator workflows. Adversaries may abuse AppleScript to interact with open SSH connections, present fake dialog boxes for credential harvesting, and execute native APIs on macOS 10.10+.
MITRE ATT&CK
- Tactic
- Execution
- Technique
- T1059 Command and Scripting Interpreter
- Sub-technique
- T1059.002 AppleScript
- Canonical reference
- https://attack.mitre.org/techniques/T1059/002/
SPL Detection Query
index=osquery OR index=macos sourcetype="osquery:results" OR sourcetype="macos_secure_event"
(name="process_events" OR name="processes")
(columns.path="*/osascript" OR columns.cmdline="*osascript*")
| eval cmdline=coalesce(columns.cmdline, cmdline)
| eval FakeDialog=if(match(cmdline, "display dialog"), 1, 0)
| eval ShellExec=if(match(cmdline, "do shell script"), 1, 0)
| eval KeyInjection=if(match(cmdline, "(keystroke|key code)"), 1, 0)
| eval NetworkActivity=if(match(cmdline, "(curl|wget|open location)"), 1, 0)
| eval SuspicionScore=FakeDialog + ShellExec + KeyInjection + NetworkActivity
| where SuspicionScore > 0
| table _time, host, columns.uid, columns.path, cmdline, columns.parent, FakeDialog, ShellExec, KeyInjection, NetworkActivity, SuspicionScore
| sort - _timeDetects suspicious AppleScript execution via osascript using osquery process events or macOS endpoint logs. Evaluates command lines for fake dialog prompts, shell command execution, keystroke injection, and network activity. Uses a suspicion score to prioritize alerts with multiple indicators.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate macOS automation workflows using Automator or Shortcuts that invoke osascript
- Developer tools and IDEs (Xcode, VS Code) that use AppleScript for macOS integration
- IT management tools (Jamf, Munki) that use osascript for user notifications and prompts
Other platforms for T1059.002
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1AppleScript Credential Harvesting Dialog
Expected signal: Unified Log: osascript process creation with 'display dialog' in command arguments. MDE DeviceProcessEvents with ProcessCommandLine containing the dialog text. The dialog will appear on screen — click Cancel to dismiss.
- Test 2AppleScript Shell Command Execution
Expected signal: Unified Log: osascript spawning /bin/sh to execute 'whoami'. Process tree shows osascript -> sh -> whoami chain. MDE DeviceProcessEvents captures the full chain.
- Test 3AppleScript Keystroke Injection via System Events
Expected signal: Unified Log: osascript process with 'keystroke' in command arguments. System Events accessibility check may generate TCC prompt. MDE DeviceProcessEvents captures the osascript invocation.
References (6)
- https://attack.mitre.org/techniques/T1059/002/
- https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/
- https://developer.apple.com/library/archive/documentation/AppleScript/Conceptual/AppleScriptLangGuide/introduction/ASLR_intro.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md
- https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/
- https://objective-see.org/
Unlock Pro Content
Get the full detection package for T1059.002 including response playbook, investigation guide, and atomic red team tests.