T1059.002 Sumo Logic CSE · Sumo

Detect AppleScript in Sumo Logic CSE

Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents. Scripts can be run from the command-line via osascript /path/to/script or osascript -e 'script here'. AppleScripts can also be executed as plain text shell scripts, from within mach-O binaries using NSAppleScript or OSAScript APIs, or through Mail rules, Calendar.app alarms, and Automator workflows. Adversaries may abuse AppleScript to interact with open SSH connections, present fake dialog boxes for credential harvesting, and execute native APIs on macOS 10.10+.

MITRE ATT&CK

Tactic
Execution
Technique
T1059 Command and Scripting Interpreter
Sub-technique
T1059.002 AppleScript
Canonical reference
https://attack.mitre.org/techniques/T1059/002/

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
(_sourceCategory=*/osquery OR _sourceCategory=*/macos/security OR _sourceCategory=macos/edr)
| where name = "process_events" OR name = "processes" OR _sourceName matches "*process*"
| where columns_path matches "*/osascript" OR cmdline matches "*osascript*" OR columns_cmdline matches "*osascript*"
| eval cmdline = if (!isNull(columns_cmdline), columns_cmdline, cmdline)
| eval FakeDialog      = if (cmdline matches "*display dialog*", 1, 0)
| eval ShellExec       = if (cmdline matches "*do shell script*", 1, 0)
| eval KeyInjection    = if (cmdline matches "*keystroke*" OR cmdline matches "*key code*", 1, 0)
| eval NetworkActivity = if (cmdline matches "*curl*" OR cmdline matches "*wget*" OR cmdline matches "*open location*", 1, 0)
| eval PersistenceHint = if (cmdline matches "*launchctl*" OR cmdline matches "*Launch Agent*", 1, 0)
| eval SuspicionScore  = FakeDialog + ShellExec + KeyInjection + NetworkActivity + PersistenceHint
| where SuspicionScore > 0
| fields _time, host, columns_uid, columns_path, cmdline, columns_parent, FakeDialog, ShellExec, KeyInjection, NetworkActivity, PersistenceHint, SuspicionScore
| sort by _time desc
high severity medium confidence

Sumo Logic query targeting OSQuery process_events or macOS EDR telemetry to detect suspicious osascript invocations. Calculates a multi-signal suspicion score based on the presence of credential dialog patterns, shell execution, key injection, network download activity, and persistence mechanism references. Any event with score > 0 is surfaced for triage.

Data Sources

OSQuery results via Sumo Logic Installed CollectormacOS Unified Log via Sumo Logic macOS SourceEDR telemetry (CrowdStrike, Carbon Black) forwarded to Sumo Logic

Required Tables

_sourceCategory=*/osquery_sourceCategory=*/macos/security_sourceCategory=macos/edr

False Positives & Tuning

  • Automated deployment tools using AppleScript to configure macOS system preferences during imaging or provisioning workflows
  • AppleScript-based GUI automation in CI/CD pipelines for macOS application testing (e.g., GitHub Actions macOS runners)
  • Legitimate productivity applications (e.g., Alfred, Keyboard Maestro) executing osascript to perform user-configured automation macros
Download portable Sigma rule (.yml)

Other platforms for T1059.002

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1AppleScript Credential Harvesting Dialog

    Expected signal: Unified Log: osascript process creation with 'display dialog' in command arguments. MDE DeviceProcessEvents with ProcessCommandLine containing the dialog text. The dialog will appear on screen — click Cancel to dismiss.

  2. Test 2AppleScript Shell Command Execution

    Expected signal: Unified Log: osascript spawning /bin/sh to execute 'whoami'. Process tree shows osascript -> sh -> whoami chain. MDE DeviceProcessEvents captures the full chain.

  3. Test 3AppleScript Keystroke Injection via System Events

    Expected signal: Unified Log: osascript process with 'keystroke' in command arguments. System Events accessibility check may generate TCC prompt. MDE DeviceProcessEvents captures the osascript invocation.

Last updated: 2026-04-16 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1059.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1059Command and Scripting Interpreter

Related Sub-techniques

T1059.001PowerShellT1059.003Windows Command ShellT1059.004Unix ShellT1059.005Visual BasicT1059.006PythonT1059.007JavaScriptT1059.008Network Device CLIT1059.009Cloud APIT1059.010AutoHotKey & AutoITT1059.011LuaT1059.012Hypervisor CLIT1059.013Container CLI/API

Related Techniques

T1059Command and Scripting InterpreterT1059.004Unix ShellT1059.007JavaScriptT1056.002GUI Input CaptureT1543.001Launch AgentT1543.004Launch DaemonT1106Native API

Same Tactic: Execution

Popular Detections