title: AppleScript (T1059.002)
id: df00tech-t1059-002
status: experimental
description: "Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents. Scripts can be run from the command-line via osascript /path/to/script or osascript -e 'script here'. AppleScripts can also be executed as plain text shell scripts, from within Mach-O binaries using NSAppleScript or OSAScript APIs, or through Mail rules, Calendar.app alarms, and Automator workflows. Adversaries may abuse AppleScript to interact with open SSH connections, present fake dialog boxes for credential harvesting, and execute native APIs on macOS 10.10+."
references:
  - https://attack.mitre.org/techniques/T1059/002/
  - https://df00tech.com/detections/T1059.002
author: df00tech
date: 2026/04/16
tags:
  - attack.t1059.002
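# NOTE: logsource is auto-derived and may need adjustment for your environment.
# AppleScript executes only on macOS, so the product is macos rather than windows.
logsource:
  category: process_creation
  product: macos
detection:
  # The original detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # Baseline (assumption, not the df00tech query): match any launch of the osascript
  # binary named in the description. Tune with CommandLine or ParentImage filters
  # for the automation tools listed under falsepositives.
  selection:
    Image|endswith: '/osascript'
  condition: selection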
falsepositives:
  - Legitimate macOS automation workflows using Automator or Shortcuts that invoke osascript
  - "Developer tools and IDEs (Xcode, VS Code) that use AppleScript for macOS integration"
  - "IT management tools (Jamf, Munki) that use osascript for user notifications and prompts"
level: medium
