MacOS Scripting Interpreter AppleScript
Detects execution of AppleScript, the macOS scripting language, through the osascript interpreter.
Sigma rule

```yaml
title: MacOS Scripting Interpreter AppleScript
id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55
status: test
description: Detects execution of AppleScript of the macOS scripting language AppleScript.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.002/T1059.002.md
    - https://redcanary.com/blog/applescript/
author: Alejandro Ortuno, oscd.community
date: 2020-10-21
modified: 2023-02-01
tags:
    - attack.execution
    - attack.t1059.002
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        Image|endswith: '/osascript'
        CommandLine|contains:
            - ' -e '
            - '.scpt'
            - '.js'
    condition: selection
falsepositives:
    - Application installers might contain scripts as part of the installation process.
level: medium
```
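The rule's `selection` evaluated over constructed process-creation events, as an added example that is not part of the original page or the rule author's code. The helper names `matches_rule` and `triage` and every sample event are assumptions; matching is case-insensitive, which is Sigma's default for string values.

```python
# Added example: applies the rule's `selection` to constructed events.
# Image and CommandLine are the rule's field names; the events are made up.

IMAGE_SUFFIX = "/osascript"                # Image|endswith
CMDLINE_NEEDLES = (" -e ", ".scpt", ".js")  # CommandLine|contains


def matches_rule(event: dict) -> bool:
    """Image|endswith AND CommandLine|contains (any listed value).

    In Sigma, the fields of one selection map are ANDed, a list of values
    under a single field is ORed, and `contains` is a plain substring test.
    """
    image = str(event.get("Image", "")).lower()
    cmdline = str(event.get("CommandLine", "")).lower()
    if not image.endswith(IMAGE_SUFFIX):
        return False
    return any(needle in cmdline for needle in CMDLINE_NEEDLES)


# Constructed process_creation events (not taken from real telemetry).
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/osascript",
     "CommandLine": "osascript -e 'display dialog \"Hello\"'"},
    {"Image": "/usr/bin/osascript",
     "CommandLine": "osascript /Users/test/Library/Scripts/report.scpt"},
    {"Image": "/usr/bin/osascript",
     "CommandLine": "osascript -l JavaScript /tmp/example.js"},
    # Installer helper: the false positive the rule itself lists. The rule
    # cannot tell it apart from the first event, so triage needs the parent.
    {"Image": "/usr/bin/osascript",
     "CommandLine": "osascript -e 'tell application \"Finder\" to activate'"},
    # Not osascript: the Image condition fails even though '.js' is present.
    {"Image": "/usr/local/bin/node", "CommandLine": "node server.js"},
]


def triage(events):
    """Return the command lines of events the selection would alert on."""
    return [e["CommandLine"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Four of the five sample events alert, including the installer-style one, which is why the rule is rated medium and lists installers as a false positive.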
Related rules
- Clipboard Data Collection Via OSAScript
- JXA In-memory Execution Via OSAScript
- OSACompile Run-Only Execution
- Osacompile Execution By Potentially Suspicious Applet/Osascript
- Suspicious Execution via macOS Script Editor