MacOS Scripting Interpreter AppleScript

Feb 1, 2023 · attack.execution attack.t1059.002 ·

Detects execution of AppleScript of the macOS scripting language AppleScript.

Sigma rule (View on GitHub)

 1title: MacOS Scripting Interpreter AppleScript
 2id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55
 3status: test
 4description: Detects execution of AppleScript of the macOS scripting language AppleScript.
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.002/T1059.002.md
 7    - https://redcanary.com/blog/applescript/
 8author: Alejandro Ortuno, oscd.community
 9date: 2020/10/21
10modified: 2023/02/01
11tags:
12    - attack.execution
13    - attack.t1059.002
14logsource:
15    category: process_creation
16    product: macos
17detection:
18    selection:
19        Image|endswith: '/osascript'
20        CommandLine|contains:
21            - ' -e '
22            - '.scpt'
23            - '.js'
24    condition: selection
25falsepositives:
26    - Application installers might contain scripts as part of the installation process.
27level: medium

References

atomic-red-team/atomics/T1059.002/T1059.002.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

Read More
Going off script: Thwarting OSA, AppleScript, and JXA abuse

Experts from Red Canary, Jamf, and MITRE ATT&CK opine on ways to detect and prevent manipulation of macOS’s scripting architecture.

Read More

MacOS Scripting Interpreter AppleScript

Sigma rule (View on GitHub)

References

atomic-red-team/atomics/T1059.002/T1059.002.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

Going off script: Thwarting OSA, AppleScript, and JXA abuse

Related rules