MacOS Scripting Interpreter AppleScript
Detects execution of AppleScript, the macOS scripting language, through the osascript interpreter.
Sigma rule
```yaml
title: MacOS Scripting Interpreter AppleScript
id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55
status: test
description: Detects execution of AppleScript of the macOS scripting language AppleScript.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.002/T1059.002.md
    - https://redcanary.com/blog/applescript/
author: Alejandro Ortuno, oscd.community
date: 2020-10-21
modified: 2026-05-21
tags:
    - attack.execution
    - attack.t1059.002
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        Image|endswith: '/osascript'
        CommandLine|contains:
            - ' -e '
            - '.scpt'
            - '.js'
    filter_optional_opencode:
        # OpenCode uses osascript to handle copying text from the TUI on MacOS devices. See https://github.com/anomalyco/opencode/blob/ca723f1cbc6fc4244ae57e61e9de8c4e37380ed4/packages/opencode/src/cli/cmd/tui/util/clipboard.ts#L65 for reference.
        ParentImage|endswith: 'opencode'
        CommandLine|contains|all:
            - 'osascript'
            - ' -e '
            - 'set imageData to the clipboard'
            - 'set fileRef'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Application installers might contain scripts as part of the installation process.
level: medium
```
Related rules
- Clipboard Access Via OSAScript
- Axios NPM Compromise Indicators - macOS
- Suspicious Execution via macOS Script Editor
- JXA In-memory Execution Via OSAScript
- OSACompile Run-Only Execution