Clipboard Access Via OSAScript

Detects access to clipboard content via osascript, which may be used for data collection but also occurs in legitimate clipboard utilities and automation scripts

Sigma rule

```yaml
title: Clipboard Access Via OSAScript
id: 7794fa3c-edea-4cff-bec7-267dd4770fd7
related:
    - id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55
      type: derived
status: test
description: Detects access to clipboard content via osascript, which may be used for data collection but also occurs in legitimate clipboard utilities and automation scripts
references:
    - https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/
author: Sohan G (D4rkCiph3r)
date: 2023-01-31
modified: 2026-05-22
tags:
    - attack.collection
    - attack.execution
    - attack.t1115
    - attack.t1059.002
logsource:
    product: macos
    category: process_creation
detection:
    selection:
        Image|endswith: '/osascript'
        CommandLine|contains|all:
            - ' -e '
            - 'clipboard'
    filter_optional_opencode:
        # OpenCode uses osascript to handle copying text from the TUI on MacOS devices. See https://github.com/anomalyco/opencode/blob/ca723f1cbc6fc4244ae57e61e9de8c4e37380ed4/packages/opencode/src/cli/cmd/tui/util/clipboard.ts#L65 for reference.
        ParentImage|endswith: 'opencode'
        CommandLine|contains|all:
            - 'osascript'
            - ' -e '
            - 'set imageData to the clipboard'
            - 'set fileRef'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Legitimate clipboard utilities and automation scripts that read or write clipboard content
    - Developer tools and IDEs that use osascript for clipboard integration
level: medium
```
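To show how the selection, the OpenCode filter and the `condition` combine, here is an added Python re-implementation of the rule's matching logic run over constructed process_creation events. It is example code, not part of the Sigma rule or the Sigma project; the `ProcessEvent` fields, the sample command lines and the assumption that Sigma string modifiers compare case-insensitively (the Sigma default) are this example's own.

```python
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal macOS process_creation event (constructed; field names mirror the rule)."""
    Image: str
    CommandLine: str
    ParentImage: str = ""


def _contains_all(haystack: str, needles: tuple) -> bool:
    # Sigma string matching is case-insensitive by default, so compare lowercased.
    h = haystack.lower()
    return all(n.lower() in h for n in needles)


def selection(ev: ProcessEvent) -> bool:
    """Image|endswith '/osascript' AND CommandLine|contains|all [' -e ', 'clipboard']."""
    return ev.Image.lower().endswith("/osascript") and _contains_all(
        ev.CommandLine, (" -e ", "clipboard"))


def filter_optional_opencode(ev: ProcessEvent) -> bool:
    """The rule's false-positive filter for OpenCode's TUI clipboard helper."""
    return ev.ParentImage.lower().endswith("opencode") and _contains_all(
        ev.CommandLine, ("osascript", " -e ", "set imageData to the clipboard", "set fileRef"))


def matches(ev: ProcessEvent) -> bool:
    """condition: selection and not 1 of filter_optional_*"""
    return selection(ev) and not filter_optional_opencode(ev)


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent("/usr/bin/osascript", "osascript -e 'the clipboard as text'", "/bin/zsh"),   # alert
    ProcessEvent("/usr/bin/osascript", "osascript -e 'set x to the Clipboard'", "/bin/bash"),  # alert (case differs)
    ProcessEvent("/usr/bin/osascript",
                 "osascript -e 'set imageData to the clipboard as «class PNGf»' "
                 "-e 'set fileRef to open for access POSIX file \"/tmp/img.png\" with write permission'",
                 "/opt/homebrew/bin/opencode"),                                                # suppressed by filter
    ProcessEvent("/usr/bin/osascript", "osascript -e 'display dialog \"hello\"'", "/bin/zsh"),  # no clipboard access
    ProcessEvent("/usr/bin/pbpaste", "pbpaste", "/bin/zsh"),                                   # not osascript
]


def alerts(events):
    """Return the command lines the rule would alert on."""
    return [e.CommandLine for e in events if matches(e)]


if __name__ == "__main__":
    for cl in alerts(SAMPLE_EVENTS):
        print("ALERT:", cl)
```

Swapping `filter_optional_opencode` for a stricter or looser predicate shows directly how much of the benign developer-tool noise the `falsepositives` section describes gets suppressed.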
