Skip to content

DET0414 Detection of AppleScript-Based Execution on macOS

Item Value
ID DET0414
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1059.002 (AppleScript)

Analytics

macOS

AN1164

Detects AppleScript execution via ‘osascript’, NSAppleScript/OSAScript APIs, and abnormal application control events across user sessions. Focuses on causal chains such as osascript spawning child processes, script-induced keystrokes, or API-backed dialog spoofing.

Log Sources
Data Component Name Channel
Process Creation (DC0032) macos:unifiedlog process: spawn, exec
Mutable Elements
Field Description
ScriptInvocationParent Identify rare or suspicious parent processes launching AppleScript (e.g., Safari, Mail, msedge).
TimeWindow Flag AppleScript execution during user-inactive hours, especially for automation frameworks.
AppleEventActionType Filter AppleEvent-based automation involving UI interaction, keystrokes, or remote control.
TargetApplicationSet Scope AppleScript use toward security-sensitive apps (e.g., Terminal, ssh, Keychain Access).
ExecutionPathRegex Restrict to unusual paths like /tmp/, ~/Library/, or embedded in Automator workflows.