Description
Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.
Scripts can be run from the command-line via osascript /path/to/script or osascript -e "script here". Aside from the command line, scripts can be executed in numerous ways including Mail rules, Calendar.app alarms, and Automator workflows. AppleScripts can also be executed as plain text shell scripts by adding #!/usr/bin/osascript to the start of the script file.(Citation: SentinelOne AppleScript)
AppleScripts do not need to call osascript to execute. However, they may be executed from within mach-O binaries by using the macOS Native APIs NSAppleScript or OSAScript, both of which execute code independent of the /usr/bin/osascript command line utility.
Adversaries may abuse AppleScript to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally), but they can interact with applications if they're already running remotely. On macOS 10.10 Yosemite and higher, AppleScript has the ability to execute Native APIs, which otherwise would require compilation and execution in a mach-O binary file format.(Citation: SentinelOne macOS Red Team) Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via Python.(Citation: Macro Malware Targets Macs)
Reverse Shell Cheatsheet
Read our in-depth pentesting guide related to this technique
Platforms
Mitigations (2)
Code SigningM1045
Require that all AppleScript be signed by a trusted developer ID before being executed - this will prevent random AppleScript code from executing.(Citation: applescript signing) This subjects AppleScript code to the same scrutiny as other .app files passing through Gatekeeper.
Execution PreventionM1038
Use application control where appropriate.
Associated Software (6)
| ID | Name | Type | Context |
|---|---|---|---|
| S0281 | Dok | Malware | [Dok](https://attack.mitre.org/software/S0281) uses AppleScript to create a login item for persistence.(Citation: objsee mac malware 2017) |
| S0595 | ThiefQuest | Malware | [ThiefQuest](https://attack.mitre.org/software/S0595) uses [AppleScript](https://attack.mitre.org/techniques/T1059/002)'s <code>osascript -e</code> co... |
| S9010 | GlassWorm | Malware | [GlassWorm](https://attack.mitre.org/software/S9010) has utilized AppleScript to include `set keychainPassword to do shell script` to execute shell co... |
| S0482 | Bundlore | Malware | [Bundlore](https://attack.mitre.org/software/S0482) can use AppleScript to inject malicious JavaScript into a browser.(Citation: MacKeeper Bundlore Ap... |
| S1153 | Cuckoo Stealer | Malware | [Cuckoo Stealer](https://attack.mitre.org/software/S1153) can use osascript to generate a password-stealing prompt, duplicate files and folders, and s... |
| S1048 | macOS.OSAMiner | Malware | [macOS.OSAMiner](https://attack.mitre.org/software/S1048) has used `osascript` to call itself via the `do shell script` command in the [Launch Agent](... |
Related CWE Weaknesses
References
- Apple. (2016, January 25). Introduction to AppleScript Language Guide. Retrieved March 28, 2020.
- Phil Stokes. (2019, December 5). macOS Red Team: Calling Apple APIs Without Building Binaries. Retrieved July 17, 2020.
- Phil Stokes. (2020, March 16). How Offensive Actors Use AppleScript For Attacking macOS. Retrieved July 17, 2020.
- Yerko Grbic. (2017, February 14). Macro Malware Targets Macs. Retrieved July 8, 2017.
Frequently Asked Questions
What is T1059.002 (AppleScript)?
T1059.002 is a MITRE ATT&CK technique named 'AppleScript'. It belongs to the Execution tactic(s). Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citat...
How can T1059.002 be detected?
Detection of T1059.002 (AppleScript) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1059.002?
There are 2 documented mitigations for T1059.002. Key mitigations include: Code Signing, Execution Prevention.
Which threat groups use T1059.002?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.