MITRE ATT&CK / T1059.002
T1059.002
AppleScript
Description
Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.Scripts can be run from the command-line via <code>osascript /path/to/script</code> or <code>osascript -e "script here"</code>. Aside from the command line, scripts can be executed in numerous ways including Mail rules, Calendar.app alarms, and Automator workflows. AppleScripts can also be executed as plain text shell scripts by adding <code>#!/usr/bin/osascript</code> to the start of the script file.(Citation: SentinelOne AppleScript)AppleScripts do not need to call <code>osascript</code> to execute. However, they may be executed from within mach-O binaries by using the macOS [Native API](https://attack.mitre.org/techniques/T1106)s <code>NSAppleScript</code> or <code>OSAScript</code>, both of which execute code independent of the <code>/usr/bin/osascript</code> command line utility.Adversaries may abuse AppleScript to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally…
Platforms
Mitigations
- M1045 — Code Signing
- M1038 — Execution Prevention
Use our free MITRE ATT&CK lookup tool, or browse the full ATT&CK matrix.
Our coverage
- MacSync Stealer: Hackers Abuse Google Ads and Claude.ai Chats to Push Mac Malware
- How to install theHarvester tool
- How to install MongoDB on Linux and windows
- Best Information Gathering Tools
- What is nslookup command in Linux
Source: MITRE ATT&CK Enterprise matrix. View on attack.mitre.org →