T1059.002 AppleScript Mappings

Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.

Scripts can be run from the command-line via <code>osascript /path/to/script</code> or <code>osascript -e "script here"</code>. Aside from the command line, scripts can be executed in numerous ways including Mail rules, Calendar.app alarms, and Automator workflows. AppleScripts can also be executed as plain text shell scripts by adding <code>#!/usr/bin/osascript</code> to the start of the script file.(Citation: SentinelOne AppleScript)

AppleScripts do not need to call <code>osascript</code> to execute, however. They may be executed from within mach-O binaries by using the macOS Native APIs <code>NSAppleScript</code> or <code>OSAScript</code>, both of which execute code independent of the <code>/usr/bin/osascript</code> command line utility.

Adversaries may abuse AppleScript to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally), but they can interact with applications if they're already running remotely. On macOS 10.10 Yosemite and higher, AppleScript has the ability to execute Native APIs, which otherwise would require compilation and execution in a mach-O binary file format.(Citation: SentinelOne macOS Red Team). Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via Python.(Citation: Macro Malware Targets Macs)



Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
CM-2 Baseline Configuration Protects T1059.002 AppleScript
CM-6 Configuration Settings Protects T1059.002 AppleScript
CM-7 Least Functionality Protects T1059.002 AppleScript
IA-9 Service Identification and Authentication Protects T1059.002 AppleScript
SI-10 Information Input Validation Protects T1059.002 AppleScript
SI-4 System Monitoring Protects T1059.002 AppleScript
SI-7 Software, Firmware, and Information Integrity Protects T1059.002 AppleScript
SR-11 Component Authenticity Protects T1059.002 AppleScript
SR-4 Provenance Protects T1059.002 AppleScript
SR-5 Acquisition Strategies, Tools, and Methods Protects T1059.002 AppleScript
SR-6 Supplier Assessments and Reviews Protects T1059.002 AppleScript
action.hacking.variety.Abuse of functionality Abuse of functionality related-to T1059.002 Command and Scripting Interpreter: AppleScript
action.hacking.vector.Command shell Remote shell related-to T1059.002 Command and Scripting Interpreter: AppleScript