- Home
- Techniques
- Enterprise
- Command and Scripting Interpreter
- AppleScript
Command and Scripting Interpreter: AppleScript
Other sub-techniques of Command and Scripting Interpreter (7)
ID | Name |
---|---|
T1059.001 | PowerShell |
T1059.002 | AppleScript |
T1059.003 | Windows Command Shell |
T1059.004 | Unix Shell |
T1059.005 | Visual Basic |
T1059.006 | Python |
T1059.007 | JavaScript/JScript |
Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents. [1] These AppleEvent messages can be easily scripted with AppleScript for local or remote execution.
osascript
executes AppleScript and any other Open Scripting Architecture (OSA) language scripts. A list of OSA languages installed on a system can be found by using the osalang
program. AppleEvent messages can be sent independently or as part of a script. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.
Adversaries can use this to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally though), but can interact with applications if they're already running remotely. Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via Python[2]. Scripts can be run from the command-line via osascript /path/to/script
or osascript -e "script here"
.
Procedure Examples
Name | Description |
---|---|
Bundlore |
Bundlore can use AppleScript to inject malicious JavaScript into a browser.[5] |
Dok |
Dok uses AppleScript to create a login item for persistence.[4] |
Mitigations
Mitigation | Description |
---|---|
Code Signing |
Require that all AppleScript be signed by a trusted developer ID before being executed - this will prevent random AppleScript code from executing.[3] This subjects AppleScript code to the same scrutiny as other .app files passing through Gatekeeper. |
Execution Prevention |
Use application control where appropriate. |
Detection
Monitor for execution of AppleScript through osascript that may be related to other suspicious behavior occurring on the system.
References
- Apple. (2016, January 25). Introduction to AppleScript Language Guide. Retrieved March 28, 2020.
- Yerko Grbic. (2017, February 14). Macro Malware Targets Macs. Retrieved July 8, 2017.
- Steven Sande. (2013, December 23). AppleScript and Automator gain new features in OS X Mavericks. Retrieved September 21, 2018.