T1059.002
Command and Scripting Interpreter AppleScript
Description from ATT&CK
Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.
Scripts can be run from the command-line via osascript /path/to/script or osascript -e "script here". Aside from the command line, scripts can be executed in numerous ways including Mail rules, Calendar.app alarms, and Automator workflows. AppleScripts can also be executed as plain text shell scripts by adding #!/usr/bin/osascript to the start of the script file.(Citation: SentinelOne AppleScript)
AppleScripts do not need to call osascript to execute. However, they may be executed from within Mach-O binaries by using the macOS Native APIs NSAppleScript or OSAScript, both of which execute code independent of the /usr/bin/osascript command line utility.
Adversaries may abuse AppleScript to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally), but they can interact with applications if they're already running remotely. On macOS 10.10 Yosemite and higher, AppleScript has the ability to execute Native APIs, which otherwise would require compilation and execution in a Mach-O binary file format.(Citation: SentinelOne macOS Red Team) Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via Python.(Citation: Macro Malware Targets Macs)
Tests
Test #1 - Open application
Opens an application on the system (launching it first if it is not already running). The application will be in the foreground, with keyboard focus, after running the command.
⚠️ TCC Required: sending an Apple Event to another application needs Automation consent on macOS 10.14 Mojave and later. A caller that has not been approved triggers a user prompt, or fails with "Not authorized to send Apple events" (-1743) when no prompt can be shown.
Input Arguments:
| Argument | Type | Default Value |
|---|---|---|
| applicationName | str | Finder |
```applescript
tell application "Finder" to activate
```
Test #2 - Launch application
Launches an application on the system without bringing it to the foreground. The application will be running in the background after the command completes.
⚠️ TCC Required
Input Arguments:
| Argument | Type | Default Value |
|---|---|---|
| applicationName | str | Finder |
```applescript
tell application "Finder" to launch
```
Test #3 - Close application
Closes every open window of an application on the system. The application's process keeps running; `quit` rather than `close windows` would terminate it.
⚠️ TCC Required
Input Arguments:
| Argument | Type | Default Value |
|---|---|---|
| applicationName | str | Finder |
```applescript
tell application "Finder" to close windows
```
Test #4 - Mute Volume
Mutes the system output volume. `set volume` is a StandardAdditions scripting command handled by osascript itself, so no Apple Event is sent to another application and no TCC Automation consent is involved.
```applescript
set volume with output muted
```
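As an added example (not part of this page's tests and not code from MITRE or the test catalog), the following Python triages process-execution events for the osascript patterns described in the technique description and exercised by the four tests: inline `-e` scripts, script files and shebang scripts (which the kernel executes as `/usr/bin/osascript /path/to/script`), the Apple Event verbs the tests use (`activate`, `launch`, `close windows`), `set volume`, the `do shell script` bridge the description mentions for launching a Python reverse shell, and Mail, Calendar or Automator as the parent process. The event schema (`cmdline`, `parent`, `script_body`), the pids, the paths and the sample events are all constructed assumptions for the example.

```python
import os
import re
import shlex

# AppleScript constructs worth flagging: the verbs used by the tests on this page
# plus the ones the technique description calls out (keystrokes, fake dialogs, shell).
TELL_TARGET_RE = re.compile(r'tell\s+application\s+"([^"]+)"', re.I)
VERB_RE = re.compile(
    r'\b(activate|launch|quit|close\s+windows|keystroke|key\s+code|display\s+dialog)\b', re.I)
SHELL_BRIDGE_RE = re.compile(r'do\s+shell\s+script\s+"((?:[^"\\]|\\.)*)"', re.I)
VOLUME_RE = re.compile(r'\bset\s+volume\b', re.I)
# Parents that are documented non-interactive execution vectors (Mail rules,
# Calendar alarms, Automator workflows). Assumed to be reported by process name.
TRIGGER_PARENTS = {"Mail", "Calendar", "Automator"}
# osascript options that consume the following argument (-e script, -l language, -s flags).
OPTS_WITH_ARG = {"-e", "-l", "-s"}


def parse_osascript_cmdline(cmdline):
    """Split an osascript command line into (inline_scripts, script_path).

    Covers `osascript -e "..."` (repeatable), `osascript /path/to/script` and
    shebang scripts, which execve rewrites to `/usr/bin/osascript /path/to/script`.
    Returns None when the command is not osascript at all.
    """
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: not a command line we can trust
        return None
    if not argv or os.path.basename(argv[0]) != "osascript":
        return None
    inline, script_path = [], None
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg in OPTS_WITH_ARG and i + 1 < len(argv):
            if arg == "-e":
                inline.append(argv[i + 1])
            i += 2
        elif arg.startswith("-"):
            i += 1
        else:
            script_path = arg  # everything after the script path is passed to the script
            break
    return inline, script_path


def analyze_event(event):
    """Return findings for one process-exec event (empty list = not osascript).

    `event` is a constructed dict: cmdline, parent (parent process name) and,
    when the sensor captured it, script_body (contents of the referenced script).
    """
    parsed = parse_osascript_cmdline(event["cmdline"])
    if parsed is None:
        return []
    inline, script_path = parsed
    findings = []
    if inline:
        findings.append("inline-script")  # -e leaves no file on disk; argv is the only record
    if script_path:
        findings.append("script-file:" + script_path)
    if event.get("parent") in TRIGGER_PARENTS:
        findings.append("trigger-parent:" + event["parent"])
    text = "\n".join(inline + [event.get("script_body", "")])
    for app in sorted({m.group(1) for m in TELL_TARGET_RE.finditer(text)}):
        findings.append("apple-event-target:" + app)
    for verb in sorted({re.sub(r"\s+", " ", m.group(1).lower()) for m in VERB_RE.finditer(text)}):
        findings.append("verb:" + verb)
    for m in SHELL_BRIDGE_RE.finditer(text):
        findings.append("shell-bridge:" + m.group(1))
    if VOLUME_RE.search(text):
        findings.append("volume-change")
    return findings


def severity(findings):
    """Coarse triage: shell bridge or non-interactive trigger is high, Apple Events
    to another application medium, everything else (e.g. volume changes) low."""
    if not findings:
        return "none"
    if any(f.startswith(("shell-bridge:", "trigger-parent:")) for f in findings):
        return "high"
    if any(f.startswith("apple-event-target:") for f in findings):
        return "medium"
    return "low"


# Constructed sample events; pids, parents, paths and script bodies are made up.
SAMPLE_EVENTS = [
    {"pid": 4101, "parent": "Terminal",
     "cmdline": "osascript -e 'tell application \"Finder\" to activate'"},
    {"pid": 4102, "parent": "Terminal",
     "cmdline": 'osascript -e "set volume with output muted"'},
    {"pid": 4103, "parent": "Mail",  # shebang script fired by a Mail rule
     "cmdline": '/usr/bin/osascript "/Users/victim/Library/Application Scripts/com.apple.mail/update.scpt"',
     "script_body": '#!/usr/bin/osascript\ntell application "Finder"\n\tclose windows\nend tell\n'
                    'do shell script "python3 /tmp/payload.py &"'},
    {"pid": 4104, "parent": "Terminal", "cmdline": "grep -r osascript /var/log"},  # not osascript
]


def triage(events=SAMPLE_EVENTS):
    """Map pid -> (severity, findings) for every event that actually runs osascript."""
    out = {}
    for ev in events:
        f = analyze_event(ev)
        if f:
            out[ev["pid"]] = (severity(f), f)
    return out


if __name__ == "__main__":
    for pid, (sev, f) in triage().items():
        print(pid, sev, ", ".join(f))
```

A real pipeline would populate `script_body` by reading the file named on the command line at collection time; for `-e` scripts the command line is the only copy of the script, which is why the example tags those separately. Apple Events to another application from a process without Automation consent surface as a TCC prompt on macOS 10.14 and later, so pairing these findings with TCC consent events narrows the search further.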