AppleScript process executed with a rare command line

Cortex XDR Analytics Alert Reference by Alert name
Product
Cortex XDR
Last date published
2025-05-13
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Detector Tags

AppleScript Analytics

ATT&CK Tactic

Execution (TA0002)

ATT&CK Technique

Command and Scripting Interpreter: AppleScript (T1059.002)

Severity

Informational

Description

The AppleScript interpreter process was executed with an uncommon command line.

Attacker's Goals

Perform various actions via AppleScript code, such as establishing persistence, evading detection, executing secondary payloads or injecting remote processes.

Investigative actions

  • Analyze the command line and determine whether it performs any malicious/suspicious actions.
  • Check the events generated by the process or its children for potential malicious behavior.
  • Check whether the process was executed in an unusual way.

Variations

AppleScript process executed with a rare command line possibly using Finder to perform operations

Synopsis

ATT&CK Tactic

Execution (TA0002)

ATT&CK Technique

Command and Scripting Interpreter: AppleScript (T1059.002)

Severity

High

Description

The AppleScript interpreter process was executed with an uncommon command line.

Attacker's Goals

Perform various actions via AppleScript code, such as establishing persistence, evading detection, executing secondary payloads or injecting remote processes.

Investigative actions

  • Analyze the command line and determine whether it performs any malicious/suspicious actions.
  • Check the events generated by the process or its children for potential malicious behavior.
  • Check whether the process was executed in an unusual way.


AppleScript process executed with a rare command line with an unusual password prompt

Synopsis

ATT&CK Tactic

Execution (TA0002)

ATT&CK Technique

Command and Scripting Interpreter: AppleScript (T1059.002)

Severity

Low

Description

The AppleScript interpreter process was executed with an uncommon command line.

Attacker's Goals

Perform various actions via AppleScript code, such as establishing persistence, evading detection, executing secondary payloads or injecting remote processes.

Investigative actions

  • Analyze the command line and determine whether it performs any malicious/suspicious actions.
  • Check the events generated by the process or its children for potential malicious behavior.
  • Check whether the process was executed in an unusual way.


AppleScript process executed with a rare command line that possibly injects JavaScript into a browser

Synopsis

ATT&CK Tactic

Execution (TA0002)

ATT&CK Technique

Command and Scripting Interpreter: AppleScript (T1059.002)

Severity

Low

Description

The AppleScript interpreter process was executed with an uncommon command line.

Attacker's Goals

Perform various actions via AppleScript code, such as establishing persistence, evading detection, executing secondary payloads or injecting remote processes.

Investigative actions

  • Analyze the command line and determine whether it performs any malicious/suspicious actions.
  • Check the events generated by the process or its children for potential malicious behavior.
  • Check whether the process was executed in an unusual way.


AppleScript process executed with a rare command line that possibly establishes persistence

Synopsis

ATT&CK Tactic

Execution (TA0002)

ATT&CK Technique

Command and Scripting Interpreter: AppleScript (T1059.002)

Severity

Low

Description

The AppleScript interpreter process was executed with an uncommon command line.

Attacker's Goals

Perform various actions via AppleScript code, such as establishing persistence, evading detection, executing secondary payloads or injecting remote processes.

Investigative actions

  • Analyze the command line and determine whether it performs any malicious/suspicious actions.
  • Check the events generated by the process or its children for potential malicious behavior.
  • Check whether the process was executed in an unusual way.


AppleScript process executed with a rare command line that possibly installs a proxy

Synopsis

ATT&CK Tactic

Execution (TA0002)

ATT&CK Technique

Command and Scripting Interpreter: AppleScript (T1059.002)

Severity

Low

Description

The AppleScript interpreter process was executed with an uncommon command line.

Attacker's Goals

Perform various actions via AppleScript code, such as establishing persistence, evading detection, executing secondary payloads or injecting remote processes.

Investigative actions

  • Analyze the command line and determine whether it performs any malicious/suspicious actions.
  • Check the events generated by the process or its children for potential malicious behavior.
  • Check whether the process was executed in an unusual way.


AppleScript process executed with a rare command line performing clipboard access

Synopsis

ATT&CK Tactic

Execution (TA0002)

ATT&CK Technique

Command and Scripting Interpreter: AppleScript (T1059.002)

Severity

Low

Description

The AppleScript interpreter process was executed with an uncommon command line.

Attacker's Goals

Perform various actions via AppleScript code, such as establishing persistence, evading detection, executing secondary payloads or injecting remote processes.

Investigative actions

  • Analyze the command line and determine whether it performs any malicious/suspicious actions.
  • Check the events generated by the process or its children for potential malicious behavior.
  • Check whether the process was executed in an unusual way.