AppleScript executed a shell script

Cortex XSIAM Analytics Alert Reference by Alert name

Product

Cortex XSIAM

Last date published

2025-03-17

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: XDR Agent
Detection Modules
Detector Tags	AppleScript Analytics
ATT&CK Tactic	Execution (TA0002)
ATT&CK Technique	Command and Scripting Interpreter: AppleScript (T1059.002) Command and Scripting Interpreter: Unix Shell (T1059.004)
Severity	Informational

An uncommon shell script has been executed by the AppleScript interpreter process.

Use the AppleScript interpreter to execute a second stage payload.

Analyze both the AppleScript and executed shell script to determine whether they perform malicious actions.
Check the events generated by the process or its children for potential malicious behavior.
Check whether the script was executed in an unusual way.

ATT&CK Tactic

ATT&CK Technique

Severity

Low

An uncommon shell script has been executed by the AppleScript interpreter process.

Use the AppleScript interpreter to execute a second stage payload.

Analyze both the AppleScript and executed shell script to determine whether they perform malicious actions.
Check the events generated by the process or its children for potential malicious behavior.
Check whether the script was executed in an unusual way.

ATT&CK Tactic

ATT&CK Technique

Severity

Low

An uncommon shell script has been executed by the AppleScript interpreter process.

Use the AppleScript interpreter to execute a second stage payload.

Analyze both the AppleScript and executed shell script to determine whether they perform malicious actions.
Check the events generated by the process or its children for potential malicious behavior.
Check whether the script was executed in an unusual way.