LoFP / application installers might contain scripts as part of the installation process.

Techniques

• t1059
• t1059.002

Sample rules

MacOS Scripting Interpreter AppleScript

• source: sigma
• technicques:
  • t1059
  • t1059.002

Description

Detects execution of AppleScript of the macOS scripting language AppleScript.

Detection logic

condition: selection
selection:
  CommandLine|contains:
  - ' -e '
  - .scpt
  - .js
  Image|endswith: /osascript