MITRE ATT&CK® Analytic

AN1164: Analytic 1164

Detects AppleScript execution via 'osascript', NSAppleScript/OSAScript APIs, and abnormal application control events across user sessions. Focuses on causal chains such as osascript spawning child processes, script-induced keystrokes, or API-backed dialog spoofing.

Domain: Enterprise · External ID: AN1164 · Type: Analytic · Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because AppleScript activity on macOS can represent automation that crosses normal application boundaries: launching processes, controlling apps, sending keystrokes, or presenting dialogs. For leaders, the practical question is whether the organization can see and investigate suspicious macOS automation before it becomes an incident-handling blind spot.

Executive priority

Prioritize this where macOS endpoints support business-critical users, privileged administrators, developers, or executives. The decision value is in validating whether endpoint monitoring, SOC triage, and incident response procedures can explain unusual osascript use, child process activity, cross-application control, and user-session automation. This also supports audit and readiness discussions around macOS visibility rather than assuming Windows-focused controls provide equivalent coverage.

Technical view

For SOC and detection engineering teams, validate telemetry for macOS AppleScript execution through osascript, NSAppleScript or OSAScript API-backed activity, and abnormal application control events across user sessions. Focus on causal chains described by the analytic: osascript spawning child processes, script-induced keystrokes, and API-backed dialog spoofing. Because no ATT&CK tactic or official detection logic is supplied, implementation should be environment-specific and tuned against known administrative scripts, management tooling, and legitimate automation.

Likely telemetry

  • macOS process creation events, especially osascript execution, including the full command line (osascript -e passes the script inline, so there may be no script file on disk to inspect)
  • Parent-child process relationships involving osascript and the processes it spawns
  • Application control or inter-process automation events (Apple Events, System Events, Accessibility) across user sessions
  • Evidence of script-induced keystrokes where available
  • Dialog or UI interaction telemetry related to API-backed application control, since NSAppleScript/OSAScript execution runs inside the calling process and never produces an osascript process event

Detection direction

  • Confirm that macOS process lineage is collected with enough fidelity to identify osascript's parent and its child processes, with command lines intact.
  • Baseline approved AppleScript and osascript use by IT, developers, accessibility tools, and endpoint management workflows to reduce false positives; baseline on the parent process and script location, not on the osascript binary alone.
  • Look for abnormal causal chains rather than single events, such as osascript execution followed by unexpected shell, interpreter or network-client children, or by user-interface automation.
  • Validate visibility into user-session context and into API-backed execution, since cross-session or app-control behaviour driven through NSAppleScript or OSAScript is invisible to process-only logging.
  • Treat API-backed dialog spoofing (for example a scripted "display dialog" asking for a password) and script-induced keystrokes as higher-priority investigation leads when telemetry supports them.

Mitigation priorities

  • Inventory legitimate macOS automation use and owners before enforcing restrictive controls.
  • Restrict or monitor unnecessary AppleScript and osascript usage on high-risk macOS systems where operationally feasible.
  • Harden endpoint monitoring for macOS process lineage, application control events, and user-session activity.
  • Ensure SOC playbooks include macOS automation triage, including how to distinguish approved scripts from suspicious application control behavior.
  • Review macOS administrative practices so sanctioned automation is documented, signed or otherwise governed where local policy supports it.

Analyst notes and limits

This is a detection analytic object for macOS, external ID AN1164, focused on AppleScript execution and application-control behavior. The supplied object has no tactic, no official detection text, and no relationship context, so the take emphasizes validation and defensive readiness rather than specific threat attribution or guaranteed coverage.

Assessment is limited to the supplied ATT&CK fields and external reference. No active exploitation, actor usage, impact, or mapped technique relationships are provided. Local telemetry, approved automation patterns, and endpoint control capabilities are required to determine practical coverage.

Official MITRE ATT&CK definition

Analytic 1164

Detects AppleScript execution via 'osascript', NSAppleScript/OSAScript APIs, and abnormal application control events across user sessions. Focuses on causal chains such as osascript spawning child processes, script-induced keystrokes, or API-backed dialog spoofing.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 347c4ec2e71f4f2b...

Imported snapshots across ATT&CK releases (1): release 19.1, object version 1.0, status "Current bundle", raw hash 347c4ec2e71f…. The "Bundle imported" and "Modified" columns are empty in the mirrored snapshot.

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack, AN1164 (link to source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.