MITRE ATT&CK® Detection Strategy

DET0414: Detection of AppleScript-Based Execution on macOS

Enterprise | DET0414 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0414 is a MITRE detection strategy for AppleScript-based execution on macOS, tied to ATT&CK technique T1059.002. Its practical value is that AppleScript can control applications and parts of macOS through AppleEvents, so defenders should not treat scripting activity as only an endpoint artifact; it can represent application control, user-context execution, and automation abuse that may affect incident scoping on macOS fleets.

Executive priority

Security leaders should use this object as a prompt to validate macOS monitoring readiness. The ATT&CK object does not provide official detection logic, so priority should be placed on confirming whether the organization can produce audit-quality evidence for AppleScript execution and AppleEvent-driven application interaction during an investigation. This matters for SOC coverage, IR triage, compliance evidence around endpoint monitoring, and control prioritization for macOS-heavy business units.

Technical view

The detection strategy object carries no official detection text and lists no platforms directly; it detects T1059.002 AppleScript, whose platform is macOS and whose tactic is Execution. SOC and detection engineering teams should validate visibility into AppleScript execution paths and AppleEvent-mediated application control, in particular command-line invocation of osascript where telemetry captures it. Note that osascript can take its script inline (-e), from a script file, or from stdin, so command-line capture alone will not always expose the script content. IR teams should be prepared to correlate script execution with parent process, user context, target application, and surrounding endpoint activity rather than relying on a single event type.

Likely telemetry

  • macOS process execution telemetry, including parent/child process relationships
  • Command-line arguments for script execution utilities where collected
  • Endpoint security or EDR events showing AppleScript or AppleEvent-related activity
  • User/session context for the executing process
  • Application interaction or automation events where available

Detection direction

  • Confirm that macOS endpoints actually report process execution and command-line details needed to investigate AppleScript execution.
  • Correlate AppleScript-related activity with parent process, user identity, target application, and timing to distinguish expected administrative automation from suspicious execution.
  • Tune for environment-specific legitimate automation to reduce false positives, especially where AppleScript is used by IT, productivity workflows, or accessibility-related tooling.
  • Treat gaps in AppleEvent or application-control visibility as an investigation blind spot because the related technique involves controlling applications through inter-application messages.
  • Because MITRE provides no official detection logic for DET0414, validate detections through local baselining and incident-response use cases rather than assuming ATT&CK coverage.
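As a concrete illustration of the technical view and of the detection direction above, the following is an added Python example; it is not code from the ATT&CK object, from MITRE, or from Glexia. It triages macOS process-execution events for osascript invocations, recovers the script file or inline statements from the command line, pulls the target application out of an inline `tell application "..."` block, checks the invocation against a documented-automation baseline, and marks invocations whose script content never appears on the command line (osascript reads from stdin when given neither -e nor a file) as a visibility gap rather than silently passing them. The event field names (ts, user, parent, exe, argv), the sample events, the paths and the baseline entries are constructed assumptions for the example, not a real EDR schema.

```python
"""Triage macOS process events for AppleScript execution via osascript.

Added example, not part of the ATT&CK object or the Glexia page. The event
schema (ts, user, parent, exe, argv), the sample events and the baseline
are constructed assumptions; map them onto your own EDR export.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

OSASCRIPT = "/usr/bin/osascript"

# Recovers the application named in an inline `tell application "X"` block.
TELL_APP_RE = re.compile(r'tell\s+application\s+"([^"]+)"', re.IGNORECASE)


@dataclass(frozen=True)
class BaselineEntry:
    """Documented automation: this parent, as this user, runs this script file."""
    parent: str
    user: str
    script: str


@dataclass
class Finding:
    ts: str
    user: str
    parent: str
    script: Optional[str]      # script file path, if one was given
    target_app: Optional[str]  # application addressed by an inline statement
    verdict: str               # approved | review | review-low-visibility
    reason: str


def parse_osascript_argv(argv: list[str]) -> tuple[Optional[str], list[str]]:
    """Split an osascript argv into (script_file, inline_statements).

    osascript takes `-e statement` (repeatable), `-l language`, `-s flags`, and a
    script file as the first non-option argument. With neither -e nor a file it
    reads the script from stdin, so argv then carries no script content at all.
    """
    script_file, inline, i = None, [], 1
    while i < len(argv):
        arg = argv[i]
        if arg == "-e" and i + 1 < len(argv):
            inline.append(argv[i + 1])
            i += 2
        elif arg in ("-l", "-s") and i + 1 < len(argv):
            i += 2  # option with a value; skip both
        elif arg.startswith("-"):
            i += 1
        else:
            script_file = arg
            break
    return script_file, inline


def triage_event(ev: dict, baseline: Iterable[BaselineEntry]) -> Optional[Finding]:
    """Return a Finding for an osascript execution event, or None for other processes."""
    if ev.get("exe") != OSASCRIPT:
        return None
    script_file, inline = parse_osascript_argv(ev["argv"])
    target_app = None
    for stmt in inline:
        m = TELL_APP_RE.search(stmt)
        if m:
            target_app = m.group(1)
            break
    common = dict(ts=ev["ts"], user=ev["user"], parent=ev["parent"],
                  script=script_file, target_app=target_app)
    if script_file is not None:
        approved = any(b.parent == ev["parent"] and b.user == ev["user"]
                       and b.script == script_file for b in baseline)
        if approved:
            return Finding(**common, verdict="approved",
                           reason="parent, user and script match a documented automation entry")
        return Finding(**common, verdict="review",
                       reason="script file is not in the automation baseline")
    if not inline:
        return Finding(**common, verdict="review-low-visibility",
                       reason="no -e statement and no script file on the command line; "
                              "script was probably read from stdin, so its content is not visible")
    return Finding(**common, verdict="review", reason="inline statements outside the baseline")


def triage(events: Iterable[dict], baseline: Iterable[BaselineEntry]) -> list[Finding]:
    baseline = list(baseline)
    return [f for f in (triage_event(e, baseline) for e in events) if f is not None]


# Constructed sample data (not real telemetry); all paths are hypothetical.
SAMPLE_BASELINE = [
    BaselineEntry(parent="/usr/local/bin/mdm-agent", user="it-admin",
                  script="/Library/Management/Scripts/set_dock.scpt"),
]
SAMPLE_EVENTS = [
    {"ts": "2026-03-01T09:00:01Z", "user": "it-admin", "parent": "/usr/local/bin/mdm-agent",
     "exe": OSASCRIPT, "argv": ["osascript", "/Library/Management/Scripts/set_dock.scpt"]},
    {"ts": "2026-03-01T09:05:12Z", "user": "jdoe", "parent": "/bin/bash",
     "exe": OSASCRIPT, "argv": ["osascript", "-e", 'tell application "Terminal" to do script "id"']},
    {"ts": "2026-03-01T09:06:40Z", "user": "jdoe", "parent": "/usr/bin/python3",
     "exe": OSASCRIPT, "argv": ["osascript"]},           # script fed on stdin
    {"ts": "2026-03-01T09:07:00Z", "user": "jdoe", "parent": "/bin/zsh",
     "exe": "/bin/ls", "argv": ["ls", "-la"]},           # not AppleScript; ignored
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, SAMPLE_BASELINE):
        print(f"{f.ts} {f.verdict:22} user={f.user} parent={f.parent} "
              f"script={f.script} app={f.target_app} :: {f.reason}")
```

Run as-is and the three osascript events come back as approved, review (target application Terminal), and review-low-visibility; the ls event is ignored. The baseline keys on parent, user and script file together because a legitimate management script re-run from an interactive shell by a different user is exactly the case the detection direction says to separate from expected administrative automation.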

Mitigation priorities

  • Inventory legitimate AppleScript and macOS automation use cases before enforcing restrictions or alerting broadly.
  • Prioritize endpoint logging coverage for macOS process execution, command-line capture, and user context.
  • Restrict or govern scripting and automation capabilities where business requirements allow, using existing macOS and enterprise endpoint control policies.
  • Document approved administrative automation so SOC teams have context for triage and audit evidence.
  • Integrate macOS AppleScript execution findings into IR playbooks for execution-stage investigation and scoping.

Analyst notes and limits

This take is based on DET0414 and its relationship to T1059.002 AppleScript. The supplied DET0414 fields contain no official description or detection guidance, so the recommendations focus on validation questions, telemetry classes, and defensive readiness implied by the related ATT&CK technique.

The detection strategy itself does not specify platforms, tactics, detection analytics, data sources, mitigations, or examples. The macOS and execution context comes from the related T1059.002 technique. Local environment evidence is required to determine normal AppleScript usage, feasible telemetry, and alert thresholds.

Official MITRE ATT&CK definition

Detection of AppleScript-Based Execution on macOS

No official description is available in the imported ATT&CK source object.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain       ID          Name          Relationship / procedure
Enterprise   T1059.002   AppleScript   Sub-technique; this object detects AppleScript.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 2ddb1255e225bc8b...
Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1                        1.0                         Current bundle   2ddb1255e225…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0414

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.