MITRE ATT&CK Technique
Execution T1059.002
Description

Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely. Scripts can be run from the command-line via <code>osascript /path/to/script</code> or <code>osascript -e "script here"</code>. Aside from the command line, scripts can be executed in numerous ways including Mail rules, Calendar.app alarms, and Automator workflows. AppleScripts can also be executed as plain text shell scripts by adding <code>#!/usr/bin/osascript</code> to the start of the script file.(Citation: SentinelOne AppleScript) AppleScripts do not need to call <code>osascript</code> to execute. However, they may be executed from within mach-O binaries by using the macOS [Native API](https://attack.mitre.org/techniques/T1106)s <code>NSAppleScript</code> or <code>OSAScript</code>, both of which execute code independent of the <code>/usr/bin/osascript</code> command line utility. Adversaries may abuse AppleScript to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally), but they can interact with applications if they're already running remotely. On macOS 10.10 Yosemite and higher, AppleScript has the ability to execute [Native API](https://attack.mitre.org/techniques/T1106)s, which otherwise would require compilation and execution in a mach-O binary file format.(Citation: SentinelOne macOS Red Team) Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via [Python](https://attack.mitre.org/techniques/T1059/006).(Citation: Macro Malware Targets Macs)

Supported Platforms
macOS
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data 
{'created': '2020-03-09T14:07:54.329Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may abuse AppleScript for execution. AppleScript '
                'is a macOS scripting language designed to control '
                'applications and parts of the OS via inter-application '
                'messages called AppleEvents.(Citation: Apple AppleScript) '
                'These AppleEvent messages can be sent independently or easily '
                'scripted with AppleScript. These events can locate open '
                'windows, send keystrokes, and interact with almost any open '
                'application locally or remotely.\n'
                '\n'
                'Scripts can be run from the command-line via <code>osascript '
                '/path/to/script</code> or <code>osascript -e "script '
                'here"</code>. Aside from the command line, scripts can be '
                'executed in numerous ways including Mail rules, Calendar.app '
                'alarms, and Automator workflows. AppleScripts can also be '
                'executed as plain text shell scripts by adding '
                '<code>#!/usr/bin/osascript</code> to the start of the script '
                'file.(Citation: SentinelOne AppleScript)\n'
                '\n'
                'AppleScripts do not need to call <code>osascript</code> to '
                'execute. However, they may be executed from within mach-O '
                'binaries by using the macOS [Native '
                'API](https://attack.mitre.org/techniques/T1106)s\xa0'
                '<code>NSAppleScript</code>\xa0or\xa0<code>OSAScript</code>, '
                'both of which execute code independent of the '
                '<code>/usr/bin/osascript</code> command line utility.\n'
                '\n'
                'Adversaries may abuse AppleScript to execute various '
                'behaviors, such as interacting with an open SSH connection, '
                'moving to remote machines, and even presenting users with '
                'fake dialog boxes. These events cannot start applications '
                'remotely (they can start them locally), but they can interact '
                "with applications if they're already running remotely. On "
                'macOS 10.10 Yosemite and higher, AppleScript has the ability '
                'to execute [Native '
                'API](https://attack.mitre.org/techniques/T1106)s, which '
                'otherwise would require compilation and execution in a mach-O '
                'binary file format.(Citation: SentinelOne macOS Red Team) '
                'Since this is a scripting language, it can be used to launch '
                'more common techniques as well such as a reverse shell via '
                '[Python](https://attack.mitre.org/techniques/T1059/006).(Citation: '
                'Macro Malware Targets Macs)',
 'external_references': [{'external_id': 'T1059.002',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1059/002'},
                         {'description': 'Apple. (2016, January 25). '
                                         'Introduction to AppleScript Language '
                                         'Guide. Retrieved March 28, 2020.',
                          'source_name': 'Apple AppleScript',
                          'url': 'https://developer.apple.com/library/archive/documentation/AppleScript/Conceptual/AppleScriptLangGuide/introduction/ASLR_intro.html'},
                         {'description': 'Phil Stokes. (2019, December 5). '
                                         'macOS Red Team: Calling Apple APIs '
                                         'Without Building Binaries. Retrieved '
                                         'July 17, 2020.',
                          'source_name': 'SentinelOne macOS Red Team',
                          'url': 'https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/'},
                         {'description': 'Phil Stokes. (2020, March 16). How '
                                         'Offensive Actors Use AppleScript For '
                                         'Attacking macOS. Retrieved July 17, '
                                         '2020.',
                          'source_name': 'SentinelOne AppleScript',
                          'url': 'https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/'},
                         {'description': 'Yerko Grbic. (2017, February 14). '
                                         'Macro Malware Targets Macs. '
                                         'Retrieved July 8, 2017.',
                          'source_name': 'Macro Malware Targets Macs',
                          'url': 'https://www.mcafee.com/blogs/other-blogs/mcafee-labs/macro-malware-targets-macs/'}],
 'id': 'attack-pattern--37b11151-1776-4f8f-b328-30939fbf2ceb',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'execution'}],
 'modified': '2025-10-24T17:48:39.348Z',
 'name': 'AppleScript',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Phil Stokes, SentinelOne'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['macOS'],
 'x_mitre_version': '1.3'}
Quick Actions
Edit TTP Update from Web
Back to TTPs
Dashboard About