EXPLORE
← Back to Explore
sigmamediumHunting

Clipboard Access Via OSAScript

Detects access to clipboard content via osascript, which may be used for data collection but also occurs in legitimate clipboard utilities and automation scripts

MITRE ATT&CK

collectionexecution

Detection Query

selection:
  Image|endswith: /osascript
  CommandLine|contains|all:
    - " -e "
    - clipboard
filter_optional_opencode:
  ParentImage|endswith: opencode
  CommandLine|contains|all:
    - osascript
    - " -e "
    - set imageData to the clipboard
    - set fileRef
condition: selection and not 1 of filter_optional_*

Author

Sohan G (D4rkCiph3r)

Created

2023-01-31

Data Sources

macosProcess Creation Events

Platforms

macos

Tags

attack.collectionattack.executionattack.t1115attack.t1059.002
Raw Content
title: Clipboard Access Via OSAScript
id: 7794fa3c-edea-4cff-bec7-267dd4770fd7
related:
    - id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55
      type: derived
status: test
description: Detects access to clipboard content via osascript, which may be used for data collection but also occurs in legitimate clipboard utilities and automation scripts
references:
    - https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/
author: Sohan G (D4rkCiph3r)
date: 2023-01-31
modified: 2026-05-22
tags:
    - attack.collection
    - attack.execution
    - attack.t1115
    - attack.t1059.002
logsource:
    product: macos
    category: process_creation
detection:
    selection:
        Image|endswith: '/osascript'
        CommandLine|contains|all:
            - ' -e '
            - 'clipboard'
    filter_optional_opencode:
        # OpenCode uses osascript to handle copying text from the TUI on MacOS devices. See https://github.com/anomalyco/opencode/blob/ca723f1cbc6fc4244ae57e61e9de8c4e37380ed4/packages/opencode/src/cli/cmd/tui/util/clipboard.ts#L65 for reference.
        ParentImage|endswith: 'opencode'
        CommandLine|contains|all:
            - 'osascript'
            - ' -e '
            - 'set imageData to the clipboard'
            - 'set fileRef'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Legitimate clipboard utilities and automation scripts that read or write clipboard content
    - Developer tools and IDEs that use osascript for clipboard integration
level: medium