← Back to Explore
sigmamediumHunting
Clipboard Access Via OSAScript
Detects access to clipboard content via osascript, which may be used for data collection but also occurs in legitimate clipboard utilities and automation scripts
Detection Query
selection:
Image|endswith: /osascript
CommandLine|contains|all:
- " -e "
- clipboard
filter_optional_opencode:
ParentImage|endswith: opencode
CommandLine|contains|all:
- osascript
- " -e "
- set imageData to the clipboard
- set fileRef
condition: selection and not 1 of filter_optional_*
Author
Sohan G (D4rkCiph3r)
Created
2023-01-31
Data Sources
macosProcess Creation Events
Platforms
macos
References
Tags
attack.collectionattack.executionattack.t1115attack.t1059.002
Raw Content
title: Clipboard Access Via OSAScript
id: 7794fa3c-edea-4cff-bec7-267dd4770fd7
related:
- id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55
type: derived
status: test
description: Detects access to clipboard content via osascript, which may be used for data collection but also occurs in legitimate clipboard utilities and automation scripts
references:
- https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/
author: Sohan G (D4rkCiph3r)
date: 2023-01-31
modified: 2026-05-22
tags:
- attack.collection
- attack.execution
- attack.t1115
- attack.t1059.002
logsource:
product: macos
category: process_creation
detection:
selection:
Image|endswith: '/osascript'
CommandLine|contains|all:
- ' -e '
- 'clipboard'
filter_optional_opencode:
# OpenCode uses osascript to handle copying text from the TUI on MacOS devices. See https://github.com/anomalyco/opencode/blob/ca723f1cbc6fc4244ae57e61e9de8c4e37380ed4/packages/opencode/src/cli/cmd/tui/util/clipboard.ts#L65 for reference.
ParentImage|endswith: 'opencode'
CommandLine|contains|all:
- 'osascript'
- ' -e '
- 'set imageData to the clipboard'
- 'set fileRef'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Legitimate clipboard utilities and automation scripts that read or write clipboard content
- Developer tools and IDEs that use osascript for clipboard integration
level: medium