
The Detection Series: Open Scripting Architecture, AppleScript, and JavaScript for Automation

AppleScript, JXA, and other abuses of OSA are prevalent in macOS malware. We’ve gathered the experts to show you where to look for activity, how to develop detection analytics, and ways to test your visibility.

ON-DEMAND

1 Hour

Virtual


 

In this 60-minute webinar, experts from Jamf, MITRE ATT&CK®, and Red Canary will uncover:

  • The intricacies of Mac scripting and why it’s so critical on macOS systems
  • How adversaries abuse AppleScript, JXA, and other scripting languages
  • How defenders can observe, detect, and emulate suspicious and malicious scripting behavior on macOS
 
Brandon Dalton
Senior Threat Researcher | Red Canary
Brandon is a passionate and driven threat researcher who champions macOS security at Red Canary. He has worked across government, academia, and private industry on high-stakes research and software engineering projects. These experiences have propelled him onto Red Canary’s Threat Research team, where he works closely with industry partners to improve EDR telemetry resolution for macOS detections. Brandon also leads several internal R&D projects to aid in these objectives, predominantly in Swift and Python.
 
Cat Self
macOS/Linux Lead | MITRE ATT&CK
Cat Self is the Technical Product Manager for MITRE ATT&CK®️ Evaluations, macOS/Linux Lead for ATT&CK®️, and a people leader in the Cyber Threat Intelligence & Adversary Emulation department at MITRE. Cat started her cyber security career at Target as a developer building software to assess the organization's security posture, where her team’s work resulted in a patent. She was Target's first female internal red team operator and helped build Target's Threat Hunting team as Target’s first full-time threat hunter. Cat is a former military intelligence professional and served in an Army Airborne unit with two combat deployments. Cat pays it forward through mentorship, technical macOS open-source contributions, and public speaking. Outside of work, she is often planning an epic adventure, climbing mountains in foreign lands, or learning Chinese.
 
Ferdous Saljooki
macOS Detections Developer II | Jamf
Ferdous Saljooki is a Detections Developer for Jamf, where he hunts and analyzes malware on macOS to build reliable detections. Prior to joining Jamf, he worked for organizations as a threat hunter and researcher focused on application and network threats. Ferdous has a passion for macOS security; he enjoys researching malware and understanding system internals to better protect users.
 
Tony Lambert
Senior Malware Analyst | Red Canary
Tony is a professional geek who loves to jump into all things related to detection and digital forensics. After working in enterprise IT administration and detection engineering for several years, he now applies his DFIR skills to research malware, detect malicious activity, and recommend remediation paths. Tony is a natural teacher and regularly shares his findings and expertise through blogs, research reports, and presentations at conferences and events.

AppleScript is a versatile scripting language that Apple created to help developers automate tasks, manipulate applications, and control parts of the macOS operating system. While AppleScript is the default scripting language, the Open Scripting Architecture (OSA) allows developers to leverage other scripting languages on macOS—mostly JavaScript for Automation (JXA) in practice.

Collectively, AppleScript and the languages introduced via OSA boast extensive sets of powerful features that administrators and developers can use to perform local or remote automation, but that adversaries also abuse to inconspicuously accomplish a variety of objectives. Some common dual-purpose scripting uses on macOS include:

  • Executing shell commands
  • Modifying system files
  • Running Python scripts
  • Gathering data from macOS applications
  • Displaying and manipulating graphical elements
  • Executing Objective-C code

You’ll leave the webinar with a better understanding of what AppleScript and OSA are and how adversaries leverage them to perform malicious activity.

 
 