macOS Apple Scripts

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Apple Scripts

It's a scripting language used for task automation interacting with remote processes. It makes pretty easy to ask other processes to perform some actions. Malware may abuse these features to abuse functions exported by other processes. For example, a malware could inject arbitrary JS code in browser opened pages. Or auto click some allow permissions requested to the user;

tell window 1 of process "SecurityAgent"
     click button "Always Allow" of group 1
end tell

Here you have some examples: https://github.com/abbeycode/AppleScripts Find more info about malware using applescripts here.

Apple scripts may be easily "compiled". These versions can be easily "decompiled" with osadecompile

However, this scripts can also be exported as "Read only" (via the "Export..." option):

file mal.scpt
mal.scpt: AppleScript compiled

and tin this case the content cannot be decompiled even with osadecompile

However, there are still some tools that can be used to understand this kind of executables, read this research for more info). The tool applescript-disassembler with aevt_decompile will be very useful to understand how the script works.

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousmacOS TCC Bypasses NextmacOS TCC Payloads

Last updated 4 months ago