Description: "From my testing, it seems that our malicious AppleScript is executed as a child process of UserScriptService. I ASSUME that when an app like Mail.app runs an Applescript it makes an internal API call to this process to execute the script. The child process spawned by UserScriptService has a -T flag which specifies the application that made the request to spawn this AppleScript. "
What The Data Shows: The query below starts by querying the processes table for the PID of Mail. Next, it queries the process_events table for all processes whose command line starts with “osascript”. Finally, it extracts the PID from those “osascript” command lines and compares it to the Mail app PID. Effectively, this query is looking for any AppleScript initiated by Mail.app.
SELECT * FROM process_events WHERE cmdline like '%osascript%' AND trim(substr(cmdline,23,5)) like (SELECT pid FROM processes WHERE name='Mail');
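The query above depends on the -T value always sitting at character 23 of the command line. The following is an added example (not from the original post) that parses the token after "-T" wherever it appears, resolves it to the requesting application by joining the processes table, and so generalizes Query #1 from Mail.app to any app that asks UserScriptService to run an AppleScript; the CTE and column names are my own, and it assumes the "/usr/bin/osascript -T <pid> ..." command-line shape the post describes.

```sql
-- Added example, not the original post's query.
-- Assumption: osascript is launched as "/usr/bin/osascript -T <pid> ...",
-- where <pid> is the application that requested the script (per the post).
WITH osa AS (
  SELECT
    pid,
    parent,
    cmdline,
    datetime(time, 'unixepoch') AS event_time,
    -- everything after the first " -T " on the command line
    substr(cmdline, instr(cmdline, ' -T ') + 4) AS after_t
  FROM process_events
  WHERE cmdline LIKE '%osascript%'
    AND instr(cmdline, ' -T ') > 0
),
parsed AS (
  SELECT
    pid,
    parent,
    cmdline,
    event_time,
    -- first whitespace-delimited token after -T, cast to an integer PID;
    -- the appended ' ' guards against a command line that ends right after the PID
    CAST(substr(after_t, 1, instr(after_t || ' ', ' ') - 1) AS INTEGER) AS requester_pid
  FROM osa
)
SELECT
  p.event_time,
  p.pid          AS osascript_pid,
  p.parent       AS parent_pid,     -- expected to be UserScriptService
  p.requester_pid,
  r.name         AS requesting_app, -- NULL if the requester has already exited
  p.cmdline
FROM parsed p
LEFT JOIN processes r ON r.pid = p.requester_pid
-- add "WHERE r.name = 'Mail'" to reproduce Query #1 exactly
ORDER BY p.event_time DESC;
```

Because processes only lists currently running processes, a requester that has exited shows up with a NULL requesting_app rather than being dropped, which is why the join is a LEFT JOIN; process_events also only has rows if process eventing is enabled in osquery.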
Query #2: Creation and Modification Date
Description: With Osquery we can query the following directory, ~/Library/Application Scripts/com.apple.mail, for recent modifications.
SELECT f.path, datetime(f.mtime,'unixepoch') AS file_last_modified_time, datetime(f.ctime,'unixepoch') AS file_last_status_change_time, datetime(f.btime,'unixepoch') AS file_created_time, ROUND((f.size * 10e-7),4) AS size_megabytes FROM file f LEFT JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE f.path LIKE '/Users/%/Library/Application Scripts/com.apple.mail/%';