The VMware Carbon Black Tech Zone is live! Checkout this great resource: Mastering Carbon Black Audit & Remediation.

macOS spawning reverse shells


Description:  "From my testing, it seems that our malicious AppleScript is executed as a child process of UserScriptService. I ASSUME that when an app like runs an Applescript it makes an internal API call to this process to execute the script. The child process spawned by UserScriptService has a -T flag which specifies the application that made the request to spawn this AppleScript. "

What The Data Shows: The query below starts by querying the process table for the PID of Mail. Next, it queries the process_events table for all the command lines that initiated a process that have a prefix of “osascript”. Finally, the query extracts the parent PID from any processes starting  with “osascript” and compares the PID to the Mail app PID. Effectively this query is looking for any Applescript initiated by


SELECT * FROM process_events WHERE cmdline like '%osascript%' AND trim(substr(cmdline,23,5)) like (SELECT pid FROM processes WHERE name='Mail');

Query #2: Creation and Modification Date

Description: With Osquery we can query the following directory ~/Library/Application Scripts/ for recent modifications.


SELECT f.path, datetime(f.mtime,'unixepoch') AS file_last_modified_time, datetime(f.ctime,'unixepoch') AS file_last_status_change_time, datetime(f.btime,'unixepoch') AS file_created_time, ROUND((f.size * 10e-7),4) AS size_megabytes FROM file f LEFT JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE path like "/Users/%/Library/Application Scripts/';

1 Comment
Carbon Black Employee
Status changed to: Approved