Attackers can leverage builtin macOS tools like AppleScript and JXA (JavaScript for Automation) to access credentials, capture screenshots, and establish persistence without installing custom tools. Can your security controls detect these techniques?
Living Off the Orchard: Apple Script (LOAS) is a library of AppleScript and JXA tests mapped to the MITRE ATT&CK® framework that helps you answer that question. Security teams can use LOAS to quickly, portably, and reproducibly test their macOS environments using multiple execution methods, each generating different endpoint security logs.
Who Should Use LOAS?
- 🔴 Red Team - Test realistic macOS attack scenarios without custom tools.
- 🔵 Blue Team - Validate detection rules against real adversary techniques and build comprehensive macOS monitoring and alerting.
Getting Started
Ready to start testing? The easiest way is to download pre-built artifacts from GitHub releases:
```bash
# Download pre-built tests from releases
# https://github.com/cyberbuff/loas/releases/latest

# Execute your first test through any of the following methods:
osascript -e 'short user name of (system info)' -e 'long user name of (system info)'
osascript get_user_using_system_info.scpt
swift get_user_using_system_info.swift
./get_user_using_system_info
```

The GitHub Actions workflow automatically generates all the artifacts needed for testing. However, if you want to compile them yourself:
⚠️ Security Warning: All LOAS tests should only be run in isolated lab environments or with explicit authorization. These techniques can trigger security alerts and modify system state.
```bash
# Clone and setup
git clone https://github.com/cyberbuff/loas.git
cd loas
uv sync

# Validate all tests
uv run main.py validate

# Generate all test artifacts
uv run main.py build

# Execute your first test
osascript osascripts/T1033/get_user_using_system_info.scpt
```

For detailed instructions on writing YAML tests and contributing, see the LOAS documentation.
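The four commands above run the same T1033 test through four execution vectors, and the point of offering all four is that each one looks different in endpoint telemetry. The script below is an added example (not LOAS project code) that makes that gap concrete: it classifies process-execution events by vector and shows which ones a naive "alert on osascript" rule and a content-aware rule would catch. The event records are constructed to resemble EDR process-exec telemetry; the field names `process`, `args` and `parent`, and the `LOAS_ARTIFACT_NAMES` lab allowlist, are assumptions, not any product's schema.

```python
"""Classify macOS process-exec events by AppleScript/JXA execution vector.

Added example, not part of LOAS. Event fields (process/args/parent) are an
assumed schema; the events themselves are constructed from the commands
shown in the Getting Started section.
"""
import os
import shlex

# Constructed sample events: the four LOAS vectors for the T1033 test,
# plus one benign osascript use (a build notification) for contrast.
SAMPLE_EVENTS = [
    {"process": "/usr/bin/osascript",
     "args": "osascript -e 'short user name of (system info)' "
             "-e 'long user name of (system info)'",
     "parent": "/bin/zsh"},
    {"process": "/usr/bin/osascript",
     "args": "osascript get_user_using_system_info.scpt",
     "parent": "/bin/zsh"},
    {"process": "/usr/bin/swift",
     "args": "swift get_user_using_system_info.swift",
     "parent": "/bin/zsh"},
    {"process": "/Users/lab/loas/get_user_using_system_info",
     "args": "./get_user_using_system_info",
     "parent": "/bin/zsh"},
    {"process": "/usr/bin/osascript",
     "args": "osascript -e 'display notification \"build done\"'",
     "parent": "/usr/bin/make"},
]

# Assumed lab allowlist: basenames of the compiled LOAS artifacts you built.
LOAS_ARTIFACT_NAMES = {"get_user_using_system_info"}


def parse_args(event):
    """Split the recorded command line the way a shell would."""
    return shlex.split(event["args"])


def inline_script_text(event):
    """Join every `-e` argument of an osascript call into one script body."""
    argv = parse_args(event)
    parts = [argv[i + 1] for i, tok in enumerate(argv)
             if tok == "-e" and i + 1 < len(argv)]
    return "\n".join(parts)


def classify_vector(event):
    """Map a process-exec event to one of the LOAS execution vectors."""
    exe = os.path.basename(event["process"])
    argv = parse_args(event)
    if exe == "osascript":
        if "-e" in argv:
            return "osascript-inline"
        if any(a.endswith((".scpt", ".applescript", ".js")) for a in argv[1:]):
            return "osascript-file"
        return "osascript-other"
    if exe == "swift" and any(a.endswith(".swift") for a in argv[1:]):
        return "swift-script"
    if exe in LOAS_ARTIFACT_NAMES:
        return "compiled-binary"
    return "other"


def naive_osascript_rule(event):
    """A common first-pass rule: alert on any osascript execution."""
    return os.path.basename(event["process"]) == "osascript"


def discovery_content_rule(event):
    """Content-aware rule: flag inline AppleScript that queries `system info`."""
    if classify_vector(event) == "osascript-inline":
        return "system info" in inline_script_text(event)
    # For .scpt, .swift and compiled vectors the script body never appears
    # on the command line, so a command-line content rule cannot see it.
    return False


def coverage_report(events):
    """Per-vector counts of which rules fire, exposing the coverage gaps."""
    report = {}
    for ev in events:
        entry = report.setdefault(
            classify_vector(ev),
            {"events": 0, "naive_hits": 0, "content_hits": 0})
        entry["events"] += 1
        entry["naive_hits"] += int(naive_osascript_rule(ev))
        entry["content_hits"] += int(discovery_content_rule(ev))
    return report


if __name__ == "__main__":
    for vector, c in coverage_report(SAMPLE_EVENTS).items():
        print(f"{vector:18} events={c['events']} "
              f"naive={c['naive_hits']} content={c['content_hits']}")
```

Run against the constructed events, the osascript-only rule fires on three events (two of them the T1033 test, one the benign notification) and misses the `swift` and compiled-binary vectors entirely; the content rule removes the false positive but sees nothing beyond the inline vector. That is the kind of per-vector gap LOAS is meant to surface, and the reason to validate each execution method separately rather than assuming one detection covers "AppleScript".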
LLM-Optimized Documentation
Ready to use with Claude, ChatGPT, or Gemini right out of the box.
- Full Documentation - Complete technique descriptions and implementation details in plain text format
- Individual Technique Documentation - Access specific techniques at https://loas.dev/docs/<technique-id>.mdx (e.g., T1005.mdx, T1087.001.mdx)
Sample Prompt:
Read https://loas.dev/llms-full.txt. I want to ask questions about the techniques.
Roadmap
LOAS is actively evolving with planned enhancements:
- CI/CD Testing: GitHub Actions workflows for automated validation, ensuring atomics remain compatible as Apple deprecates and replaces APIs across macOS versions
- Expanded Technique Coverage: Adding more tests for MITRE ATT&CK® techniques beyond the current 29 implementations.
Conclusion
As macOS continues to grow in enterprise environments, understanding and defending against AppleScript and JXA abuse becomes increasingly critical. LOAS provides security teams with the tools needed to:
- Understand how threat actors weaponize legitimate macOS automation
- Test detection coverage across multiple execution vectors
- Validate security controls with MITRE ATT&CK®-mapped techniques
- Improve defensive capabilities through purple team collaboration
Resources
- GitHub Repository: https://github.com/cyberbuff/loas
- Documentation: https://loas.dev
- Latest Release: https://github.com/cyberbuff/loas/releases/latest
- MITRE ATT&CK®: macOS Matrix
- Atomic Red Team: https://github.com/redcanaryco/atomic-red-team
- Red Canary Threat Detection Report - AppleScript: https://redcanary.com/threat-detection-report/techniques/applescript/
MITRE ATT&CK® is a registered trademark of The MITRE Corporation.
Want to contribute or have questions? Open an issue on GitHub or reach out on X @cyb3rbuff.
All my content is cross-posted to both cyberbuff.dev/blog and Substack. The custom blog supports hierarchical subposts with integrated table of contents, enabling readers to navigate complex topics or skip familiar sections. While Substack lacks this UI customization, it provides better subscription management and notifications. I maintain both platforms to serve different reader preferences, so use whichever suits you best.