Execution Methods

November 27, 2025

As discussed in the macOS Security Primer, AppleScript and JXA are powerful automation tools that can be weaponized by attackers. Understanding how these techniques appear in your security logs is critical for detection engineering.

LOAS tests can be executed using five different methods, each creating distinct forensic artifacts and detection opportunities:

  1. CLI (osascript -e) - Direct command-line execution
  2. Script files (.scpt) - Pre-saved AppleScript files
  3. Swift wrappers (.swift) - AppleScript embedded in Swift
  4. Applet (.app) - Packaged as macOS applet bundles
  5. Compiled binaries - Standalone executables

These execution methods are documented in detail in the Red Canary Threat Detection Report. This documentation builds upon and expands their work.

Each method leaves different traces in your security logs, such as different parent-child process relationships, file system events, and security audit logs. Understanding these variations is critical for building comprehensive detection rules.

The GitHub releases page provides all of these different files for each test.

If you would like to compile the files yourself, install uv and then use the following commands:

git clone https://github.com/cyberbuff/loas.git
cd loas
uv sync
uv run main.py build

Each of these methods generates a different set of logs based on the execution tool.

The sample Endpoint Security logs below were gathered using Mac Monitor for each execution method when retrieving clipboard content.

CLI

This is the simplest way to execute commands from this repository.

osascript -e "the clipboard"

Script

Download the script from the releases page and execute it with osascript.

osascript get_clipboard_content_using_applescript_defaults.scpt

Swift

Download the Swift file from the releases page and execute it with Swift.

Note: You might need to install Xcode Developer Tools to run Swift files.

swift get_clipboard_content_using_applescript_defaults.swift

Applet

Download the .app file from the releases page and execute it.

open -n get_clipboard_content_using_applescript_defaults.app

Binary

Download the binary from the releases page and execute it.

./get_clipboard_content_using_applescript_defaults
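
The following is an added example, not code from the LOAS project or from this page: it classifies simplified process-exec events into the five execution methods above and measures how many of them a rule keyed only on the osascript binary would see. The event fields, the /Users/test paths, the swift and applet path patterns, and the function names are assumptions; the sample events are constructed, not Mac Monitor output.

```python
import os

# File name used in the commands on this page.
NAME = "get_clipboard_content_using_applescript_defaults"

# Constructed sample exec events. The "path"/"argv" fields are a simplified,
# assumed shape, not the Endpoint Security or Mac Monitor schema.
SAMPLE_EVENTS = [
    {"path": "/usr/bin/osascript", "argv": ["osascript", "-e", "the clipboard"]},
    {"path": "/usr/bin/osascript", "argv": ["osascript", NAME + ".scpt"]},
    {"path": "/usr/bin/swift", "argv": ["swift", NAME + ".swift"]},
    {"path": f"/Users/test/{NAME}.app/Contents/MacOS/applet", "argv": ["applet"]},
    {"path": f"/Users/test/{NAME}", "argv": ["./" + NAME]},
]


def classify(event):
    """Map one exec event to the execution method it most likely represents."""
    path, args = event["path"], event["argv"][1:]
    name = os.path.basename(path)
    if name == "osascript":
        if "-e" in args:  # script text passed inline
            return "cli"
        if any(a.endswith((".scpt", ".applescript")) for a in args):
            return "script"
        return "osascript-other"  # e.g. script read from stdin
    # Assumption: the Swift toolchain process is named swift* and is handed
    # the .swift source file as an argument.
    if name.startswith("swift") and any(a.endswith(".swift") for a in args):
        return "swift"
    # Assumption: the applet bundle's main executable is Contents/MacOS/applet.
    if path.endswith(".app/Contents/MacOS/applet"):
        return "applet"
    # A standalone binary has no telltale name or arguments in its exec event.
    return "unclassified"


def osascript_only_coverage(events):
    """Fraction of events seen by a rule that matches only the osascript binary."""
    hits = sum(1 for e in events if os.path.basename(e["path"]) == "osascript")
    return hits / len(events)


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{classify(e):13} {e['path']}")
    print("osascript-only coverage:", osascript_only_coverage(SAMPLE_EVENTS))
```

The last sample event falls through to "unclassified", so the compiled-binary method has to be covered by telemetry other than the process name and arguments.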