Living Off the Orchard: Apple Script (LOAS)

Living Off the Orchard: Apple Script is a library of AppleScript and JXA tests mapped to the MITRE ATT&CK® framework. Security teams can use LOAS to quickly, portably, and reproducibly test their macOS environments using multiple execution methods, each generating different endpoint security logs. This makes it ideal for:

• Security testing and validation
• Endpoint detection rule development
• Red team operations
• Security research and education

Quick Start

Download Pre-built Tests

Download pre-compiled tests from the latest release. Each test is available in multiple formats:

• .scpt - AppleScript file
• .swift - Swift executable
• .app - macOS application
• Binary executable

Build from Source

# Clone the repository
git clone https://github.com/cyberbuff/loas.git
cd loas

# Install dependencies
uv sync

# Validate YAML files
uv run main.py validate

# Build all test files
uv run main.py build

Execution Methods

LOAS provides multiple execution methods, each generating different endpoint security logs. These methods are documented in the Red Canary Threat Detection Report.

1. osascript CLI

Execute commands directly from the command line:

osascript -e "the clipboard"

2. Script File

Execute a script file with osascript:

osascript get_clipboard_content_using_applescript_defaults.scpt

3. Swift

Execute using Swift (requires XCode Developer Tools):

swift get_clipboard_content_using_applescript_defaults.swift

4. Applet

Execute as a macOS application:

open -n get_clipboard_content_using_applescript_defaults.app

5. Binary

Execute as a compiled binary:

./get_clipboard_content_using_applescript_defaults

MITRE ATT&CK Coverage

LOAS implements various MITRE ATT&CK techniques using AppleScript and JXA. View the interactive coverage map:

• Interactive ATT&CK Navigator

Contributing

We welcome contributions! To add new tests:

1. Create a YAML file in the appropriate technique directory under yaml/
2. Follow the YAML structure with required fields: name, language, description, command
3. Run validation: uv run main.py validate
4. Submit a pull request

Documentation

For complete documentation, visit loas.dev:

• Execution Methods - Different ways to execute tests
• Contributing Guide - How to write YAML test files
• ATT&CK Coverage - Interactive technique coverage

Requirements

• macOS
• uv (if you are building from source)
• XCode Developer Tools (for Swift execution method)

Security Notice

This project is intended for authorized security testing, research, and educational purposes only. Users are responsible for ensuring they have proper authorization before running these tests on any system.

License

See LICENSE file for details.