Merge PR #6027 from @norbert791 - Fix false positives for OpenCode to some osascript related rules

fix: MacOS Scripting Interpreter AppleScript - Add filter for OpenCode
fix: Clipboard Access Via OSAScript - Filter OpenCode and update metadata
---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>

Author: 3 people

rules/macos/process_creation/proc_creation_macos_applescript.yml

@@ -7,7 +7,7 @@ references:
     - https://redcanary.com/blog/applescript/
 author: Alejandro Ortuno, oscd.community
 date: 2020-10-21
-modified: 2023-02-01
+modified: 2026-05-21
 tags:
     - attack.execution
     - attack.t1059.002
@@ -21,7 +21,15 @@ detection:
             - ' -e '
             - '.scpt'
             - '.js'
-    condition: selection
+    filter_optional_opencode:
+        # OpenCode uses osascript to handle copying text from the TUI on MacOS devices. See https://github.com/anomalyco/opencode/blob/ca723f1cbc6fc4244ae57e61e9de8c4e37380ed4/packages/opencode/src/cli/cmd/tui/util/clipboard.ts#L65 for reference.
+        ParentImage|endswith: 'opencode'
+        CommandLine|contains|all:
+            - 'osascript'
+            - ' -e '
+            - 'set imageData to the clipboard'
+            - 'set fileRef'
+    condition: selection and not 1 of filter_optional_*
 falsepositives:
     - Application installers might contain scripts as part of the installation process.
 level: medium

rules/macos/process_creation/proc_creation_macos_clipboard_access_via_osascript.yml

@@ -0,0 +1,39 @@
+title: Clipboard Access Via OSAScript
+id: 7794fa3c-edea-4cff-bec7-267dd4770fd7
+related:
+    - id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55
+      type: derived
+status: test
+description: Detects access to clipboard content via osascript, which may be used for data collection but also occurs in legitimate clipboard utilities and automation scripts
+references:
+    - https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/
+author: Sohan G (D4rkCiph3r)
+date: 2023-01-31
+modified: 2026-05-22
+tags:
+    - attack.collection
+    - attack.execution
+    - attack.t1115
+    - attack.t1059.002
+logsource:
+    product: macos
+    category: process_creation
+detection:
+    selection:
+        Image|endswith: '/osascript'
+        CommandLine|contains|all:
+            - ' -e '
+            - 'clipboard'
+    filter_optional_opencode:
+        # OpenCode uses osascript to handle copying text from the TUI on MacOS devices. See https://github.com/anomalyco/opencode/blob/ca723f1cbc6fc4244ae57e61e9de8c4e37380ed4/packages/opencode/src/cli/cmd/tui/util/clipboard.ts#L65 for reference.
+        ParentImage|endswith: 'opencode'
+        CommandLine|contains|all:
+            - 'osascript'
+            - ' -e '
+            - 'set imageData to the clipboard'
+            - 'set fileRef'
+    condition: selection and not 1 of filter_optional_*
+falsepositives:
+    - Legitimate clipboard utilities and automation scripts that read or write clipboard content
+    - Developer tools and IDEs that use osascript for clipboard integration
+level: medium