diff --git a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
index 626651d96..64d39eea8 100644
--- a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
+++ b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/07"
 maturity = "production"
-updated_date = "2021/05/26"
+updated_date = "2022/07/21"
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ license = "Elastic License v2"
 name = "Apple Script Execution followed by Network Connection"
 references = [
 "https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html",
- "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
+ "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml",
 ]
 risk_score = 47
 rule_id = "47f76567-d58a-4fed-b32b-21f571e28910"
@@ -42,6 +42,11 @@ framework = "MITRE ATT&CK"
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.002"
+name = "AppleScript"
+reference = "https://attack.mitre.org/techniques/T1059/002/"
+
 [rule.threat.tactic]