GUI Input Capture - macOS
Detects attempts to use system dialog prompts to capture user credentials
Sigma rule
```yaml
title: GUI Input Capture - macOS
id: 60f1ce20-484e-41bd-85f4-ac4afec2c541
status: test
description: Detects attempts to use system dialog prompts to capture user credentials
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md
    - https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/
author: remotephone, oscd.community
date: 2020-10-13
modified: 2022-12-25
tags:
    - attack.credential-access
    - attack.t1056.002
logsource:
    product: macos
    category: process_creation
detection:
    selection1:
        Image: '/usr/sbin/osascript'
    selection2:
        CommandLine|contains|all:
            - '-e'
            - 'display'
            - 'dialog'
            - 'answer'
    selection3:
        CommandLine|contains:
            - 'admin'
            - 'administrator'
            - 'authenticate'
            - 'authentication'
            - 'credentials'
            - 'pass'
            - 'password'
            - 'unlock'
    condition: all of selection*
falsepositives:
    - Legitimate administration tools and activities
level: low
```
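To make the detection block concrete, the following Python re-implements the three selections and the `all of selection*` condition over process_creation events, and also reports which selection3 keyword fired, which helps when triaging a `low` level alert. This is an added example, not code from the Sigma project or this page; the `ProcessEvent` shape and the sample command lines are constructed.

```python
"""Re-implementation of the rule's detection block (added example, not Sigma code)."""
from dataclasses import dataclass

OSASCRIPT_IMAGE = "/usr/sbin/osascript"                 # selection1, exactly as the rule writes it
DIALOG_TOKENS = ("-e", "display", "dialog", "answer")    # selection2: every token must be present
CREDENTIAL_TOKENS = (                                    # selection3: any one token is enough
    "admin", "administrator", "authenticate", "authentication",
    "credentials", "pass", "password", "unlock",
)


@dataclass
class ProcessEvent:
    """Minimal constructed process_creation event with the two fields the rule reads."""
    image: str
    command_line: str


def matches_gui_input_capture(event: ProcessEvent) -> bool:
    """True when all three selections match ('all of selection*').
    Sigma string matching is case-insensitive by default, so compare lowercased text."""
    cmd = event.command_line.lower()
    selection1 = event.image.lower() == OSASCRIPT_IMAGE
    selection2 = all(tok in cmd for tok in DIALOG_TOKENS)
    selection3 = any(tok in cmd for tok in CREDENTIAL_TOKENS)
    return selection1 and selection2 and selection3


def triggered_credential_tokens(event: ProcessEvent) -> list[str]:
    """Which selection3 keywords fired. Note that 'pass' is a substring of 'password',
    so a prompt mentioning a password lists both tokens."""
    cmd = event.command_line.lower()
    return [tok for tok in CREDENTIAL_TOKENS if tok in cmd]


# Constructed sample events, not real telemetry.
PHISHING_PROMPT = ProcessEvent(
    OSASCRIPT_IMAGE,
    "osascript -e 'display dialog \"Keychain needs your password to continue\" "
    "default answer \"\" with hidden answer'",
)
BENIGN_PROMPT = ProcessEvent(          # same dialog shape, no credential keyword
    OSASCRIPT_IMAGE,
    "osascript -e 'display dialog \"Enter the hostname\" default answer \"\"'",
)
OTHER_BINARY = ProcessEvent(           # keywords present but selection1 fails
    "/usr/bin/python3",
    "python3 -c 'print(\"display dialog password answer -e\")'",
)

if __name__ == "__main__":
    for ev in (PHISHING_PROMPT, BENIGN_PROMPT, OTHER_BINARY):
        print(matches_gui_input_capture(ev), triggered_credential_tokens(ev), ev.image)
```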
Related rules
- CredUI.DLL Loaded By Uncommon Process
- PUA - Mouse Lock Execution
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- ADCS Certificate Template Configuration Vulnerability