GUI Input Capture - macOS

 1title: GUI Input Capture - macOS
 2id: 60f1ce20-484e-41bd-85f4-ac4afec2c541
 3status: test
 4description: Detects attempts to use system dialog prompts to capture user credentials
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md
 7    - https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/
 8author: remotephone, oscd.community
 9date: 2020-10-13
10modified: 2022-12-25
11tags:
12    - attack.collection
13    - attack.credential-access
14    - attack.t1056.002
15logsource:
16    product: macos
17    category: process_creation
18detection:
19    selection1:
20        Image: '/usr/sbin/osascript'
21    selection2:
22        CommandLine|contains|all:
23            - '-e'
24            - 'display'
25            - 'dialog'
26            - 'answer'
27    selection3:
28        CommandLine|contains:
29            - 'admin'
30            - 'administrator'
31            - 'authenticate'
32            - 'authentication'
33            - 'credentials'
34            - 'pass'
35            - 'password'
36            - 'unlock'
37    condition: all of selection*
38falsepositives:
39    - Legitimate administration tools and activities
40level: low

References

• atomic-red-team/atomics/T1056.002/T1056.002.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

  

  Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

  
  Read More

• User Interaction from bash Scripts

  

  As MacAdmins our goal is to automate workflows when ever possible. The advantages of automation are great. You immediately reduce the workload, but also reduce the potential for someone to make a m…

  
  Read More

Related rules

• CredUI.DLL Loaded By Uncommon Process
• PUA - Mouse Lock Execution
• APT31 Judgement Panda Activity
• Attempts of Kerberos Coercion Via DNS SPN Spoofing
• DNS Query Request To OneLaunch Update Service