GUI Input Capture - macOS

 1title: GUI Input Capture - macOS
 2id: 60f1ce20-484e-41bd-85f4-ac4afec2c541
 3status: test
 4description: Detects attempts to use system dialog prompts to capture user credentials
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md
 7    - https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/
 8author: remotephone, oscd.community
 9date: 2020/10/13
10modified: 2022/12/25
11tags:
12    - attack.credential_access
13    - attack.t1056.002
14logsource:
15    product: macos
16    category: process_creation
17detection:
18    selection1:
19        Image: '/usr/sbin/osascript'
20    selection2:
21        CommandLine|contains|all:
22            - '-e'
23            - 'display'
24            - 'dialog'
25            - 'answer'
26    selection3:
27        CommandLine|contains:
28            - 'admin'
29            - 'administrator'
30            - 'authenticate'
31            - 'authentication'
32            - 'credentials'
33            - 'pass'
34            - 'password'
35            - 'unlock'
36    condition: all of selection*
37falsepositives:
38    - Legitimate administration tools and activities
39level: low

References

• atomic-red-team/atomics/T1056.002/T1056.002.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

  

  Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

  
  Read More

• User Interaction from bash Scripts

  

  As MacAdmins our goal is to automate workflows when ever possible. The advantages of automation are great. You immediately reduce the workload, but also reduce the potential for someone to make a m…

  
  Read More

Related rules

• ADCS Certificate Template Configuration Vulnerability
• ADCS Certificate Template Configuration Vulnerability with Risky EKU
• Esentutl Volume Shadow Copy Service Keys
• Suspicious Unattend.xml File Access
• Network Sniffing - Linux