title: GUI Input Capture - macOS
id: 60f1ce20-484e-41bd-85f4-ac4afec2c541
status: experimental
description: Detects attempts to use system dialog prompts to capture user credentials
author: remotephone, oscd.community
date: 2020/10/13
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md
    - https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/
logsource:
    product: macos
    category: process_creation
detection:
    selection1:
        Image:
            - '/usr/sbin/osascript'
    selection2:
        Commandline|contains|all:
            - '-e'
            - 'display'
            - 'dialog'
            - 'answer'
    selection3:
        Commandline|contains:
            - 'admin'
            - 'administrator'
            - 'authenticate'
            - 'authentication'
            - 'credentials'
            - 'pass'
            - 'password'
            - 'unlock'
    condition: all of them
falsepositives:
    - Legitimate administration tools and activities
level: low
tags:
    - attack.credential_access
    - attack.t1056.002