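title: GUI Input Capture - macOS
id: 60f1ce20-484e-41bd-85f4-ac4afec2c541
status: experimental
description: Detects attempts to use system dialog prompts to capture user credentials
author: remotephone, oscd.community
date: 2020/10/13
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md
    - https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/
logsource:
    product: macos
    category: process_creation
detection:
    # All three selections must match the same process-creation event
    # (see `condition` below): the AppleScript interpreter, a text-entry
    # dialog built inline, and credential-themed wording in that dialog.
    selection1:
        Image:
            - '/usr/sbin/osascript'
    # `-e` runs an inline script; 'display' + 'dialog' + 'answer' together
    # describe a dialog with a text-entry field whose value is returned to
    # the caller (the pattern described in the scriptingosx reference).
    selection2:
        # Field name follows the Sigma process_creation taxonomy (`CommandLine`,
        # alongside `Image`); the earlier spelling `Commandline` would not be
        # mapped by backends and the rule would silently match nothing.
        CommandLine|contains|all:
            - '-e'
            - 'display'
            - 'dialog'
            - 'answer'
    # Credential-themed prompt text. Substring matching means 'admin' already
    # covers 'administrator' and 'pass' already covers 'password'; the longer
    # forms are kept for readability of the rule, not for extra coverage.
    selection3:
        CommandLine|contains:
            - 'admin'
            - 'administrator'
            - 'authenticate'
            - 'authentication'
            - 'credentials'
            - 'pass'
            - 'password'
            - 'unlock'
    condition: all of them
falsepositives:
    - Legitimate administration tools and activities
# Low because legitimate admin scripts use the same osascript dialog idiom;
# triage on the parent process and the full prompt text.
level: low
tags:
    - attack.credential_access
    - attack.t1056.002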