sigma | low | Hunting
GUI Input Capture - macOS
Detects attempts to use system dialog prompts to capture user credentials
Detection Query
selection_img:
  Image|endswith: /osascript
selection_cli_1:
  CommandLine|contains|all:
    - -e
    - display
    - dialog
    - answer
selection_cli_2:
  CommandLine|contains:
    - admin
    - administrator
    - authenticate
    - authentication
    - credentials
    - pass
    - password
    - unlock
condition: all of selection_*
Author
remotephone, oscd.community
Created
2020-10-13
Data Sources
macos, Process Creation Events
Platforms
macos
References
Tags
attack.collection, attack.credential-access, attack.t1056.002
Raw Content
title: GUI Input Capture - macOS
id: 60f1ce20-484e-41bd-85f4-ac4afec2c541
status: test
description: Detects attempts to use system dialog prompts to capture user credentials
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md
    - https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/
author: remotephone, oscd.community
date: 2020-10-13
modified: 2025-12-05
tags:
    - attack.collection
    - attack.credential-access
    - attack.t1056.002
logsource:
    product: macos
    category: process_creation
detection:
    selection_img:
        Image|endswith: '/osascript'
    selection_cli_1:
        CommandLine|contains|all:
            - '-e'
            - 'display'
            - 'dialog'
            - 'answer'
    selection_cli_2:
        CommandLine|contains:
            - 'admin'
            - 'administrator'
            - 'authenticate'
            - 'authentication'
            - 'credentials'
            - 'pass'
            - 'password'
            - 'unlock'
    condition: all of selection_*
falsepositives:
    - Legitimate administration tools and activities
level: low
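
The rule's matching logic, as an added Python example that is not part of the original rule or of the Sigma project's code: it evaluates the three selections, with Sigma's default case-insensitive string matching, against process-creation events. The event values and the helper names (`hits`, `selection_matches`, `rule_matches`, `keyword_hits`) are assumptions made for illustration.

```python
# Added example: the rule's selections evaluated over constructed events.
RULE = {
    "selection_img": {"Image|endswith": ["/osascript"]},
    "selection_cli_1": {"CommandLine|contains|all": ["-e", "display", "dialog", "answer"]},
    "selection_cli_2": {"CommandLine|contains": [
        "admin", "administrator", "authenticate", "authentication",
        "credentials", "pass", "password", "unlock"]},
}

def hits(event, key, values):
    """Return the rule values that match the event field named in `key`.
    Handles only the modifiers this rule uses (endswith, contains, all)."""
    field, *mods = key.split("|")
    actual = str(event.get(field, "")).lower()  # Sigma string matching ignores case
    test = actual.endswith if "endswith" in mods else actual.__contains__
    return [v for v in values if test(v.lower())]

def selection_matches(event, selection):
    for key, values in selection.items():
        found = hits(event, key, values)
        need_all = "all" in key.split("|")[1:]
        if (len(found) != len(values)) if need_all else (not found):
            return False
    return True

def rule_matches(event):
    # condition: all of selection_*
    return all(selection_matches(event, sel) for sel in RULE.values())

def keyword_hits(event):
    """Which selection_cli_2 keywords fired; useful context when triaging an alert."""
    (key, values), = RULE["selection_cli_2"].items()
    return hits(event, key, values)

# Constructed process-creation events (not real telemetry).
EVENTS = [
    {"Image": "/usr/bin/osascript",
     "CommandLine": 'osascript -e display dialog "Enter your password" default answer ""'},
    {"Image": "/usr/bin/osascript",
     "CommandLine": 'osascript -e display dialog "Choose a printer name" default answer ""'},
    {"Image": "/usr/bin/osascript",
     "CommandLine": 'osascript -e display dialog "Backup passed. Add a note?" default answer ""'},
    {"Image": "/bin/zsh",
     "CommandLine": 'zsh -c "echo display dialog answer password -e"'},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(rule_matches(ev), keyword_hits(ev), ev["CommandLine"])
```

The third event matches only because the bare `pass` substring fires on "passed", which is the kind of benign hit behind the rule's low level; the same substring also makes the `password` entry redundant.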