EXPLORE
Sign In
← Back to Explore
T1056.002

GUI Input Capture

Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)). Adversaries may mimic this functionality to prompt ...

macOSWindowsLinux
5
Detections
3
Sources
2
Threat Actors

BY SOURCE

3sigma1elastic1splunk_escu

PROCEDURES (3)

Process Creation Monitoring3 detections

Auto-extracted: 3 detections for process creation monitoring

Module Load Monitoring1 detections

Auto-extracted: 1 detections for module load monitoring

Script Execution Monitoring1 detections

Auto-extracted: 1 detections for script execution monitoring

THREAT ACTORS (2)

FIN4RedCurl

DETECTIONS (5)

CredUI.DLL Loaded By Uncommon Process
sigmamedium
GUI Input Capture - macOS
sigmalow
Prompt for Credentials with Osascript
elastichigh
PUA - Mouse Lock Execution
sigmamedium
Windows Input Capture Using Credential UI Dll
splunk_escu