Techniques
Sample rules
GUI Input Capture - macOS
- source: sigma
- techniques:
  - t1056
  - t1056.002
Description
Detects attempts to use system dialog prompts to capture user credentials
Detection logic
condition: all of selection_*
selection_cli_1:
  CommandLine|contains|all:
    - -e
    - display
    - dialog
    - answer
selection_cli_2:
  CommandLine|contains:
    - admin
    - administrator
    - authenticate
    - authentication
    - credentials
    - pass
    - password
    - unlock
selection_img:
  Image|endswith: /osascript
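An added example, not part of the Sigma rule or this page: a small Python evaluator that applies the three selections above to constructed process-creation events, showing how `contains|all`, `contains` and `endswith` combine and where the broad `pass` substring produces a benign match. The event field layout and sample command lines are assumptions made for illustration; matching is case-insensitive, which is Sigma's default for string values.

```python
# Added example: evaluates the rule's three selections against constructed events.
ALL_OF = ["-e", "display", "dialog", "answer"]            # selection_cli_1 (contains|all)
ANY_OF = ["admin", "administrator", "authenticate", "authentication",
          "credentials", "pass", "password", "unlock"]     # selection_cli_2 (contains)
IMAGE_SUFFIX = "/osascript"                                # selection_img (endswith)


def matches(event):
    """Return True when all three selections match (condition: all of selection_*)."""
    # Sigma string values are compared case-insensitively by default.
    cmd = event.get("CommandLine", "").lower()
    img = event.get("Image", "").lower()
    cli_1 = all(tok in cmd for tok in ALL_OF)   # every token must be present
    cli_2 = any(tok in cmd for tok in ANY_OF)   # one credential keyword is enough
    sel_img = img.endswith(IMAGE_SUFFIX)
    return cli_1 and cli_2 and sel_img


# Constructed process-creation events (not real telemetry).
EVENTS = [
    # Dialog asking for a password: all three selections match.
    {"Image": "/usr/bin/osascript",
     "CommandLine": 'osascript -e display dialog "Enter your Password" default answer ""'},
    # Dialog with a text field but no credential keyword: selection_cli_2 fails.
    {"Image": "/usr/bin/osascript",
     "CommandLine": 'osascript -e display dialog "Project name?" default answer ""'},
    # Same words, different binary: selection_img fails.
    {"Image": "/bin/echo",
     "CommandLine": "echo -e display dialog password answer"},
    # "pass" is a substring match, so "Bypass" also satisfies selection_cli_2.
    {"Image": "/usr/bin/osascript",
     "CommandLine": 'osascript -e display dialog "Bypass cache?" default answer "no"'},
]


def evaluate(events):
    """Return one boolean per event, in order."""
    return [matches(e) for e in events]


if __name__ == "__main__":
    for e, hit in zip(EVENTS, evaluate(EVENTS)):
        print("ALERT" if hit else "-----", e["CommandLine"])
```

The fourth event is the case to tune for: legitimate scripts whose dialog text contains words such as "bypass" or "passive" will alert because `pass` is matched as a substring.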