Techniques
Sample rules
GUI Input Capture - macOS
- source: sigma
- techniques:
  - t1056
  - t1056.002
Description
Detects attempts to use system dialog prompts to capture user credentials
Detection logic
condition: all of selection*
selection1:
  Image: /usr/sbin/osascript
selection2:
  CommandLine|contains|all:
    - -e
    - display
    - dialog
    - answer
selection3:
  CommandLine|contains:
    - admin
    - administrator
    - authenticate
    - authentication
    - credentials
    - pass
    - password
    - unlock
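
The detection logic above, evaluated over constructed process events, as an added example that is not part of the original rule or of the Sigma project. The event dictionaries are made up for illustration, and the matcher implements only the modifiers this rule uses (case-insensitive exact match, `contains`, and `all`).

```python
# Added example: a minimal evaluator for the rule's three selections.
# Only the Sigma modifiers used by this rule are implemented.
RULE = {
    "selection1": {"Image": ["/usr/sbin/osascript"]},
    "selection2": {"CommandLine|contains|all": ["-e", "display", "dialog", "answer"]},
    "selection3": {"CommandLine|contains": [
        "admin", "administrator", "authenticate", "authentication",
        "credentials", "pass", "password", "unlock"]},
}

def field_matches(key, values, event):
    """Match one 'Field|modifier' entry; Sigma string matching is case-insensitive."""
    name, *mods = key.split("|")
    actual = str(event.get(name, "")).lower()
    if "contains" in mods:
        hits = [v.lower() in actual for v in values]   # substring match
    else:
        hits = [v.lower() == actual for v in values]   # exact match
    # "all" requires every listed value; otherwise any one value is enough.
    return all(hits) if "all" in mods else any(hits)

def evaluate(event):
    """Return a per-selection verdict, useful when tuning the rule."""
    return {name: all(field_matches(k, v, event) for k, v in sel.items())
            for name, sel in RULE.items()}

def rule_fires(event):
    # condition: all of selection*
    return all(evaluate(event).values())

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Credential-style prompt: all three selections match.
    {"Image": "/usr/sbin/osascript",
     "CommandLine": "osascript -e 'display dialog \"Enter your password\" default answer \"\"'"},
    # Plain notification dialog: no "answer" and no credential keyword.
    {"Image": "/usr/sbin/osascript",
     "CommandLine": "osascript -e 'display dialog \"Build finished\" buttons {\"OK\"}'"},
    # Same command line, different binary: selection1 fails.
    {"Image": "/usr/bin/python3",
     "CommandLine": "osascript -e 'display dialog \"Enter your password\" default answer \"\"'"},
    # Benign prompt that still fires: "pass" is a substring of "compass".
    {"Image": "/usr/sbin/osascript",
     "CommandLine": "osascript -e 'display dialog \"Which compass heading?\" default answer \"N\"'"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(rule_fires(ev), evaluate(ev), ev["CommandLine"])
```

The fourth event shows why the short `pass` keyword in selection3 is worth watching when triaging alerts from this rule: it matches inside unrelated words.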