
Summary
This detection rule identifies potential malicious attempts to capture user credentials on macOS systems through the manipulation of system dialog prompts. It focuses on the use of the `osascript` command, a command-line utility that runs AppleScript and other Open Scripting Architecture scripts, which can drive macOS applications and display system dialogs. The rule specifies a series of conditions that must all be met to trigger an alert. These conditions detect the invocation of `osascript` with command-line arguments that suggest it is creating a dialog or prompting the user for input, particularly when the prompt relates to sensitive credentials. The command line must contain at least one term indicative of dialog creation (e.g., 'display', 'dialog', 'answer') and at least one term related to authentication (e.g., 'admin', 'password', 'credentials'). By monitoring these indicators, the rule seeks to catch automated scripts or malicious activity attempting to trick users into entering sensitive information.
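As an added example (not part of the rule or its project), the rule's two-condition logic applied to a few constructed process events; the event field names `process.name` and `process.command_line`, the sample events, and the substring-matching style are assumptions of this example:

```python
# Term sets taken from the rule summary: a command line must contain at least
# one dialog-creation term AND at least one authentication term.
DIALOG_TERMS = ("display", "dialog", "answer")
AUTH_TERMS = ("admin", "password", "credentials")


def matches_rule(event):
    """Return True when a process event satisfies the rule's conditions.

    Assumed event shape (an assumption of this example, not the rule's schema):
    {"process": {"name": "<executable name>", "command_line": "<full command line>"}}
    """
    proc = event.get("process", {})
    if str(proc.get("name", "")).lower() != "osascript":
        return False
    cmdline = str(proc.get("command_line", "")).lower()
    # Case-insensitive substring matching, so "Password" and "passwords" both count.
    has_dialog = any(term in cmdline for term in DIALOG_TERMS)
    has_auth = any(term in cmdline for term in AUTH_TERMS)
    return has_dialog and has_auth


def scan(events):
    """Return the subset of events that would raise an alert."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events for this example; field names are assumptions.
SAMPLE_EVENTS = [
    {"id": 1, "process": {"name": "osascript", "command_line":
        "osascript -e 'display dialog \"Enter your admin password\" default answer \"\" with hidden answer'"}},
    {"id": 2, "process": {"name": "osascript", "command_line":
        "osascript -e 'display dialog \"Backup finished\" buttons {\"OK\"}'"}},
    {"id": 3, "process": {"name": "bash", "command_line":
        "bash -c 'echo display dialog password'"}},
    {"id": 4, "process": {"name": "osascript", "command_line":
        "osascript /tmp/prompt.scpt"}},  # script body is not visible on the command line
]


def alerting_ids(events=SAMPLE_EVENTS):
    """IDs of the events that match; convenient for checking the logic."""
    return [e["id"] for e in scan(events)]


if __name__ == "__main__":
    print(alerting_ids())  # [1]
```

Event 4 illustrates the rule's blind spot: when the dialog is built inside a script file rather than passed with `-e`, the indicative terms never appear on the command line, so a command-line-only rule does not fire and script-content or file-creation telemetry is needed to cover that case.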
Categories
- macOS
Data Sources
- Process
ATT&CK Techniques
- T1056.002
Created: 2020-10-13