
Summary
This detection rule identifies the use of `osascript` on macOS to execute scripts via standard input, specifically to display dialogs that may prompt users for credentials. The rule matches process-start events for `osascript` whose command line contains a dialog call together with terms such as 'password' or 'passphrase', while excluding known legitimate parent processes to reduce false positives. Such dialogs are a common way to phish a user's login or keychain password under the guise of a system prompt, so a match suggests a potential attempt at credential theft through deceptive means. The detection is part of the Elastic Defend integration, which is set up via the Elastic Agent on endpoint hosts.
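The following is an added illustration written for this page, not the rule's own query or any Elastic code: a minimal re-implementation of the conditions described above, run over process-start events constructed inline. Field names follow the Elastic Common Schema style used by Elastic Defend, but the allowlist path, event ids and command lines are all constructed for the example, and the real rule's exclusions differ. The last sample event shows the caveat a practitioner should keep in mind: when the script is piped to `osascript` on standard input rather than passed with `-e`, the dialog text never appears in `process.args`, so an argument-based match alone cannot see it.

```python
import re
from typing import Iterable, List

# Hypothetical allowlist standing in for the rule's exclusion of known
# legitimate parent processes.  The path below is constructed for the example.
ALLOWED_PARENTS = {
    "/Applications/Example Backup.app/Contents/MacOS/Example Backup",
}

# AppleScript dialog call and credential-related words, matched case-insensitively.
DIALOG_RE = re.compile(r"display\s+dialog", re.IGNORECASE)
CRED_RE = re.compile(r"pass(word|phrase)", re.IGNORECASE)


def is_credential_prompt(event: dict) -> bool:
    """Return True when a process event looks like osascript showing a credential dialog.

    Conditions mirror the summary: a macOS process-start event for osascript
    whose arguments contain 'display dialog' plus 'password' or 'passphrase',
    with known-good parent processes excluded.
    """
    if event.get("event.category") != "process" or event.get("event.type") != "start":
        return False
    if event.get("host.os.type") != "macos" or event.get("process.name") != "osascript":
        return False
    if event.get("process.parent.executable") in ALLOWED_PARENTS:
        return False
    # Only text passed on the command line (osascript -e '...') is visible here;
    # a script fed on stdin never reaches process.args.
    args = " ".join(event.get("process.args", []))
    return bool(DIALOG_RE.search(args) and CRED_RE.search(args))


def detect(events: Iterable[dict]) -> List[str]:
    """Return the ids of events that match the detection."""
    return [e["id"] for e in events if is_credential_prompt(e)]


def _event(eid: str, parent: str, args: List[str], os_type: str = "macos") -> dict:
    return {
        "id": eid,
        "event.category": "process",
        "event.type": "start",
        "host.os.type": os_type,
        "process.name": "osascript",
        "process.parent.executable": parent,
        "process.args": ["osascript"] + args,
    }


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Rogue prompt from a shell: should alert.
    _event("t1-bash-dialog", "/bin/bash", [
        "-e",
        'display dialog "Your password has expired. Re-enter your password:" '
        'default answer "" with hidden answer',
    ]),
    # Benign notification, no credential wording: should not alert.
    _event("t2-notification", "/bin/bash", ["-e", 'display notification "Build finished"']),
    # Same dialog text but from an allowlisted parent: excluded.
    _event("t3-allowlisted", "/Applications/Example Backup.app/Contents/MacOS/Example Backup", [
        "-e", 'display dialog "Enter your password to continue" with hidden answer',
    ]),
    # Same wording on a non-macOS host: out of scope.
    _event("t4-not-macos", "/bin/bash", [
        "-e", 'display dialog "Enter your password" with hidden answer',
    ], os_type="linux"),
    # Passphrase wording: should alert.
    _event("t5-passphrase", "/bin/zsh", [
        "-e", 'display dialog "Enter your SSH passphrase" default answer "" with hidden answer',
    ]),
    # Script piped on stdin: no -e text in argv, so an argv-only match misses it.
    _event("t6-stdin", "/bin/sh", []),
]


if __name__ == "__main__":
    for eid in detect(SAMPLE_EVENTS):
        print("ALERT", eid)
```

Running the block prints alerts for `t1-bash-dialog` and `t5-passphrase` only. The `t6-stdin` miss is the reason the rule's intent (scripts via standard input) is hard to cover from process arguments alone; in practice that gap is closed with script-content telemetry or by also watching the parent that pipes into `osascript`.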
Categories
- Endpoint
- macOS
Data Sources
- Script
- Process
ATT&CK Techniques
- T1056
- T1056.002
Created: 2020-11-16