
Summary
This rule identifies potentially malicious activity on macOS systems where adversaries attempt to capture user credentials through deceptive graphical user interface (GUI) prompts. The relevant technique, T1056.002, refers specifically to GUI input capture. In legitimate contexts, macOS invokes prompts to obtain user credentials when applications require elevated privileges. Adversaries may abuse this convention by creating fake prompts that resemble legitimate system dialogs in order to trick users into entering sensitive information, such as passwords. The rule uses a Snowflake SQL query against `crowdstrikefdr_process` process event data to look for executions of `osascript`, the macOS command-line tool that runs AppleScript, a scripting language for automating interactions with macOS applications. The query checks for recent process events (within the last two hours) whose process invocation contains patterns indicating a dialog that asks for a password, namely `display dialog` together with the term 'password'; that combination is an indicator of a spoofed credential prompt.
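The detection logic described above, reproduced in Python over constructed sample events as an added example (the real rule is a Snowflake SQL query; the field names `timestamp`, `image_file_name` and `command_line` are assumptions, not the actual `crowdstrikefdr_process` schema):

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic; a live rule would use the current time.
NOW = datetime(2024, 2, 9, 12, 0, tzinfo=timezone.utc)

# Constructed sample process events. Field names are assumptions for this example,
# not the real crowdstrikefdr_process columns.
SAMPLE_EVENTS = [
    # osascript showing a password dialog 5 minutes ago: should match
    {"timestamp": NOW - timedelta(minutes=5),
     "image_file_name": "/usr/bin/osascript",
     "command_line": "osascript -e 'display dialog \"Enter your password\" default answer \"\"'"},
    # osascript dialog without any password wording: benign, should not match
    {"timestamp": NOW - timedelta(minutes=10),
     "image_file_name": "/usr/bin/osascript",
     "command_line": "osascript -e 'tell application \"Finder\" to display dialog \"Backup done\"'"},
    # matching pattern but 3 hours old: outside the two-hour window, should not match
    {"timestamp": NOW - timedelta(hours=3),
     "image_file_name": "/usr/bin/osascript",
     "command_line": "osascript -e 'display dialog \"password\"'"},
    # not osascript at all: should not match
    {"timestamp": NOW - timedelta(minutes=1),
     "image_file_name": "/bin/bash",
     "command_line": "bash -c 'echo password'"},
]


def is_spoofed_prompt_event(event, now=NOW, window=timedelta(hours=2)):
    """Apply the rule's three conditions to one event: within the lookback window,
    the process is osascript, and the invocation contains both 'display dialog'
    and 'password' (matched case-insensitively)."""
    if now - event["timestamp"] > window:
        return False
    if "osascript" not in event["image_file_name"].lower():
        return False
    cmd = event["command_line"].lower()
    return "display dialog" in cmd and "password" in cmd


def find_spoofed_prompts(events, now=NOW):
    """Return the events that the rule would alert on."""
    return [e for e in events if is_spoofed_prompt_event(e, now)]


if __name__ == "__main__":
    for hit in find_spoofed_prompts(SAMPLE_EVENTS):
        print(hit["timestamp"].isoformat(), hit["command_line"])
```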
Categories
- macOS
- Endpoint
Data Sources
- Process
- Application Log
ATT&CK Techniques
- T1056.002
Created: 2024-02-09