IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Prompt for Credentials with OSASCRIPT
editPrompt for Credentials with OSASCRIPT
editIdentifies the use of osascript to execute scripts via standard input that may prompt a user with a rogue dialog for credentials.
Rule type: eql
Rule indices:
- auditbeat-*
- logs-endpoint.events.*
Severity: high
Risk score: 73
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- OS: macOS
- Use Case: Threat Detection
- Tactic: Credential Access
- Data Source: Elastic Defend
Version: 104
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
editRule query
editprocess where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and process.command_line : "osascript*display dialog*password*"
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Credential Access
- ID: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
-
Technique:
- Name: Input Capture
- ID: T1056
- Reference URL: https://attack.mitre.org/techniques/T1056/
-
Sub-technique:
- Name: GUI Input Capture
- ID: T1056.002
- Reference URL: https://attack.mitre.org/techniques/T1056/002/