This documentation contains work-in-progress information for future Elastic Stack and Cloud releases. Use the version selector to view supported release docs. It also contains some Elastic Cloud serverless information. Check out our serverless docs for more details.

« Keychain Password Retrieval via Command Line Attempt to Remove File Quarantine Attribute »

› ›

Prompt for Credentials with OSASCRIPT

edit

Prompt for Credentials with OSASCRIPT

edit

Identifies the use of osascript to execute scripts via standard input that may prompt a user with a rogue dialog for credentials.

Rule type: eql

Rule indices:

auditbeat-*
logs-endpoint.events.*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Elastic
Host
macOS
Threat Detection
Credential Access

Version: 6

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

edit

Rule query

edit

process where event.type in ("start", "process_started") and process.name : "osascript" and
 process.command_line : "osascript*display dialog*password*"

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Credential Access
- ID: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
Technique:
- Name: Input Capture
- ID: T1056
- Reference URL: https://attack.mitre.org/techniques/T1056/
Sub-technique:
- Name: GUI Input Capture
- ID: T1056.002
- Reference URL: https://attack.mitre.org/techniques/T1056/002/

« Keychain Password Retrieval via Command Line Attempt to Remove File Quarantine Attribute »