This documentation contains work-in-progress information for future Elastic Stack and Cloud releases. Use the version selector to view supported release docs. It also contains some Elastic Cloud serverless information. Check out our serverless docs for more details.

« Potential macOS SSH Brute Force Detected SystemKey Access via Command Line »

› ›

Prompt for Credentials with OSASCRIPT

edit

Prompt for Credentials with OSASCRIPT

edit

Identifies the use of osascript to execute scripts via standard input that may prompt a user with a rogue dialog for credentials.

Rule type: eql

Rule indices:

auditbeat-*
logs-endpoint.events.*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Elastic
Host
macOS
Threat Detection
Credential Access

Version: 101

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

edit

Rule query

edit

process where event.type in ("start", "process_started") and process.name : "osascript" and
 process.command_line : "osascript*display dialog*password*"

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Credential Access
- ID: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
Technique:
- Name: Input Capture
- ID: T1056
- Reference URL: https://attack.mitre.org/techniques/T1056/
Sub-technique:
- Name: GUI Input Capture
- ID: T1056.002
- Reference URL: https://attack.mitre.org/techniques/T1056/002/

« Potential macOS SSH Brute Force Detected SystemKey Access via Command Line »