DET0521 Behavioral Detection of Spoofed GUI Credential Prompts
| Item | Value |
|---|---|
| ID | DET0521 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1056.002 (GUI Input Capture)
Analytics
Windows
AN1440
Detects suspicious use of PowerShell, .NET, or script interpreters to spawn processes that mimic UAC prompts, often with credential capture dialogue boxes invoked from non-standard parent processes.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| CommandLine | Tunable to detect suspicious prompts like ‘Enter your password’ or ‘CredentialRequired’ |
| ParentProcessName | Tune to flag UI prompts spawned from unexpected processes like cmd.exe or user scripts |
| TimeWindow | Scope correlation of script execution and prompt appearance |
Linux
AN1441
Detects GUI-based credential prompts invoked via zenity/kdialog/dialog or X11 APIs from non-user-facing scripts or background shell sessions, often with authentication-related text.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| ExecutableName | Filter zenity/kdialog prompts launched from unexpected parent shells |
| PromptString | Look for ‘password’, ‘authentication required’, or similar tokens |
macOS
AN1442
Detects AppleScript or Objective-C usage to generate fake authentication windows (e.g., using display dialog or NSAlert) from user-launched or persistence-related processes.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| ScriptContent | AppleScript snippets like ‘display dialog’ or ‘with hidden answer’ |
| ProcessPath | Tune out Apple-signed and expected automation tasks |