T1056.002

GUI Input Capture

Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. This includes spoofing Windows UAC dialogs, macOS authentication prompts, or application-specific login windows using scripting languages such as PowerShell, AppleScript, or shell scripts. Threat actors leverage this technique to harvest credentials without exploiting technical vulnerabilities, instead relying on user trust in familiar UI elements. Real-world examples include Proton, Calisto, Keydnap, FIN4, and RedCurl using fake dialogs to steal credentials.

Microsoft Sentinel / Defender

kusto

let CredPhishPatterns = dynamic([
  "PromptForCredential",
  "Get-Credential",
  "credphish",
  "credential prompt",
  "DialogBox",
  "WinForms",
  "System.Windows.Forms",
  "[System.Reflection.Assembly]::LoadWithPartialName",
  "ShowDialog",
  "InputBox",
  "VisualBasic.Interaction",
  "Microsoft.VisualBasic",
  "osascript"
]);
let SuspiciousParents = dynamic([
  "wscript.exe", "cscript.exe", "mshta.exe",
  "rundll32.exe", "regsvr32.exe",
  "winword.exe", "excel.exe", "powerpnt.exe",
  "outlook.exe", "msedge.exe", "chrome.exe", "firefox.exe"
]);
// PowerShell-based credential prompt detection
let PSCredPrompt = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (CredPhishPatterns)
| extend PromptType = case(
    ProcessCommandLine has "Get-Credential", "Get-Credential API",
    ProcessCommandLine has "PromptForCredential", "Host.PromptForCredential",
    ProcessCommandLine has "System.Windows.Forms", "WinForms Dialog",
    ProcessCommandLine has "VisualBasic", "VB InputBox",
    ProcessCommandLine has "ShowDialog", "WPF/WinForms ShowDialog",
    "Unknown Prompt Pattern"
  )
| extend SuspiciousParent = InitiatingProcessFileName has_any (SuspiciousParents)
| extend HiddenExecution = ProcessCommandLine has_any ("-WindowStyle Hidden", "-w hidden", "-NonInteractive")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         PromptType, SuspiciousParent, HiddenExecution
| extend Source = "PowerShell";
// cmd/wscript-based dialog prompt detection (mshta, VBScript InputBox)
let ScriptCredPrompt = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("mshta.exe", "wscript.exe", "cscript.exe")
| where ProcessCommandLine has_any ("InputBox", "PromptForCredential", "PasswordInputPrompt", "credential", "password")
| extend PromptType = "Script-based InputBox"
| extend SuspiciousParent = InitiatingProcessFileName has_any (SuspiciousParents)
| extend HiddenExecution = false
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         PromptType, SuspiciousParent, HiddenExecution
| extend Source = "Script";
// Union results
PSCredPrompt
| union ScriptCredPrompt
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

IT helpdesk scripts using Get-Credential to prompt administrators for credentials during legitimate remote management tasks
Software installers that use PowerShell PromptForCredential to request elevated permissions before performing system changes
Internal developer tools or automation platforms that use Windows Forms dialogs to collect configuration input from operators
Password management applications that use ShowDialog or similar APIs as part of their legitimate credential management UI

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
  (Image="*\\powershell.exe" OR Image="*\\pwsh.exe" OR Image="*\\mshta.exe" OR Image="*\\wscript.exe" OR Image="*\\cscript.exe")
| eval CommandLine=lower(CommandLine)
| eval GetCredential=if(match(CommandLine, "(get-credential|promptforcredential|credphish)"), 1, 0)
| eval WinFormsDialog=if(match(CommandLine, "(system\.windows\.forms|showdialog|winforms|loadwithpartialname)"), 1, 0)
| eval VBInputBox=if(match(CommandLine, "(inputbox|microsoft\.visualbasic|visualbasic\.interaction)"), 1, 0)
| eval HiddenExecution=if(match(CommandLine, "(-windowstyle\s+hidden|-w\s+hidden|-noninteractive)"), 1, 0)
| eval SuspiciousParent=if(match(lower(ParentImage), "(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|mshta\.exe|wscript\.exe|cscript\.exe|rundll32\.exe|regsvr32\.exe|chrome\.exe|firefox\.exe|msedge\.exe)"), 1, 0)
| eval CredPhishScore=GetCredential + WinFormsDialog + VBInputBox + HiddenExecution + SuspiciousParent
| where CredPhishScore > 0
| eval PromptType=case(
    GetCredential=1, "Get-Credential / PromptForCredential",
    WinFormsDialog=1, "WinForms ShowDialog",
    VBInputBox=1, "VBScript InputBox",
    1=1, "Generic Credential Prompt"
  )
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, PromptType, GetCredential, WinFormsDialog, VBInputBox, HiddenExecution, SuspiciousParent, CredPhishScore
| sort - CredPhishScore, - _time

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

IT helpdesk scripts using Get-Credential to prompt administrators for credentials during legitimate remote management tasks
Software installers that use PowerShell PromptForCredential to request elevated permissions before performing system changes
Internal developer tools or automation platforms that use Windows Forms dialogs to collect configuration input from operators
Password management applications that use ShowDialog or similar APIs as part of their legitimate credential management UI

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "username",
  "sourceip",
  "hostname",
  LOWER("Process Name") AS process_name,
  LOWER("Command") AS command_line,
  LOWER("Parent Process") AS parent_process,
  CASE
    WHEN LOWER("Command") ILIKE '%get-credential%' OR LOWER("Command") ILIKE '%promptforcredential%' OR LOWER("Command") ILIKE '%credphish%' THEN 'Get-Credential/PromptForCredential'
    WHEN LOWER("Command") ILIKE '%system.windows.forms%' OR LOWER("Command") ILIKE '%showdialog%' OR LOWER("Command") ILIKE '%loadwithpartialname%' THEN 'WinForms Dialog'
    WHEN LOWER("Command") ILIKE '%inputbox%' OR LOWER("Command") ILIKE '%microsoft.visualbasic%' OR LOWER("Command") ILIKE '%visualbasic.interaction%' THEN 'VBScript InputBox'
    ELSE 'Generic Credential Prompt'
  END AS prompt_type,
  CASE
    WHEN LOWER("Command") ILIKE '%-windowstyle hidden%' OR LOWER("Command") ILIKE '%-w hidden%' OR LOWER("Command") ILIKE '%-noninteractive%' THEN 1
    ELSE 0
  END AS hidden_execution,
  CASE
    WHEN LOWER("Parent Process") ILIKE '%winword.exe%' OR LOWER("Parent Process") ILIKE '%excel.exe%'
      OR LOWER("Parent Process") ILIKE '%powerpnt.exe%' OR LOWER("Parent Process") ILIKE '%outlook.exe%'
      OR LOWER("Parent Process") ILIKE '%mshta.exe%' OR LOWER("Parent Process") ILIKE '%wscript.exe%'
      OR LOWER("Parent Process") ILIKE '%cscript.exe%' OR LOWER("Parent Process") ILIKE '%rundll32.exe%'
      OR LOWER("Parent Process") ILIKE '%regsvr32.exe%' OR LOWER("Parent Process") ILIKE '%chrome.exe%'
      OR LOWER("Parent Process") ILIKE '%firefox.exe%' OR LOWER("Parent Process") ILIKE '%msedge.exe%' THEN 1
    ELSE 0
  END AS suspicious_parent
FROM events
WHERE LOGSOURCETYPEID IN (13 /* Sysmon */, 12 /* Microsoft Windows Security Event Log */)
  AND qid = (SELECT qid FROM qidmap WHERE qidname = 'Process Create' LIMIT 1)
  AND (
    LOWER("Process Name") ILIKE '%powershell.exe%'
    OR LOWER("Process Name") ILIKE '%pwsh.exe%'
    OR LOWER("Process Name") ILIKE '%mshta.exe%'
    OR LOWER("Process Name") ILIKE '%wscript.exe%'
    OR LOWER("Process Name") ILIKE '%cscript.exe%'
  )
  AND (
    LOWER("Command") ILIKE '%get-credential%'
    OR LOWER("Command") ILIKE '%promptforcredential%'
    OR LOWER("Command") ILIKE '%credphish%'
    OR LOWER("Command") ILIKE '%system.windows.forms%'
    OR LOWER("Command") ILIKE '%showdialog%'
    OR LOWER("Command") ILIKE '%loadwithpartialname%'
    OR LOWER("Command") ILIKE '%inputbox%'
    OR LOWER("Command") ILIKE '%microsoft.visualbasic%'
    OR LOWER("Command") ILIKE '%visualbasic.interaction%'
    OR LOWER("Command") ILIKE '%osascript%'
    OR LOWER("Command") ILIKE '%dialogbox%'
  )
  AND starttime > (CURRENT_TIMESTAMP - 86400000)
ORDER BY starttime DESC

high severity high confidence

Data Sources

Microsoft Windows Sysmon (LOGSOURCETYPEID 13) Microsoft Windows Security Event Log (LOGSOURCETYPEID 12)

Required Tables

events

False Positives

Automated IT provisioning scripts using Get-Credential or PromptForCredential to collect service account credentials during scheduled maintenance windows
Internal ITSM tooling that launches PowerShell dialogs for multi-factor prompts or helpdesk credential reset workflows
Enterprise software installers using WinForms-based setup wizards that collect license or user credentials during deployment

Sumo Logic CSE

sql

(_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security")
| where EventID = "1" OR EventID = "4688"
| where (process_name matches /(?i)(powershell\.exe|pwsh\.exe|mshta\.exe|wscript\.exe|cscript\.exe)/)
| where (
    command_line matches /(?i)(get-credential|promptforcredential|credphish|credential.prompt)/ OR
    command_line matches /(?i)(system\.windows\.forms|showdialog|winforms|loadwithpartialname)/ OR
    command_line matches /(?i)(inputbox|microsoft\.visualbasic|visualbasic\.interaction)/ OR
    command_line matches /(?i)(osascript|dialogbox)/
  )
| eval get_credential = if(command_line matches /(?i)(get-credential|promptforcredential|credphish)/, 1, 0)
| eval winforms_dialog = if(command_line matches /(?i)(system\.windows\.forms|showdialog|loadwithpartialname)/, 1, 0)
| eval vb_inputbox = if(command_line matches /(?i)(inputbox|microsoft\.visualbasic|visualbasic\.interaction)/, 1, 0)
| eval hidden_execution = if(command_line matches /(?i)(-windowstyle\s+hidden|-w\s+hidden|-noninteractive)/, 1, 0)
| eval suspicious_parent = if(parent_process matches /(?i)(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|mshta\.exe|wscript\.exe|cscript\.exe|rundll32\.exe|regsvr32\.exe|chrome\.exe|firefox\.exe|msedge\.exe)/, 1, 0)
| eval credphish_score = get_credential + winforms_dialog + vb_inputbox + hidden_execution + suspicious_parent
| where credphish_score > 0
| eval prompt_type = if(get_credential = 1, "Get-Credential/PromptForCredential",
    if(winforms_dialog = 1, "WinForms ShowDialog",
    if(vb_inputbox = 1, "VBScript InputBox", "Generic Credential Prompt")))
| fields _messagetime, host, user, process_name, command_line, parent_process, prompt_type, get_credential, winforms_dialog, vb_inputbox, hidden_execution, suspicious_parent, credphish_score
| sort by credphish_score desc, _messagetime desc

high severity high confidence

Data Sources

Sysmon for Windows (EventID 1) Windows Security Event Log (EventID 4688) Sumo Logic Cloud SIEM Windows source

Required Tables

windows/sysmon windows/security

False Positives

PowerShell-based onboarding or HR systems that display Get-Credential prompts to collect initial Active Directory credentials for new employee accounts
Security awareness training platforms that simulate phishing scenarios using WinForms dialogs as part of controlled exercises
Monitoring and observability agents that use WinForms or PowerShell dialogs for interactive configuration during initial setup on managed endpoints

Google Chronicle / SecOps

yaral

rule t1056_002_gui_input_capture_cred_dialog {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects GUI input capture via fake credential dialogs (T1056.002). Identifies PowerShell, MSHTA, WScript, or CScript processes invoking credential prompt APIs including Get-Credential, PromptForCredential, WinForms ShowDialog, and VBScript InputBox. Adversaries use these to harvest credentials through spoofed OS dialogs."
    technique = "T1056.002"
    tactic = "Collection, Credential Access"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1056/002/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.full_path = /(?i)(powershell\.exe|pwsh\.exe|mshta\.exe|wscript\.exe|cscript\.exe)$/
    (
      $e.target.process.command_line = /(?i)(get-credential|promptforcredential|credphish|credential.prompt)/ or
      $e.target.process.command_line = /(?i)(system\.windows\.forms|showdialog|winforms|loadwithpartialname)/ or
      $e.target.process.command_line = /(?i)(inputbox|microsoft\.visualbasic|visualbasic\.interaction)/ or
      $e.target.process.command_line = /(?i)(osascript|dialogbox)/
    )

  condition:
    $e
}

rule t1056_002_gui_input_capture_suspicious_parent {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects GUI input capture (T1056.002) where credential prompt scripts are launched from high-risk parent processes such as Office applications or browsers, indicating potential drive-by or phishing delivery."
    technique = "T1056.002"
    tactic = "Collection, Credential Access"
    severity = "CRITICAL"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1056/002/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.file.full_path = /(?i)(powershell\.exe|pwsh\.exe|mshta\.exe|wscript\.exe|cscript\.exe)$/
    (
      $e.target.process.command_line = /(?i)(get-credential|promptforcredential|credphish)/ or
      $e.target.process.command_line = /(?i)(system\.windows\.forms|showdialog|loadwithpartialname)/ or
      $e.target.process.command_line = /(?i)(inputbox|microsoft\.visualbasic|visualbasic\.interaction)/
    )
    $e.principal.process.file.full_path = /(?i)(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|mshta\.exe|wscript\.exe|cscript\.exe|rundll32\.exe|regsvr32\.exe|chrome\.exe|firefox\.exe|msedge\.exe)$/

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM Windows Endpoint telemetry via Chronicle forwarder Sysmon logs ingested to Chronicle

Required Tables

UDM Events (PROCESS_LAUNCH)

False Positives

IT automation tools using PowerShell Get-Credential as part of scripted deployment frameworks where the parent chain may include Office macros for admin workflows
Legitimate third-party IT management software that uses WinForms dialogs for license validation or first-run configuration and is launched via browser or document link
Internal developer tools that invoke VBScript InputBox functions for interactive script configuration, especially when run from development environments

CrowdStrike LogScale (CQL)

cql

// GUI Input Capture — Credential Dialog Detection (T1056.002)
// Primary: credential prompt API invocations
#event_simpleName = "ProcessRollup2"
| ImageFileName = /(?i)(\\powershell\.exe|\\pwsh\.exe|\\mshta\.exe|\\wscript\.exe|\\cscript\.exe)$/
| CommandLine = /(?i)(get-credential|promptforcredential|credphish|credential.prompt|system\.windows\.forms|showdialog|loadwithpartialname|inputbox|microsoft\.visualbasic|visualbasic\.interaction|osascript|dialogbox)/i
| eval GetCredential = if(CommandLine = /(?i)(get-credential|promptforcredential|credphish)/, "1", "0")
| eval WinFormsDialog = if(CommandLine = /(?i)(system\.windows\.forms|showdialog|loadwithpartialname)/, "1", "0")
| eval VBInputBox = if(CommandLine = /(?i)(inputbox|microsoft\.visualbasic|visualbasic\.interaction)/, "1", "0")
| eval HiddenExecution = if(CommandLine = /(?i)(-windowstyle\s+hidden|-w\s+hidden|-noninteractive)/, "1", "0")
| eval SuspiciousParent = if(ParentBaseFileName = /(?i)(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|mshta\.exe|wscript\.exe|cscript\.exe|rundll32\.exe|regsvr32\.exe|chrome\.exe|firefox\.exe|msedge\.exe)/, "1", "0")
| eval CredPhishScore = toint(GetCredential) + toint(WinFormsDialog) + toint(VBInputBox) + toint(HiddenExecution) + toint(SuspiciousParent)
| eval PromptType = case(
    GetCredential = "1", "Get-Credential / PromptForCredential",
    WinFormsDialog = "1", "WinForms ShowDialog",
    VBInputBox = "1", "VBScript InputBox",
    true(), "Generic Credential Prompt"
  )
| where CredPhishScore > 0
| fields timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, PromptType, GetCredential, WinFormsDialog, VBInputBox, HiddenExecution, SuspiciousParent, CredPhishScore
| sort(field=CredPhishScore, order=desc)
| sort(field=timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Insight XDR Falcon sensor process telemetry (ProcessRollup2)

Required Tables

ProcessRollup2

False Positives

CrowdStrike-managed endpoints running PowerShell-based endpoint deployment scripts that use Get-Credential to collect service account credentials during enterprise software provisioning
Internal ITSM or helpdesk automation tools that invoke PowerShell WinForms dialogs for credential collection as part of approved password reset workflows
Software testing frameworks (e.g., Pester, Selenium wrappers) that invoke credential dialog functions in CI/CD pipelines on developer workstations managed by Falcon

Last updated: 2026-04-16 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1056.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

GUI Input Capture

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Collection

Popular Detections