Detect GUI Input Capture in Google Chronicle
Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. This includes spoofing Windows UAC dialogs, macOS authentication prompts, or application-specific login windows using scripting languages such as PowerShell, AppleScript, or shell scripts. Threat actors leverage this technique to harvest credentials without exploiting technical vulnerabilities, instead relying on user trust in familiar UI elements. Real-world examples include Proton, Calisto, Keydnap, FIN4, and RedCurl using fake dialogs to steal credentials.
MITRE ATT&CK
- Tactic: Collection, Credential Access
- Technique: T1056 Input Capture
- Sub-technique: T1056.002 GUI Input Capture
- Canonical reference: https://attack.mitre.org/techniques/T1056/002/
YARA-L Detection Query
rule t1056_002_gui_input_capture_cred_dialog {
meta:
author = "Argus Detection Engineering"
description = "Detects GUI input capture via fake credential dialogs (T1056.002). Identifies PowerShell, MSHTA, WScript, or CScript processes invoking credential prompt APIs including Get-Credential, PromptForCredential, WinForms ShowDialog, and VBScript InputBox. Adversaries use these to harvest credentials through spoofed OS dialogs."
technique = "T1056.002"
tactic = "Collection, Credential Access"
severity = "HIGH"
confidence = "HIGH"
reference = "https://attack.mitre.org/techniques/T1056/002/"
events:
$e.metadata.event_type = "PROCESS_LAUNCH"
// In UDM PROCESS_LAUNCH events target.process is the launched process and
// principal.process is its parent, so the script host is matched on target,
// the same process whose command line is inspected below.
$e.target.process.file.full_path = /(?i)(powershell\.exe|pwsh\.exe|mshta\.exe|wscript\.exe|cscript\.exe)$/
(
$e.target.process.command_line = /(?i)(get-credential|promptforcredential|credphish|credential.prompt)/ or
$e.target.process.command_line = /(?i)(system\.windows\.forms|showdialog|winforms|loadwithpartialname)/ or
$e.target.process.command_line = /(?i)(inputbox|microsoft\.visualbasic|visualbasic\.interaction)/ or
$e.target.process.command_line = /(?i)(osascript|dialogbox)/
)
condition:
$e
}
rule t1056_002_gui_input_capture_suspicious_parent {
meta:
author = "Argus Detection Engineering"
description = "Detects GUI input capture (T1056.002) where credential prompt scripts are launched from high-risk parent processes such as Office applications or browsers, indicating potential drive-by or phishing delivery."
technique = "T1056.002"
tactic = "Collection, Credential Access"
severity = "CRITICAL"
confidence = "HIGH"
reference = "https://attack.mitre.org/techniques/T1056/002/"
events:
$e.metadata.event_type = "PROCESS_LAUNCH"
// Launched script host (child process).
$e.target.process.file.full_path = /(?i)(powershell\.exe|pwsh\.exe|mshta\.exe|wscript\.exe|cscript\.exe)$/
(
$e.target.process.command_line = /(?i)(get-credential|promptforcredential|credphish)/ or
$e.target.process.command_line = /(?i)(system\.windows\.forms|showdialog|loadwithpartialname)/ or
$e.target.process.command_line = /(?i)(inputbox|microsoft\.visualbasic|visualbasic\.interaction)/
)
// High-risk parent process (Office, browsers, and common LOLBin script hosts).
$e.principal.process.file.full_path = /(?i)(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|mshta\.exe|wscript\.exe|cscript\.exe|rundll32\.exe|regsvr32\.exe|chrome\.exe|firefox\.exe|msedge\.exe)$/
condition:
$e
}

These are two Chronicle YARA-L 2.0 rules detecting GUI input capture (T1056.002). The first rule identifies scripting processes using credential prompt APIs regardless of parent. The second elevates severity when such scripts are launched from Office applications or browsers, indicating likely phishing delivery. Both rules use UDM PROCESS_LAUNCH events with regex matching on command-line arguments.
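To see which launches the two rules would and would not alert on before deploying them, here is an added Python model (not part of the original page or of any Chronicle tooling) that applies the same regexes to constructed UDM-style PROCESS_LAUNCH records. The flat keys principal_path, target_path and target_cmdline are assumed stand-ins for the UDM fields, and the launched script host is matched on target.process in both rules.

```python
import re

# Constructed UDM-style PROCESS_LAUNCH records (not real Chronicle telemetry).
# In UDM, principal.process is the parent and target.process is the launched child.
SAMPLE_EVENTS = [
    {"event_type": "PROCESS_LAUNCH", "principal_path": r"C:\Windows\explorer.exe",
     "target_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target_cmdline": "powershell.exe -NoProfile -Command \"$c = Get-Credential -Message 'Session expired'\""},
    {"event_type": "PROCESS_LAUNCH", "principal_path": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target_path": r"C:\Windows\System32\mshta.exe",
     "target_cmdline": 'mshta.exe vbscript:InputBox("Enter your password")'},
    {"event_type": "PROCESS_LAUNCH", "principal_path": r"C:\Windows\explorer.exe",
     "target_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target_cmdline": r"powershell.exe -File C:\scripts\nightly-backup.ps1"},
    {"event_type": "PROCESS_LAUNCH", "principal_path": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target_path": r"C:\Windows\System32\wscript.exe",
     "target_cmdline": r"wscript.exe C:\Users\u\Downloads\update.vbs"},
]
# Same RE2-compatible patterns as the two YARA-L rules (Python re accepts the (?i) prefix).
SCRIPT_HOSTS = re.compile(r"(?i)(powershell\.exe|pwsh\.exe|mshta\.exe|wscript\.exe|cscript\.exe)$")
RISKY_PARENTS = re.compile(r"(?i)(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|mshta\.exe|wscript\.exe"
                           r"|cscript\.exe|rundll32\.exe|regsvr32\.exe|chrome\.exe|firefox\.exe|msedge\.exe)$")
CRED_DIALOG = [  # first rule: broad pattern set, any parent
    re.compile(r"(?i)(get-credential|promptforcredential|credphish|credential.prompt)"),
    re.compile(r"(?i)(system\.windows\.forms|showdialog|winforms|loadwithpartialname)"),
    re.compile(r"(?i)(inputbox|microsoft\.visualbasic|visualbasic\.interaction)"),
    re.compile(r"(?i)(osascript|dialogbox)"),
]
CRED_DIALOG_STRICT = [  # second rule: narrower set, and a high-risk parent is required
    re.compile(r"(?i)(get-credential|promptforcredential|credphish)"),
    re.compile(r"(?i)(system\.windows\.forms|showdialog|loadwithpartialname)"),
    re.compile(r"(?i)(inputbox|microsoft\.visualbasic|visualbasic\.interaction)"),
]

def evaluate(event):
    """Return the (rule name, severity) pairs that would fire for one event."""
    hits = []
    if event.get("event_type") != "PROCESS_LAUNCH" or not SCRIPT_HOSTS.search(event["target_path"]):
        return hits
    cmd = event["target_cmdline"]
    if any(p.search(cmd) for p in CRED_DIALOG):
        hits.append(("t1056_002_gui_input_capture_cred_dialog", "HIGH"))
    if any(p.search(cmd) for p in CRED_DIALOG_STRICT) and RISKY_PARENTS.search(event["principal_path"]):
        hits.append(("t1056_002_gui_input_capture_suspicious_parent", "CRITICAL"))
    return hits

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(evaluate(ev) or "no alert", "<-", ev["target_cmdline"])
```

The fourth record shows that a risky parent alone (wscript.exe from chrome.exe) does not fire either rule; a credential-prompt API in the command line is always required.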
False Positives & Tuning
- IT automation tools using PowerShell Get-Credential as part of scripted deployment frameworks where the parent chain may include Office macros for admin workflows
- Legitimate third-party IT management software that uses WinForms dialogs for license validation or first-run configuration and is launched via browser or document link
- Internal developer tools that invoke VBScript InputBox functions for interactive script configuration, especially when run from development environments
Testing Methodology
Validate this detection against the 4 Atomic Red Team tests for this sub-technique. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: PowerShell Get-Credential Fake Authentication Prompt
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-Credential' and 'Out-File'. Sysmon Event ID 11: File Create for $env:TEMP\cred_capture_test.txt. PowerShell Script Block Log Event ID 4104 with the full credential capture code including the spoofed message text.
- Test 2: PowerShell Windows Forms Dialog Credential Phishing
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'System.Windows.Forms', 'ShowDialog', '-WindowStyle Hidden', and 'PasswordChar'. PowerShell Script Block Log Event ID 4104 with the full WinForms credential dialog construction code. No file write occurs in this test unless modified.
- Test 3: VBScript InputBox Credential Prompt via MSHTA
Expected signal: Sysmon Event ID 1: Process Create with Image=mshta.exe, CommandLine containing 'vbscript', 'InputBox', and 'password'. Sysmon Event ID 11: File Create for %TEMP%\vbs_cred_test.txt if the user enters text. Security Event ID 4688 (if command line auditing is enabled) with mshta.exe and the vbscript URL scheme.
- Test 4: PowerShell PromptForCredential via Host UI (Simulated UAC Spoof)
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing '$host.ui.PromptForCredential' and 'administrator credentials'. PowerShell Script Block Log Event ID 4104 captures the full command including the spoofed message text that mimics a UAC prompt. No network connection in this test.
References (12)
- https://attack.mitre.org/techniques/T1056/002/
- https://embracethered.com/blog/posts/2021/spoofing-credential-dialogs/
- https://enigma0x3.net/2015/01/21/phishing-for-credentials-if-you-want-it-just-ask/
- https://logrhythm.com/blog/do-you-trust-your-computer/
- https://github.com/byt3bl33d3r/SILENTTRINITY/blob/master/silenttrinity/modules/src/credphisher.py
- https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/
- https://baesystemsai.blogspot.com/2015/06/new-mac-os-malware-exploits-mackeeper.html
- https://www.fireeye.com/blog/threat-research/2014/11/fin4-stealing-insider-information.html
- https://www.symantec.com/blogs/threat-intelligence/calisto-mac-malware
- https://www.trendmicro.com/en_us/research/20/h/xcsset-mac-malware--infects-xcode-projects--uses-0-days.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-credential