T1056.002 IBM QRadar · QRadar

Detect GUI Input Capture in IBM QRadar

Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. This includes spoofing Windows UAC dialogs, macOS authentication prompts, or application-specific login windows using scripting languages such as PowerShell, AppleScript, or shell scripts. Threat actors leverage this technique to harvest credentials without exploiting technical vulnerabilities, instead relying on user trust in familiar UI elements. Real-world examples include Proton, Calisto, Keydnap, FIN4, and RedCurl using fake dialogs to steal credentials.

MITRE ATT&CK

Tactic: Collection, Credential Access
Technique: T1056 Input Capture
Sub-technique: T1056.002 GUI Input Capture
Canonical reference: https://attack.mitre.org/techniques/T1056/002/

QRadar Detection Query

IBM QRadar (QRadar)

```sql
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "username",
  "sourceip",
  "hostname",
  LOWER("Process Name") AS process_name,
  LOWER("Command") AS command_line,
  LOWER("Parent Process") AS parent_process,
  CASE
    WHEN LOWER("Command") ILIKE '%get-credential%' OR LOWER("Command") ILIKE '%promptforcredential%' OR LOWER("Command") ILIKE '%credphish%' THEN 'Get-Credential/PromptForCredential'
    WHEN LOWER("Command") ILIKE '%system.windows.forms%' OR LOWER("Command") ILIKE '%showdialog%' OR LOWER("Command") ILIKE '%loadwithpartialname%' THEN 'WinForms Dialog'
    WHEN LOWER("Command") ILIKE '%inputbox%' OR LOWER("Command") ILIKE '%microsoft.visualbasic%' OR LOWER("Command") ILIKE '%visualbasic.interaction%' THEN 'VBScript InputBox'
    ELSE 'Generic Credential Prompt'
  END AS prompt_type,
  CASE
    WHEN LOWER("Command") ILIKE '%-windowstyle hidden%' OR LOWER("Command") ILIKE '%-w hidden%' OR LOWER("Command") ILIKE '%-noninteractive%' THEN 1
    ELSE 0
  END AS hidden_execution,
  CASE
    WHEN LOWER("Parent Process") ILIKE '%winword.exe%' OR LOWER("Parent Process") ILIKE '%excel.exe%'
      OR LOWER("Parent Process") ILIKE '%powerpnt.exe%' OR LOWER("Parent Process") ILIKE '%outlook.exe%'
      OR LOWER("Parent Process") ILIKE '%mshta.exe%' OR LOWER("Parent Process") ILIKE '%wscript.exe%'
      OR LOWER("Parent Process") ILIKE '%cscript.exe%' OR LOWER("Parent Process") ILIKE '%rundll32.exe%'
      OR LOWER("Parent Process") ILIKE '%regsvr32.exe%' OR LOWER("Parent Process") ILIKE '%chrome.exe%'
      OR LOWER("Parent Process") ILIKE '%firefox.exe%' OR LOWER("Parent Process") ILIKE '%msedge.exe%' THEN 1
    ELSE 0
  END AS suspicious_parent
FROM events
WHERE LOGSOURCETYPEID IN (13 /* Sysmon */, 12 /* Microsoft Windows Security Event Log */)
  AND qid = (SELECT qid FROM qidmap WHERE qidname = 'Process Create' LIMIT 1)
  AND (
    LOWER("Process Name") ILIKE '%powershell.exe%'
    OR LOWER("Process Name") ILIKE '%pwsh.exe%'
    OR LOWER("Process Name") ILIKE '%mshta.exe%'
    OR LOWER("Process Name") ILIKE '%wscript.exe%'
    OR LOWER("Process Name") ILIKE '%cscript.exe%'
  )
  AND (
    LOWER("Command") ILIKE '%get-credential%'
    OR LOWER("Command") ILIKE '%promptforcredential%'
    OR LOWER("Command") ILIKE '%credphish%'
    OR LOWER("Command") ILIKE '%system.windows.forms%'
    OR LOWER("Command") ILIKE '%showdialog%'
    OR LOWER("Command") ILIKE '%loadwithpartialname%'
    OR LOWER("Command") ILIKE '%inputbox%'
    OR LOWER("Command") ILIKE '%microsoft.visualbasic%'
    OR LOWER("Command") ILIKE '%visualbasic.interaction%'
    OR LOWER("Command") ILIKE '%osascript%'
    OR LOWER("Command") ILIKE '%dialogbox%'
  )
  AND starttime > (CURRENT_TIMESTAMP - 86400000)
ORDER BY starttime DESC
```

Severity: high. Confidence: high.

QRadar AQL query detecting GUI input capture (T1056.002) by identifying PowerShell, MSHTA, WScript, and CScript command lines that contain credential-prompt API calls (Get-Credential, PromptForCredential, WinForms ShowDialog, VBScript InputBox). Each match is labelled with a prompt type and flagged for hidden execution switches and for launch from a suspicious parent process (Office applications, script hosts, browsers). Covers both Sysmon and Windows Security Event Log sources.
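To check the WHERE filter and the three CASE columns before deploying the AQL, here is an added Python replay of the same string-matching logic over constructed Sysmon-style process-creation records (example code, not part of the original rule; the field names follow the custom properties used in the query, and the sample events are made up, including the scheduled maintenance case from the tuning notes):

```python
# Added example; field names follow the AQL's custom properties; events are constructed.
IMAGES = ("powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe")
PROMPT_TYPES = [  # same order as the AQL CASE: first match wins
    ("Get-Credential/PromptForCredential", ("get-credential", "promptforcredential", "credphish")),
    ("WinForms Dialog", ("system.windows.forms", "showdialog", "loadwithpartialname")),
    ("VBScript InputBox", ("inputbox", "microsoft.visualbasic", "visualbasic.interaction")),
]
GENERIC = ("osascript", "dialogbox")  # pass the WHERE clause but fall to the CASE's ELSE branch
HIDDEN = ("-windowstyle hidden", "-w hidden", "-noninteractive")
SUSPICIOUS_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "mshta.exe",
                      "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe",
                      "chrome.exe", "firefox.exe", "msedge.exe")

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"hostname": "WS01", "username": "jdoe",
     "Process Name": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Command": "powershell.exe -WindowStyle Hidden -c \"Get-Credential -Message 'Session expired' | Out-File $env:TEMP\\c.txt\"",
     "Parent Process": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"hostname": "SRV02", "username": "svc_deploy",  # scheduled maintenance script (tuning case)
     "Process Name": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Command": r"powershell.exe -File C:\Scripts\rotate.ps1 -Credential (Get-Credential)",
     "Parent Process": r"C:\Windows\System32\svchost.exe"},
    {"hostname": "WS03", "username": "asmith", "Process Name": r"C:\Windows\System32\mshta.exe",
     "Command": 'mshta.exe vbscript:InputBox("Enter your password to continue")',
     "Parent Process": r"C:\Windows\explorer.exe"},
    {"hostname": "WS04", "username": "bjones", "Process Name": r"C:\Windows\System32\notepad.exe",
     "Command": "notepad.exe showdialog.txt", "Parent Process": r"C:\Windows\explorer.exe"},
]

def classify(event):
    """Return the rule's derived columns for one event, or None if the WHERE clause drops it."""
    image, cmd = event["Process Name"].lower(), event["Command"].lower()
    parent = event["Parent Process"].lower()
    if not any(i in image for i in IMAGES):
        return None  # not one of the five scripting hosts the rule watches
    prompt_type = next((name for name, needles in PROMPT_TYPES
                        if any(n in cmd for n in needles)), None)
    if prompt_type is None:
        if not any(n in cmd for n in GENERIC):
            return None  # no credential-prompt indicator in the command line
        prompt_type = "Generic Credential Prompt"
    return {"hostname": event["hostname"], "username": event["username"],
            "prompt_type": prompt_type,
            "hidden_execution": int(any(h in cmd for h in HIDDEN)),
            "suspicious_parent": int(any(p in parent for p in SUSPICIOUS_PARENTS))}

def run_detection(events):
    """Apply the filter to every event and return the rows the AQL would emit."""
    return [row for row in map(classify, events) if row is not None]
```

The SRV02 row shows why the two flag columns matter for triage: it matches the keyword filter like the WS01 row, but with hidden_execution and suspicious_parent both 0 it is the maintenance-script pattern the tuning section describes.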

Data Sources

Microsoft Windows Sysmon (LOGSOURCETYPEID 13)
Microsoft Windows Security Event Log (LOGSOURCETYPEID 12)

Required Tables

events

False Positives & Tuning

  • Automated IT provisioning scripts using Get-Credential or PromptForCredential to collect service account credentials during scheduled maintenance windows
  • Internal ITSM tooling that launches PowerShell dialogs for multi-factor prompts or helpdesk credential reset workflows
  • Enterprise software installers using WinForms-based setup wizards that collect license or user credentials during deployment

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: PowerShell Get-Credential Fake Authentication Prompt

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-Credential' and 'Out-File'. Sysmon Event ID 11: File Create for $env:TEMP\cred_capture_test.txt. PowerShell Script Block Log Event ID 4104 with the full credential capture code including the spoofed message text.

  2. Test 2: PowerShell Windows Forms Dialog Credential Phishing

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'System.Windows.Forms', 'ShowDialog', '-WindowStyle Hidden', and 'PasswordChar'. PowerShell Script Block Log Event ID 4104 with the full WinForms credential dialog construction code. No file write occurs in this test unless modified.

  3. Test 3: VBScript InputBox Credential Prompt via MSHTA

    Expected signal: Sysmon Event ID 1: Process Create with Image=mshta.exe, CommandLine containing 'vbscript', 'InputBox', and 'password'. Sysmon Event ID 11: File Create for %TEMP%\vbs_cred_test.txt if the user enters text. Security Event ID 4688 (if command line auditing enabled) with mshta.exe and the vbscript URL scheme.

  4. Test 4: PowerShell PromptForCredential via Host UI (Simulated UAC Spoof)

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing '$host.ui.PromptForCredential' and 'administrator credentials'. PowerShell Script Block Log Event ID 4104 captures the full command including the spoofed message text that mimics a UAC prompt. No network connection in this test.
