Which SIEM platforms have a T1056.002 detection rule?

df00tech provides T1056.002 (GUI Input Capture) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect GUI Input Capture (T1056.002)?

Detecting GUI Input Capture requires the following data sources: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint.

What severity and confidence is the T1056.002 detection?

The T1056.002 detection is rated high severity with medium confidence.

What are common false positives for T1056.002?

Common false positives for T1056.002 include: IT helpdesk scripts using Get-Credential to prompt administrators for credentials during legitimate remote management tasks; Software installers that use PowerShell PromptForCredential to request elevated permissions before performing system changes; Internal developer tools or automation platforms that use Windows Forms dialogs to collect configuration input from operators.

T1056.002 Sumo Logic CSE · Sumo

Detect GUI Input Capture in Sumo Logic CSE

Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. This includes spoofing Windows UAC dialogs, macOS authentication prompts, or application-specific login windows using scripting languages such as PowerShell, AppleScript, or shell scripts. Threat actors leverage this technique to harvest credentials without exploiting technical vulnerabilities, instead relying on user trust in familiar UI elements. Real-world examples include Proton, Calisto, Keydnap, FIN4, and RedCurl using fake dialogs to steal credentials.

MITRE ATT&CK

Tactic: Collection Credential Access
Technique: T1056 Input Capture
Sub-technique: T1056.002 GUI Input Capture
Canonical reference: https://attack.mitre.org/techniques/T1056/002/

Sumo Detection Query

Sumo Logic CSE (Sumo)

sql

(_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security")
| where EventID = "1" OR EventID = "4688"
| where (process_name matches /(?i)(powershell\.exe|pwsh\.exe|mshta\.exe|wscript\.exe|cscript\.exe)/)
| where (
    command_line matches /(?i)(get-credential|promptforcredential|credphish|credential.prompt)/ OR
    command_line matches /(?i)(system\.windows\.forms|showdialog|winforms|loadwithpartialname)/ OR
    command_line matches /(?i)(inputbox|microsoft\.visualbasic|visualbasic\.interaction)/ OR
    command_line matches /(?i)(osascript|dialogbox)/
  )
| eval get_credential = if(command_line matches /(?i)(get-credential|promptforcredential|credphish)/, 1, 0)
| eval winforms_dialog = if(command_line matches /(?i)(system\.windows\.forms|showdialog|loadwithpartialname)/, 1, 0)
| eval vb_inputbox = if(command_line matches /(?i)(inputbox|microsoft\.visualbasic|visualbasic\.interaction)/, 1, 0)
| eval hidden_execution = if(command_line matches /(?i)(-windowstyle\s+hidden|-w\s+hidden|-noninteractive)/, 1, 0)
| eval suspicious_parent = if(parent_process matches /(?i)(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|mshta\.exe|wscript\.exe|cscript\.exe|rundll32\.exe|regsvr32\.exe|chrome\.exe|firefox\.exe|msedge\.exe)/, 1, 0)
| eval credphish_score = get_credential + winforms_dialog + vb_inputbox + hidden_execution + suspicious_parent
| where credphish_score > 0
| eval prompt_type = if(get_credential = 1, "Get-Credential/PromptForCredential",
    if(winforms_dialog = 1, "WinForms ShowDialog",
    if(vb_inputbox = 1, "VBScript InputBox", "Generic Credential Prompt")))
| fields _messagetime, host, user, process_name, command_line, parent_process, prompt_type, get_credential, winforms_dialog, vb_inputbox, hidden_execution, suspicious_parent, credphish_score
| sort by credphish_score desc, _messagetime desc

high severity high confidence

Sumo Logic query detecting GUI input capture (T1056.002) by identifying scripting processes invoking credential prompt APIs. Scores each event across five behavioral indicators — Get-Credential/PromptForCredential use, WinForms dialog invocations, VBScript InputBox calls, hidden execution flags, and suspicious parent processes — and surfaces the highest-risk events first.

Data Sources

Sysmon for Windows (EventID 1)Windows Security Event Log (EventID 4688)Sumo Logic Cloud SIEM Windows source

Required Tables

windows/sysmonwindows/security

False Positives & Tuning

PowerShell-based onboarding or HR systems that display Get-Credential prompts to collect initial Active Directory credentials for new employee accounts
Security awareness training platforms that simulate phishing scenarios using WinForms dialogs as part of controlled exercises
Monitoring and observability agents that use WinForms or PowerShell dialogs for interactive configuration during initial setup on managed endpoints

Download portable Sigma rule (.yml)

Other platforms for T1056.002

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1PowerShell Get-Credential Fake Authentication Prompt
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-Credential' and 'Out-File'. Sysmon Event ID 11: File Create for $env:TEMP\cred_capture_test.txt. PowerShell Script Block Log Event ID 4104 with the full credential capture code including the spoofed message text.
Test 2PowerShell Windows Forms Dialog Credential Phishing
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'System.Windows.Forms', 'ShowDialog', '-WindowStyle Hidden', and 'PasswordChar'. PowerShell Script Block Log Event ID 4104 with the full WinForms credential dialog construction code. No file write occurs in this test unless modified.
Test 3VBScript InputBox Credential Prompt via MSHTA
Expected signal: Sysmon Event ID 1: Process Create with Image=mshta.exe, CommandLine containing 'vbscript', 'InputBox', and 'password'. Sysmon Event ID 11: File Create for %TEMP%\vbs_cred_test.txt if the user enters text. Security Event ID 4688 (if command line auditing enabled) with mshta.exe and the vbscript URL scheme.
Test 4PowerShell PromptForCredential via Host UI (Simulated UAC Spoof)
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing '$host.ui.PromptForCredential' and 'administrator credentials'. PowerShell Script Block Log Event ID 4104 captures the full command including the spoofed message text that mimics a UAC prompt. No network connection in this test.

Last updated: 2026-04-16 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1056.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Detect GUI Input Capture in Sumo Logic CSE

MITRE ATT&CK

Sumo Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1056.002

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Collection

Popular Detections

MITRE ATT&CK

Sumo Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1056.002

Testing Methodology

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Collection

Popular Detections

Get new detections in your inbox