Detects suspicious use of PowerShell, .NET, or script interpreters to spawn processes that mimic UAC prompts, often with credential-capture dialog boxes invoked from non-standard parent processes.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Command Execution (DC0064) | WinEventLog:PowerShell | EventCode=4104 |

| Field | Description |
|---|---|
| CommandLine | Tunable to detect suspicious prompt strings such as 'Enter your password' or 'CredentialRequired' |
| ParentProcessName | Tune to flag UI prompts spawned from unexpected parents such as cmd.exe or user scripts |
| TimeWindow | Scope the correlation between script execution and prompt appearance |
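As an added example (not part of this page), the Windows analytic above expressed as detection logic over constructed Sysmon EventCode=1 and PowerShell EventCode=4104 records: it applies the CommandLine and ParentProcessName tunables and correlates a prompt-building script block with a prompt-like process creation inside the TimeWindow. The parent-process set and the `Get-Credential` / `PromptForCredential` tokens are assumptions beyond the strings the page names.

```python
import re
from datetime import datetime, timedelta

# Prompt strings the analytic above suggests tuning on, plus the PowerShell/.NET
# credential-prompt API names (an assumption added for this example).
PROMPT_TOKENS = re.compile(
    r"enter your password|credentialrequired|get-credential|promptforcredential", re.I)
# Parents the analytic calls unexpected for a credential UI; the exact set is an assumption.
SUSPICIOUS_PARENTS = {"cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_suspicious_prompt_process(ev):
    """Sysmon EventCode=1: prompt-like CommandLine spawned from an unexpected parent."""
    return (ev["EventCode"] == 1 and bool(PROMPT_TOKENS.search(ev["CommandLine"]))
            and _basename(ev["ParentImage"]) in SUSPICIOUS_PARENTS)

def is_prompt_script_block(ev):
    """PowerShell EventCode=4104: script block text that builds a credential dialog."""
    return ev["EventCode"] == 4104 and bool(PROMPT_TOKENS.search(ev["ScriptBlockText"]))

def correlate(events, window=timedelta(seconds=30)):
    """Pair each prompt-building script block with prompt-like process creations on the
    same host within `window` after it (the TimeWindow tunable)."""
    scripts = [e for e in events if is_prompt_script_block(e)]
    procs = [e for e in events
             if e["EventCode"] == 1 and PROMPT_TOKENS.search(e["CommandLine"])]
    return [(s, p) for s in scripts for p in procs
            if p["Computer"] == s["Computer"]
            and timedelta(0) <= p["UtcTime"] - s["UtcTime"] <= window]

# Constructed sample records (not real telemetry), trimmed to the fields used here.
T0 = datetime(2024, 1, 1, 12, 0, 0)
EVENTS = [
    {"EventCode": 4104, "Computer": "WS01", "UtcTime": T0, "ScriptBlockText":
     "$c = $Host.UI.PromptForCredential('Windows Security','Enter your password',$env:USERNAME,'')"},
    {"EventCode": 1, "Computer": "WS01", "UtcTime": T0 + timedelta(seconds=4),
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine":
     "powershell.exe -w hidden -c \"$Host.UI.PromptForCredential('Windows Security','Enter your password',$env:USERNAME,'')\""},
    {"EventCode": 1, "Computer": "WS01", "UtcTime": T0 + timedelta(minutes=10),
     "ParentImage": r"C:\Windows\explorer.exe",  # interactive user, outside the window
     "CommandLine": "powershell.exe -Command Get-Credential"},
    {"EventCode": 4104, "Computer": "WS01", "UtcTime": T0 + timedelta(seconds=1),
     "ScriptBlockText": "Get-Process | Sort-Object CPU"},
]

if __name__ == "__main__":
    for s, p in correlate(EVENTS):
        print(p["Computer"], "prompt via", _basename(p["ParentImage"]), "after script block")
```

The explorer.exe-launched `Get-Credential` is kept as a benign control: it matches the prompt tokens but neither the parent filter nor the time window, so it is not raised.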
Detects GUI-based credential prompts invoked via zenity/kdialog/dialog or X11 APIs from non-user-facing scripts or background shell sessions, often with authentication-related text.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| Command Execution (DC0064) | linux:cli | Terminal Command History |

| Field | Description |
|---|---|
| ExecutableName | Filter zenity/kdialog prompts launched from unexpected parent shells |
| PromptString | Look for 'password', 'authentication required', or similar tokens |
Detects AppleScript or Objective-C usage to generate fake authentication windows (e.g., using display dialog or NSAlert) from user-launched or persistence-related processes.

| Data Component | Name | Channel |
|---|---|---|
| Script Execution (DC0029) | macos:unifiedlog | subsystem=com.apple.Security or com.apple.applescript |
| Process Creation (DC0032) | macos:osquery | process_events |

| Field | Description |
|---|---|
| ScriptContent | AppleScript snippets like 'display dialog' or 'with hidden answer' |
| ProcessPath | Tune out Apple-signed and expected automation tasks |