Input Prompt

When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task. Adversaries can mimic this functionality to prompt users for credentials with a normal-looking prompt. This type of prompt can be accomplished with AppleScript:

set thePassword to the text returned of (display dialog "AdobeUpdater needs permission to check for updates. Please authenticate." default answer "") [1]

Adversaries can prompt a user for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite. [2]

ID: T1141

Tactic: Credential Access

Platform:  macOS

Permissions Required:  User

Data Sources:  User interface, Process monitoring

Version: 1.0



Calisto presents an input prompt asking for the user's login and password.[3]


Dok prompts the user for credentials.[4]


iKitten prompts the user for their credentials.[4]


Keydnap prompts the users for credentials.[5]


Proton prompts users for their credentials.[4]


Users need to be trained to know which programs ask for permission and why. Follow mitigation recommendations for AppleScript.


This technique exploits users' tendencies to always supply credentials when prompted, which makes it very difficult to detect. Monitor process execution for unusual programs as well as AppleScript that could be used to prompt users for credentials.