Input Prompt

When a program that needs more privileges than the current user context provides is executed, the operating system commonly prompts the user for credentials to authorize the elevated privileges for the task. Adversaries can mimic this functionality to prompt users for credentials with a normal-looking prompt. This type of prompt can be accomplished with AppleScript:

set thePassword to the text returned of (display dialog "AdobeUpdater needs permission to check for updates. Please authenticate." default answer "") [1]

Adversaries can prompt a user for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite. [2]

ID: T1141

Tactic: Credential Access

Platform: macOS

Permissions Required: User

Data Sources: User interface, Process monitoring

Version: 1.0

Examples

| Name | Description |
|------|-------------|
| Calisto | Calisto presents an input prompt asking for the user's login and password.[3] |
| Dok | Dok prompts the user for credentials.[4] |
| iKitten | iKitten prompts the user for their credentials.[4] |
| Keydnap | Keydnap prompts the users for credentials.[5] |
| Proton | Proton prompts users for their credentials.[4] |

Mitigation

Users need to be trained to know which programs ask for permission and why. Follow mitigation recommendations for AppleScript.

Detection

This technique exploits users' tendencies to always supply credentials when prompted, which makes it very difficult to detect. Monitor process execution for unusual programs as well as AppleScript that could be used to prompt users for credentials.
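
The process-monitoring advice above can be sketched as a small scoring rule. This is an added example, not ATT&CK's own code; the event fields (pid, parent, cmdline), the sample events and the scoring weights are constructed assumptions.

```python
import re

# Constructed process-execution events (not from a real host). The field
# names "pid", "parent" and "cmdline" are assumptions of this example.
SAMPLE_EVENTS = [
    {"pid": 4121, "parent": "/bin/zsh",
     "cmdline": "osascript -e 'display notification \"Backup finished\"'"},
    {"pid": 4207, "parent": "/private/tmp/AdobeUpdater",
     "cmdline": "/usr/bin/osascript -e 'set thePassword to the text returned"
                " of (display dialog \"AdobeUpdater needs permission to check"
                " for updates. Please authenticate.\" default answer \"\")'"},
    {"pid": 4250, "parent": "/bin/zsh",
     "cmdline": "osascript -e 'display dialog \"Build done\" buttons {\"OK\"}'"},
    {"pid": 4288, "parent": "/bin/zsh",
     "cmdline": "osascript -e 'display dialog \"Name for the new folder:\""
                " default answer \"Untitled\"'"},
    {"pid": 4302, "parent": "/Users/alice/Downloads/Cleaner.app/Contents/MacOS/Cleaner",
     "cmdline": "osascript -e 'display dialog \"Enter your password to"
                " continue\" default answer \"\"'"},
]

# A dialog that collects typed input: "display dialog ... default answer".
INPUT_DIALOG = re.compile(r"display\s+dialog\b.*\bdefault\s+answer\b", re.I | re.S)
CRED_WORDS = re.compile(r"passw(or)?d|authenticat|credential|log\s?in", re.I)
# Parents running from user-writable locations are unusual prompt sources.
ODD_PARENT = re.compile(r"^/(private/)?tmp/|/Downloads/")

def score_event(event):
    """Return (score, reasons); score 0 means not an osascript input dialog."""
    cmd = event.get("cmdline", "")
    binary = cmd.split(None, 1)[0].rsplit("/", 1)[-1] if cmd.strip() else ""
    if binary != "osascript" or not INPUT_DIALOG.search(cmd):
        return 0, []
    reasons = ["dialog with text input"]
    if CRED_WORDS.search(cmd):
        reasons.append("credential wording")
    if ODD_PARENT.search(event.get("parent", "")):
        reasons.append("parent in user-writable path")
    return len(reasons), reasons

def find_prompts(events, threshold=2):
    """Events scoring at or above threshold, as (pid, score, reasons)."""
    hits = [(e["pid"], *score_event(e)) for e in events]
    return [h for h in hits if h[1] >= threshold]

if __name__ == "__main__":
    for pid, score, reasons in find_prompts(SAMPLE_EVENTS):
        print(f"pid={pid} score={score} reasons={', '.join(reasons)}")
```

The rule only sees AppleScript passed inline on the command line; a prompt raised from a script file or a compiled application needs the "unusual programs" side of the monitoring instead.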

References