|Platform||MacOS, OS X|
|Data Sources||User interface, Process Monitoring|
When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task. Adversaries can mimic this functionality to prompt users for credentials with a normal-looking prompt. This type of prompt can be accomplished with AppleScript:
set thePassword to the text returned of (display dialog "AdobeUpdater needs permission to check for updates. Please authenticate." default answer "")
Adversaries can prompt a user for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.2
Users need to be trained to know which programs ask for permission and why. Follow mitigation recommendations for AppleScript.
This technique exploits users' tendencies to always supply credentials when prompted, which makes it very difficult to detect. Monitor process execution for unusual programs as well as AppleScript that could be used to prompt users for credentials.