Description
Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When a program is executed that needs more privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: Bypass User Account Control).
Adversaries may mimic this functionality, presenting a seemingly legitimate credential prompt under a pretext that resembles normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials using various scripting languages such as AppleScript(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware)(Citation: Spoofing credential dialogs) and PowerShell.(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015)(Citation: Spoofing credential dialogs) On Linux systems, adversaries may launch dialog boxes prompting users for credentials from malicious shell scripts or the command line (i.e. Unix Shell).(Citation: Spoofing credential dialogs)
Adversaries may also mimic common software authentication requests, such as those from browsers or email clients. This may also be paired with user activity monitoring (i.e., Browser Information Discovery and/or Application Window Discovery) to spoof prompts when users are naturally accessing sensitive sites/data.
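As an added detection example that is not part of the ATT&CK entry, the script below scans constructed process-creation events for the credential-prompt primitives the description names (AppleScript dialogs, PowerShell credential prompts, Unix shell dialog tools) and raises the severity when the parent process is one that would not normally spawn an interactive credential prompt. The event format, the parent-process list and the severity levels are assumptions:

```python
import re

# Constructed sample process-creation events (hypothetical EDR export); not real telemetry.
EVENTS = [
    {"host": "mac-01", "parent": "Installer", "image": "/usr/bin/osascript",
     "cmdline": 'osascript -e \'display dialog "Enter your password" default answer "" with hidden answer\''},
    {"host": "win-07", "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell -w hidden -c $c = Get-Credential -Message 'Outlook needs your password'"},
    {"host": "lnx-03", "parent": "bash", "image": "/usr/bin/zenity",
     "cmdline": "zenity --password --title='Authentication required'"},
    {"host": "mac-02", "parent": "Terminal", "image": "/usr/bin/osascript",
     "cmdline": "osascript -e 'display notification \"Build finished\"'"},  # benign: no dialog
]

# Command-line patterns for the password-prompt primitives of each scripting language the page names.
PROMPT_PATTERNS = {
    "applescript": re.compile(r"display dialog.*(hidden answer|password)", re.I),
    "powershell":  re.compile(r"(Get-Credential|PromptForCredential)", re.I),
    "unix_shell":  re.compile(r"(zenity\s+--password|kdialog\s+--password)", re.I),
}

# Assumed list of parents that should not be spawning credential prompts (Office apps, shells, schedulers).
SUSPICIOUS_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "OUTLOOK.EXE", "bash", "sh", "cron", "launchd"}


def classify(event):
    """Return (language, severity) if the command line looks like a credential prompt, else None."""
    for lang, pattern in PROMPT_PATTERNS.items():
        if pattern.search(event["cmdline"]):
            severity = "high" if event["parent"] in SUSPICIOUS_PARENTS else "medium"
            return lang, severity
    return None


def scan(events):
    """Return (host, language, severity) for every event that matches a prompt pattern."""
    return [(e["host"], *hit) for e in events if (hit := classify(e))]


if __name__ == "__main__":
    for host, lang, severity in scan(EVENTS):
        print(f"{host}: {lang} credential prompt from {lang} ({severity})")
```

In practice the parent-process check is the useful signal: legitimate installers and system agents do prompt for credentials, so alerting on the prompt alone would be noisy.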
Platforms
Mitigations (1)
User Training (M1017)
Use user training as a way to bring awareness and raise suspicion for potentially malicious events and dialog boxes (ex: Office documents prompting for credentials).
Threat Groups (2)
| ID | Group | Context |
|---|---|---|
| G1039 | RedCurl | [RedCurl](https://attack.mitre.org/groups/G1039) prompts the user for credentials through a Microsoft Outlook pop-up.(Citation: group-ib_redcurl1)(Cit... |
| G0085 | FIN4 | [FIN4](https://attack.mitre.org/groups/G0085) has presented victims with spoofed Windows Authentication prompts to collect their credentials.(Citation... |
Associated Software (13)
| ID | Name | Type | Context |
|---|---|---|---|
| S0279 | Proton | Malware | [Proton](https://attack.mitre.org/software/S0279) prompts users for their credentials.(Citation: objsee mac malware 2017) |
| S9036 | LP-Notes | Malware | [LP-Notes](https://attack.mitre.org/software/S9036) has displayed a fake Windows Security dialog box to prompt for Windows credentials.(Citation: ESET... |
| S0278 | iKitten | Malware | [iKitten](https://attack.mitre.org/software/S0278) prompts the user for their credentials.(Citation: objsee mac malware 2017) |
| S0455 | Metamorfo | Malware | [Metamorfo](https://attack.mitre.org/software/S0455) has displayed fake forms on top of banking sites to intercept credentials from victims.(Citation:... |
| S0274 | Calisto | Malware | [Calisto](https://attack.mitre.org/software/S0274) presents an input prompt asking for the user's login and password.(Citation: Symantec Calisto July ... |
| S9032 | MuddyViper | Malware | [MuddyViper](https://attack.mitre.org/software/S9032) has displayed a fake Windows Security dialog to gather credentials.(Citation: ESET_MuddyWater_De... |
| S0276 | Keydnap | Malware | [Keydnap](https://attack.mitre.org/software/S0276) prompts the users for credentials.(Citation: synack 2016 review) |
| S0482 | Bundlore | Malware | [Bundlore](https://attack.mitre.org/software/S0482) prompts the user for their credentials.(Citation: MacKeeper Bundlore Apr 2019) |
| S0281 | Dok | Malware | [Dok](https://attack.mitre.org/software/S0281) prompts the user for credentials.(Citation: objsee mac malware 2017) |
| S1122 | Mispadu | Malware | [Mispadu](https://attack.mitre.org/software/S1122) can monitor browser activity for online banking actions and display full-screen overlay images to b... |
| S0658 | XCSSET | Malware | [XCSSET](https://attack.mitre.org/software/S0658) prompts the user to input credentials using a native macOS dialog box leveraging the system process ... |
| S0692 | SILENTTRINITY | Tool | [SILENTTRINITY](https://attack.mitre.org/software/S0692)'s `credphisher.py` module can prompt a current user for their credentials.(Citation: GitHub S... |
| S1153 | Cuckoo Stealer | Malware | [Cuckoo Stealer](https://attack.mitre.org/software/S1153) has captured passwords by prompting victims with a “macOS needs to access System Settings” ... |
References
- Foss, G. (2014, October 3). Do You Trust Your Computer? Retrieved December 17, 2018.
- Rehberger, J. (2021, April 18). Spoofing credential dialogs on macOS, Linux and Windows. Retrieved August 19, 2021.
- M.Leveille, M.-E. (2016, July 6). New OSX/Keydnap malware is hungry for credentials. Retrieved July 3, 2017.
- Nelson, M. (2015, January 21). Phishing for Credentials: If you want it, just ask! Retrieved December 17, 2018.
- Shevchenko, S. (2015, June 4). New Mac OS Malware Exploits Mackeeper. Retrieved July 3, 2017.
Frequently Asked Questions
What is T1056.002 (GUI Input Capture)?
T1056.002 is a MITRE ATT&CK technique named 'GUI Input Capture'. It belongs to the Collection and Credential Access tactics. Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are pre...
How can T1056.002 be detected?
Detection of T1056.002 (GUI Input Capture) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1056.002?
There is 1 documented mitigation for T1056.002: User Training.
Which threat groups use T1056.002?
Known threat groups using T1056.002 include: RedCurl, FIN4.