Input Capture: GUI Input Capture, Sub-technique T1056.002 - Enterprise | MITRE ATT&CK®
<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1,shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href='/theme/favicon.ico' type='image/x-icon'> <title>Input Capture: GUI Input Capture, Sub-technique T1056.002 - Enterprise | MITRE ATT&CK®</title> <!-- USWDS CSS --> <!-- Bootstrap CSS --> <link rel='stylesheet' href='/theme/style/bootstrap.min.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-tourist.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-select.min.css' /> <!-- Fontawesome CSS --> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/fontawesome.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/brands.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/solid.min.css"/> <link rel="stylesheet" type="text/css" href="/theme/style.min.css?6689c2db"> </head> <body> <div class="container-fluid attack-website-wrapper d-flex flex-column h-100"> <div class="row sticky-top flex-grow-0 flex-shrink-1"> <!-- header elements --> <header class="col px-0"> <nav class='navbar navbar-expand-lg navbar-dark position-static'> <a class='navbar-brand' href='/'><img src="/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav 
nav-tabs ml-auto'> <li class="nav-item">
</li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div id="search-icon" class="icon-button search-icon"></div></button> </li> </ul> </div> </nav> </header> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- banner elements --> <div class="col px-0"> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <!-- !versions banner! --> <div class="container-fluid banner-message"> ATT&CK v16 has been released! Check out the <a href='https://medium.com/mitre-attack/attack-v16-561c76af94cf'>blog post</a> for more information. </div> </div> </div> <div class="row flex-grow-1 flex-shrink-0"> <!-- main content elements --> <!--start-indexing-for-search--> <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical"> <div class="resizer" id="resizer"></div> <!--stop-indexing-for-search--> <div id="sidebars"></div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/">Home</a></li> <li class="breadcrumb-item"><a href="/techniques/enterprise">Techniques</a></li> <li class="breadcrumb-item"><a href="/techniques/enterprise">Enterprise</a></li> <li class="breadcrumb-item"><a href="/techniques/T1056">Input Capture</a></li> <li class="breadcrumb-item">GUI Input Capture</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1 id=""> <span id="subtechnique-parent-name">Input Capture:</span> GUI Input Capture </h1> <div class="row"> <div class="col-md-8"> <!--stop-indexing-for-search--> <div class="card-block pb-2"> <div class="card"> 
<div class="card-header collapsed" id="subtechniques-card-header" data-toggle="collapse" data-target="#subtechniques-card-body" aria-expanded="false" aria-controls="subtechniques-card-body"> <h5 class="mb-0" id ="sub-techniques">Other sub-techniques of Input Capture (4)</h5> </div> <div id="subtechniques-card-body" class="card-body p-0 collapse" aria-labelledby="subtechniques-card-header"> <table class="table table-bordered"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> </tr> </thead> <tbody> <tr> <td> <a href="/techniques/T1056/001/" class="subtechnique-table-item" data-subtechnique_id="T1056.001"> T1056.001 </a> </td> <td> <a href="/techniques/T1056/001/" class="subtechnique-table-item" data-subtechnique_id="T1056.001"> Keylogging </a> </td> </tr> <tr> <td class="active"> T1056.002 </td> <td class="active"> GUI Input Capture </td> </tr> <tr> <td> <a href="/techniques/T1056/003/" class="subtechnique-table-item" data-subtechnique_id="T1056.003"> T1056.003 </a> </td> <td> <a href="/techniques/T1056/003/" class="subtechnique-table-item" data-subtechnique_id="T1056.003"> Web Portal Capture </a> </td> </tr> <tr> <td> <a href="/techniques/T1056/004/" class="subtechnique-table-item" data-subtechnique_id="T1056.004"> T1056.004 </a> </td> <td> <a href="/techniques/T1056/004/" class="subtechnique-table-item" data-subtechnique_id="T1056.004"> Credential API Hooking </a> </td> </tr> </tbody> </table> </div> </div> </div> <!--start-indexing-for-search--> <div class="description-body"> <p>Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. 
When programs are executed that need more privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (e.g., <a href="/techniques/T1548/002">Bypass User Account Control</a>).</p><p>Adversaries may mimic this functionality and present a seemingly legitimate credential prompt under pretexts that resemble normal usage, such as a fake installer requiring additional access or a fake malware removal suite.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Sergei Shevchenko. (2015, June 4). New Mac OS Malware Exploits Mackeeper. Retrieved July 3, 2017."data-reference="OSX Malware Exploits MacKeeper"><sup><a href="https://baesystemsai.blogspot.com/2015/06/new-mac-os-malware-exploits-mackeeper.html" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> This type of prompt can be used to collect credentials via various languages such as <a href="/techniques/T1059/002">AppleScript</a><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Foss, G. (2014, October 3). Do You Trust Your Computer?. Retrieved December 17, 2018."data-reference="LogRhythm Do You Trust Oct 2014"><sup><a href="https://logrhythm.com/blog/do-you-trust-your-computer/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware is hungry for credentials. 
Retrieved July 3, 2017."data-reference="OSX Keydnap malware"><sup><a href="https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Johann Rehberger. (2021, April 18). Spoofing credential dialogs on macOS Linux and Windows. Retrieved August 19, 2021."data-reference="Spoofing credential dialogs"><sup><a href="https://embracethered.com/blog/posts/2021/spoofing-credential-dialogs/" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span> and <a href="/techniques/T1059/001">PowerShell</a>.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Foss, G. (2014, October 3). Do You Trust Your Computer?. Retrieved December 17, 2018."data-reference="LogRhythm Do You Trust Oct 2014"><sup><a href="https://logrhythm.com/blog/do-you-trust-your-computer/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Nelson, M. (2015, January 21). Phishing for Credentials: If you want it, just ask!. Retrieved December 17, 2018."data-reference="Enigma Phishing for Credentials Jan 2015"><sup><a href="https://enigma0x3.net/2015/01/21/phishing-for-credentials-if-you-want-it-just-ask/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span><span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Johann Rehberger. (2021, April 18). Spoofing credential dialogs on macOS Linux and Windows. 
Retrieved August 19, 2021."data-reference="Spoofing credential dialogs"><sup><a href="https://embracethered.com/blog/posts/2021/spoofing-credential-dialogs/" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span> On Linux systems adversaries may launch dialog boxes prompting users for credentials from malicious shell scripts or the command line (i.e. <a href="/techniques/T1059/004">Unix Shell</a>).<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Johann Rehberger. (2021, April 18). Spoofing credential dialogs on macOS Linux and Windows. Retrieved August 19, 2021."data-reference="Spoofing credential dialogs"><sup><a href="https://embracethered.com/blog/posts/2021/spoofing-credential-dialogs/" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p><p>Adversaries may also mimic common software authentication requests, such as those from browsers or email clients. This may also be paired with user activity monitoring (i.e., <a href="/techniques/T1217">Browser Information Discovery</a> and/or <a href="/techniques/T1010">Application Window Discovery</a>) to spoof prompts when users are naturally accessing sensitive sites/data.</p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="row card-data" id="card-id"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">ID: </span>T1056.002 </div> </div> <!--stop-indexing-for-search--> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Sub-technique of: </span> <a href="/techniques/T1056">T1056</a> </div> </div> <!--start-indexing-for-search--> <div id="card-tactics" class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The tactic objectives that the 
(sub-)technique can be used to accomplish">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Tactics:</span> <a href="/tactics/TA0009">Collection</a>, <a href="/tactics/TA0006">Credential Access</a> </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The system an adversary is operating within; could be an operating system or application">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Platforms: </span>Linux, Windows, macOS </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Contributors: </span>Matthew Molyett, @s1air, Cisco Talos </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Version: </span>1.3 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Created: </span>11 February 2020 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Last Modified: </span>15 April 2024 </div> </div> </div> </div> <div class="text-center pt-2 version-button live"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of T1056.002" href="/versions/v16/techniques/T1056/002/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of T1056.002" href="/versions/v16/techniques/T1056/002/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> <h2 class="pt-3" id ="examples">Procedure Examples</h2> <div 
class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/software/S0482"> S0482 </a> </td> <td> <a href="/software/S0482"> Bundlore </a> </td> <td> <p><a href="/software/S0482">Bundlore</a> prompts the user for their credentials.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020."data-reference="MacKeeper Bundlore Apr 2019"><sup><a href="https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis/" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0274"> S0274 </a> </td> <td> <a href="/software/S0274"> Calisto </a> </td> <td> <p><a href="/software/S0274">Calisto</a> presents an input prompt asking for the user's login and password.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Pantig, J. (2018, July 30). OSX.Calisto. Retrieved September 7, 2018."data-reference="Symantec Calisto July 2018"><sup><a href="https://web.archive.org/web/20190111082249/https://www.symantec.com/security-center/writeup/2018-073014-2512-99?om_rssid=sr-latestthreats30days" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1153"> S1153 </a> </td> <td> <a href="/software/S1153"> Cuckoo Stealer </a> </td> <td> <p><a href="/software/S1153">Cuckoo Stealer</a> has captured passwords by prompting victims with a "macOS needs to access System Settings" GUI window.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="Kohler, A. and Lopez, C. (2024, April 30). Malware: Cuckoo Behaves Like Cross Between Infostealer and Spyware. 
Retrieved August 20, 2024."data-reference="Kandji Cuckoo April 2024"><sup><a href="https://www.kandji.io/blog/malware-cuckoo-infostealer-spyware" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0281"> S0281 </a> </td> <td> <a href="/software/S0281"> Dok </a> </td> <td> <p><a href="/software/S0281">Dok</a> prompts the user for credentials.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018."data-reference="objsee mac malware 2017"><sup><a href="https://objective-see.com/blog/blog_0x25.html" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0085"> G0085 </a> </td> <td> <a href="/groups/G0085"> FIN4 </a> </td> <td> <p><a href="/groups/G0085">FIN4</a> has presented victims with spoofed Windows Authentication prompts to collect their credentials.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Vengerik, B. et al.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018."data-reference="FireEye Hacking FIN4 Dec 2014"><sup><a href="https://www.mandiant.com/sites/default/files/2021-09/rpt-fin4.pdf" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span><span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="Vengerik, B. & Dennesen, K.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. 
Retrieved January 15, 2019."data-reference="FireEye Hacking FIN4 Video Dec 2014"><sup><a href="https://www2.fireeye.com/WBNR-14Q4NAMFIN4.html" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0278"> S0278 </a> </td> <td> <a href="/software/S0278"> iKitten </a> </td> <td> <p><a href="/software/S0278">iKitten</a> prompts the user for their credentials.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018."data-reference="objsee mac malware 2017"><sup><a href="https://objective-see.com/blog/blog_0x25.html" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0276"> S0276 </a> </td> <td> <a href="/software/S0276"> Keydnap </a> </td> <td> <p><a href="/software/S0276">Keydnap</a> prompts the users for credentials.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Patrick Wardle. (2017, January 1). Mac Malware of 2016. Retrieved September 21, 2018."data-reference="synack 2016 review"><sup><a href="https://objective-see.org/blog/blog_0x16.html" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0455"> S0455 </a> </td> <td> <a href="/software/S0455"> Metamorfo </a> </td> <td> <p><a href="/software/S0455">Metamorfo</a> has displayed fake forms on top of banking sites to intercept credentials from victims.<span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. 
Retrieved July 30, 2020."data-reference="FireEye Metamorfo Apr 2018"><sup><a href="https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S1122"> S1122 </a> </td> <td> <a href="/software/S1122"> Mispadu </a> </td> <td> <p><a href="/software/S1122">Mispadu</a> can monitor browser activity for online banking actions and display full-screen overlay images to block user access to the intended site or present additional data fields.<span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Pedro Tavares (Segurança Informática). (2020, September 15). Threat analysis: The emergent URSA trojan impacts many countries using a sophisticated loader. Retrieved March 13, 2024."data-reference="Segurança Informática URSA Sophisticated Loader 2020"><sup><a href="https://seguranca-informatica.pt/threat-analysis-the-emergent-ursa-trojan-impacts-many-countries-using-a-sophisticated-loader/" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span><span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="SCILabs. (2021, December 23). Cyber Threat Profile Malteiro. Retrieved March 13, 2024."data-reference="SCILabs Malteiro 2021"><sup><a href="https://blog.scilabs.mx/en/cyber-threat-profile-malteiro/" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0279"> S0279 </a> </td> <td> <a href="/software/S0279"> Proton </a> </td> <td> <p><a href="/software/S0279">Proton</a> prompts users for their credentials.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="Patrick Wardle. (n.d.). Mac Malware of 2017. 
Retrieved September 21, 2018."data-reference="objsee mac malware 2017"><sup><a href="https://objective-see.com/blog/blog_0x25.html" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1039"> G1039 </a> </td> <td> <a href="/groups/G1039"> RedCurl </a> </td> <td> <p><a href="/groups/G1039">RedCurl</a> prompts the user for credentials through a Microsoft Outlook pop-up.<span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024."data-reference="group-ib_redcurl1"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span><span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024."data-reference="group-ib_redcurl2"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl-2/" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0692"> S0692 </a> </td> <td> <a href="/software/S0692"> SILENTTRINITY </a> </td> <td> <p><a href="/software/S0692">SILENTTRINITY</a>'s <code>credphisher.py</code> module can prompt a current user for their credentials.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Salvati, M. (2019, August 6). SILENTTRINITY Modules. 
Retrieved March 24, 2022."data-reference="GitHub SILENTTRINITY Modules July 2019"><sup><a href="https://github.com/byt3bl33d3r/SILENTTRINITY/tree/master/silenttrinity/core/teamserver/modules/boo" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0658"> S0658 </a> </td> <td> <a href="/software/S0658"> XCSSET </a> </td> <td> <p><a href="/software/S0658">XCSSET</a> prompts the user to input credentials using a native macOS dialog box leveraging the system process <code>/Applications/Safari.app/Contents/MacOS/SafariForWebKitDevelopment</code>.<span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021."data-reference="trendmicro xcsset xcode project 2020"><sup><a href="https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id ="mitigations">Mitigations</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Mitigation</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/mitigations/M1017"> M1017 </a> </td> <td> <a href="/mitigations/M1017"> User Training </a> </td> <td> <p>Use user training as a way to bring awareness and raise suspicion for potentially malicious events and dialog boxes (ex: Office documents prompting for credentials).</p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="detection">Detection</h2> <div class="tables-mobile"> <table class="table datasources-table table-bordered"> <thead> <tr> <th class="p-2" scope="col">ID</th> <th 
class="p-2 nowrap" scope="col">Data Source</th> <th class="p-2 nowrap" scope="col">Data Component</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="datasource" id="uses-DS0017"> <td> <a href="/datasources/DS0017">DS0017</a> </td> <td class="nowrap"> <a href="/datasources/DS0017">Command</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0017/#Command%20Execution">Command Execution</a> </td> <td> <p>Monitor executed commands and arguments, such as requests for credentials and/or strings related to creating password prompts that may be malicious.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Johann Rehberger. (2021, April 18). Spoofing credential dialogs on macOS Linux and Windows. Retrieved August 19, 2021."data-reference="Spoofing credential dialogs"><sup><a href="https://embracethered.com/blog/posts/2021/spoofing-credential-dialogs/" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> </tr> <tr class="datasource" id="uses-DS0009"> <td> <a href="/datasources/DS0009">DS0009</a> </td> <td class="nowrap"> <a href="/datasources/DS0009">Process</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0009/#Process%20Creation">Process Creation</a> </td> <td> <p>Monitor for newly executed processes that may be used to display credential prompts, such as script interpreters (AppleScript, PowerShell, Unix shell) launching dialog boxes.</p> </td> </tr> <tr class="datasource" id="uses-DS0012"> <td> <a href="/datasources/DS0012">DS0012</a> </td> <td class="nowrap"> <a href="/datasources/DS0012">Script</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0012/#Script%20Execution">Script Execution</a> </td> <td> <p>Monitor for any attempts to enable scripts running on a system; such attempts should be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. 
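Scripts should be captured from the file system when possible to determine their actions and intent. </p> </td> </tr> </tbody> </table> </div>
<!--
  References for the technique page, split into two columns (items 1-10 and 11-19).
  Every citation opens in a new tab (target="_blank"); rel carries "noopener" so the
  opened third-party page receives no window.opener handle back to this page. Modern
  browsers imply this for target="_blank"; it is spelled out here to match the footer's
  MITRE link and to cover older browsers.
-->
<h2 class="pt-3" id="references">References</h2>
<div class="row">
  <div class="col">
    <ol>
      <li>
        <span id="scite-1" class="scite-citation">
          <span class="scite-citation-text">
            <a rel="nofollow noopener" class="external text" name="scite-1" href="https://baesystemsai.blogspot.com/2015/06/new-mac-os-malware-exploits-mackeeper.html" target="_blank">
              Sergei Shevchenko. (2015, June 4). New Mac OS Malware Exploits Mackeeper. Retrieved July 3, 2017.
            </a>
          </span>
        </span>
      </li>
      <li>
        <span id="scite-2" class="scite-citation">
          <span class="scite-citation-text">
            <a rel="nofollow noopener" class="external text" name="scite-2" href="https://logrhythm.com/blog/do-you-trust-your-computer/" target="_blank">
              Foss, G. (2014, October 3). Do You Trust Your Computer?. Retrieved December 17, 2018.
            </a>
          </span>
        </span>
      </li>
      <li>
        <span id="scite-3" class="scite-citation">
          <span class="scite-citation-text">
            <a rel="nofollow noopener" class="external text" name="scite-3" href="https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/" target="_blank">
              Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware is hungry for credentials. Retrieved July 3, 2017.
            </a>
          </span>
        </span>
      </li>
      <li>
        <span id="scite-4" class="scite-citation">
          <span class="scite-citation-text">
            <a rel="nofollow noopener" class="external text" name="scite-4" href="https://embracethered.com/blog/posts/2021/spoofing-credential-dialogs/" target="_blank">
              Johann Rehberger. (2021, April 18). Spoofing credential dialogs on macOS Linux and Windows. Retrieved August 19, 2021.
            </a>
          </span>
        </span>
      </li>
      <li>
        <span id="scite-5" class="scite-citation">
          <span class="scite-citation-text">
            <a rel="nofollow noopener" class="external text" name="scite-5" href="https://enigma0x3.net/2015/01/21/phishing-for-credentials-if-you-want-it-just-ask/" target="_blank">
              Nelson, M. (2015, January 21). Phishing for Credentials: If you want it, just ask!. Retrieved December 17, 2018.
            </a>
          </span>
        </span>
      </li>
      <li>
        <span id="scite-6" class="scite-citation">
          <span class="scite-citation-text">
            <a rel="nofollow noopener" class="external text" name="scite-6" href="https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis/" target="_blank">
              Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020.
            </a>
          </span>
        </span>
      </li>
      <li>
        <span id="scite-7" class="scite-citation">
          <span class="scite-citation-text">
            <a rel="nofollow noopener" class="external text" name="scite-7" href="https://web.archive.org/web/20190111082249/https://www.symantec.com/security-center/writeup/2018-073014-2512-99?om_rssid=sr-latestthreats30days" target="_blank">
              Pantig, J. (2018, July 30). OSX.Calisto. Retrieved September 7, 2018.
            </a>
          </span>
        </span>
      </li>
      <li>
        <span id="scite-8" class="scite-citation">
          <span class="scite-citation-text">
            <a rel="nofollow noopener" class="external text" name="scite-8" href="https://www.kandji.io/blog/malware-cuckoo-infostealer-spyware" target="_blank">
              Kohler, A. and Lopez, C. (2024, April 30). Malware: Cuckoo Behaves Like Cross Between Infostealer and Spyware. Retrieved August 20, 2024.
            </a>
          </span>
        </span>
      </li>
      <li>
        <span id="scite-9" class="scite-citation">
          <span class="scite-citation-text">
            <a rel="nofollow noopener" class="external text" name="scite-9" href="https://objective-see.com/blog/blog_0x25.html" target="_blank">
              Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
            </a>
          </span>
        </span>
      </li>
      <li>
        <span id="scite-10" class="scite-citation">
          <span class="scite-citation-text">
            <a rel="nofollow noopener" class="external text" name="scite-10" href="https://www.mandiant.com/sites/default/files/2021-09/rpt-fin4.pdf" target="_blank">
              Vengerik, B. et al.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018.
            </a>
          </span>
        </span>
      </li>
    </ol>
  </div>
  <div class="col">
    <!-- start must be a plain integer; the second column continues the numbering at 11 -->
    <ol start="11">
      <li>
        <span id="scite-11" class="scite-citation">
          <span class="scite-citation-text">
            <a rel="nofollow noopener" class="external text" name="scite-11" href="https://www2.fireeye.com/WBNR-14Q4NAMFIN4.html" target="_blank">
              Vengerik, B. &amp; Dennesen, K.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved January 15, 2019.
            </a>
          </span>
        </span>
      </li>
      <li>
        <span id="scite-12" class="scite-citation">
          <span class="scite-citation-text">
            <a rel="nofollow noopener" class="external text" name="scite-12" href="https://objective-see.org/blog/blog_0x16.html" target="_blank">
              Patrick Wardle. (2017, January 1). Mac Malware of 2016. Retrieved September 21, 2018.
            </a>
          </span>
        </span>
      </li>
      <li>
        <span id="scite-13" class="scite-citation">
          <span class="scite-citation-text">
            <a rel="nofollow noopener" class="external text" name="scite-13" href="https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html" target="_blank">
              Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.
            </a>
          </span>
        </span>
      </li>
      <li>
        <span id="scite-14" class="scite-citation">
          <span class="scite-citation-text">
            <a rel="nofollow noopener" class="external text" name="scite-14" href="https://seguranca-informatica.pt/threat-analysis-the-emergent-ursa-trojan-impacts-many-countries-using-a-sophisticated-loader/" target="_blank">
              Pedro Tavares (Segurança Informática). (2020, September 15). Threat analysis: The emergent URSA trojan impacts many countries using a sophisticated loader. Retrieved March 13, 2024.
            </a>
          </span>
        </span>
      </li>
      <li>
        <span id="scite-15" class="scite-citation">
          <span class="scite-citation-text">
            <a rel="nofollow noopener" class="external text" name="scite-15" href="https://blog.scilabs.mx/en/cyber-threat-profile-malteiro/" target="_blank">
              SCILabs. (2021, December 23). Cyber Threat Profile Malteiro. Retrieved March 13, 2024.
            </a>
          </span>
        </span>
      </li>
      <li>
        <span id="scite-16" class="scite-citation">
          <span class="scite-citation-text">
            <a rel="nofollow noopener" class="external text" name="scite-16" href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank">
              Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024.
            </a>
          </span>
        </span>
      </li>
      <li>
        <span id="scite-17" class="scite-citation">
          <span class="scite-citation-text">
            <a rel="nofollow noopener" class="external text" name="scite-17" href="https://www.group-ib.com/resources/research-hub/red-curl-2/" target="_blank">
              Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024.
            </a>
          </span>
        </span>
      </li>
      <li>
        <span id="scite-18" class="scite-citation">
          <span class="scite-citation-text">
            <a rel="nofollow noopener" class="external text" name="scite-18" href="https://github.com/byt3bl33d3r/SILENTTRINITY/tree/master/silenttrinity/core/teamserver/modules/boo" target="_blank">
              Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
            </a>
          </span>
        </span>
      </li>
      <li>
        <span id="scite-19" class="scite-citation">
          <span class="scite-citation-text">
            <a rel="nofollow noopener" class="external text" name="scite-19" href="https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf" target="_blank">
              Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021.
            </a>
          </span>
        </span>
      </li>
    </ol>
  </div>
</div>
<!-- the next six end tags close containers opened earlier in the document -->
</div> </div> </div> </div> </div> </div>
<!--stop-indexing-for-search-->
<!-- search overlay for the entire page; not displayed inline -->
<div class="overlay search" id="search-overlay" style="display: none;">
  <div class="overlay-inner">
    <!-- text input for searching -->
    <div class="search-header">
      <div class="search-input">
        <!-- placeholder text is not an accessible name, so the field is named explicitly -->
        <input type="text" id="search-input" placeholder="search" aria-label="search">
      </div>
      <div class="search-icons">
        <div class="search-parsing-icon spinner-border" style="display: none" id="search-parsing-icon"></div>
        <div class="close-search-icon" id="close-search-icon">×</div>
      </div>
    </div>
    <!-- results and controls for loading more results -->
    <div id="search-body" class="search-body">
      <div class="results" id="search-results">
        <!-- content will be appended here on search -->
      </div>
      <div id="load-more-results" class="load-more-results">
        <!-- explicit type: a bare button defaults to submit -->
        <button type="button" class="btn btn-default" id="load-more-results-button">load more results</button>
      </div>
    </div>
  </div>
</div>
<!-- closes a container opened earlier in the document -->
</div>
<div class="row flex-grow-0 flex-shrink-1">
  <!-- footer elements -->
  <footer class="col footer">
    <div class="container-fluid">
      <div class="row row-footer">
        <div class="col-2 col-sm-2 col-md-2">
          <div class="footer-center-responsive my-auto">
            <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE">
              <!-- the link carries the accessible name, so the logo is marked decorative -->
              <img src="/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans" alt="">
            </a>
          </div>
        </div>
        <div class="col-2 col-sm-2 footer-responsive-break"></div>
        <div class="footer-link-group">
          <div class="row row-footer">
            <div class="px-3 col-footer">
              <u class="footer-link"><a href="/resources/engage-with-attack/contact" class="footer-link">Contact Us</a></u>
            </div>
            <div class="px-3 col-footer">
              <u class="footer-link"><a href="/resources/legal-and-branding/terms-of-use" class="footer-link">Terms of Use</a></u>
            </div>
            <div class="px-3 col-footer">
              <u class="footer-link"><a href="/resources/legal-and-branding/privacy" class="footer-link">Privacy Policy</a></u>
            </div>
            <div class="px-3">
              <!-- &#10; keeps the line break between the two version strings inside the tooltip text -->
              <u class="footer-link"><a href="/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" data-html="true" title="ATT&amp;CK content v16.1&#10;Website v4.2.1">Website Changelog</a></u>
            </div>
          </div>
          <div class="row">
            <small class="px-3"> © 2015 - 2024, The MITRE Corporation. MITRE ATT&amp;CK and ATT&amp;CK are registered trademarks of The MITRE Corporation. </small>
          </div>
        </div>
        <div class="w-100 p-2 footer-responsive-break"></div>
        <div class="col pr-4">
          <div class="footer-float-right-responsive-brand">
            <div class="row row-footer row-footer-icon">
              <div class="mb-1">
                <!-- icon-only links: named for assistive technology, glyphs hidden from it -->
                <a href="https://twitter.com/MITREattack" class="btn btn-footer" aria-label="MITRE ATT&amp;CK on Twitter">
                  <i class="fa-brands fa-x-twitter fa-lg" aria-hidden="true"></i>
                </a>
                <a href="https://github.com/mitre-attack" class="btn btn-footer" aria-label="MITRE ATT&amp;CK on GitHub">
                  <i class="fa-brands fa-github fa-lg" aria-hidden="true"></i>
                </a>
              </div>
            </div>
          </div>
        </div>
      </div>
    </div>
    <!-- NOTE(review): this end tag has no matching <div> opened inside <footer>; kept as in the original, confirm against the template -->
    </div>
  </footer>
</div>
<!-- closes a container opened earlier in the document -->
</div>
<!--stopindex-->
</div>
<!--SCRIPTS-->
<script src="/theme/scripts/jquery-3.5.1.min.js"></script>
<script src="/theme/scripts/popper.min.js"></script>
<script src="/theme/scripts/bootstrap-select.min.js"></script>
<script src="/theme/scripts/bootstrap.bundle.min.js"></script>
<script src="/theme/scripts/site.js"></script>
<script src="/theme/scripts/settings.js"></script>
<script src="/theme/scripts/search_bundle.js"></script>
<!--SCRIPTS-->
<script src="/theme/scripts/resizer.js"></script>
<!--SCRIPTS-->
<script src="/theme/scripts/bootstrap-tourist.js"></script>
<!-- NOTE(review): settings.js is already loaded above; confirm the second include is intended -->
<script src="/theme/scripts/settings.js"></script>
<script src="/theme/scripts/tour/tour-subtechniques.js"></script>
<script src="/theme/scripts/sidebar-load-all.js"></script>
</body>
</html>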