MITRE ATT&CK® Detection Strategy

DET0521: Behavioral Detection of Spoofed GUI Credential Prompts

Enterprise · DET0521 · Detection Strategy · Object v1.0 · Modified

Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0521 is a detection-strategy object for identifying spoofed graphical credential prompts associated with GUI Input Capture. The business issue is user trust: if attackers can imitate normal operating system authentication dialogs, credentials may be handed over without malware needing to break encryption or exploit a vulnerability. For leaders, this matters because credential theft can quickly become an incident-response, identity-governance, and business-continuity problem.

Executive priority

Prioritize this as an identity and endpoint visibility validation exercise rather than as a single alert rule. Security leaders should ask whether SOC teams can distinguish legitimate privilege/authentication prompts from suspicious application-driven prompts, whether endpoint telemetry is retained for Windows, macOS, and Linux environments where the related technique applies, and whether user-reported suspicious prompts are handled as potential credential-access events. Because the ATT&CK object provides no official detection text, coverage should be evidenced through local testing, telemetry review, and incident-response playbooks rather than assumed from ATT&CK mapping alone.

Technical view

This detection strategy is mapped as detecting T1056.002, GUI Input Capture, which is associated with collection and credential-access behavior on Linux, macOS, and Windows. SOC and detection engineering teams should validate whether they can observe unusual processes presenting credential-like GUI prompts, especially where the prompt does not align with an expected operating system authorization workflow or known administrative action. IR teams should correlate suspicious prompt activity with process lineage, user session context, privilege-elevation events, authentication attempts, and any subsequent credential use. Since the detection-strategy object has no official description or detection logic, implementation must be environment-specific and should avoid assuming that every credential prompt is malicious.

Likely telemetry

  • Endpoint process creation and parent-child process lineage
  • User session and interactive logon context
  • Operating system authentication or privilege prompt events where available
  • Application/window metadata or GUI interaction telemetry where available
  • Authentication logs following suspicious prompt activity

Detection direction

  • Validate whether endpoint telemetry can connect a credential-like prompt to the responsible process and user session.
  • Tune detections around abnormal prompt origin, unexpected process lineage, unusual timing, or prompts unrelated to a known administrative workflow.
  • Correlate prompt behavior with later credential use, authentication failures, privilege changes, or access to sensitive systems.
  • Account for false positives from legitimate installers, administrative tools, software updates, remote support tools, and normal OS authorization workflows.
  • Do not claim ATT&CK coverage from the DET0521 mapping alone; require local evidence because official detection guidance is not provided in the supplied object.
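
One way to implement the lineage check and the follow-on authentication correlation described above, written here as an added example; it is not part of the ATT&CK object or Glexia's analysis. The process, prompt and authentication records are constructed, and the allowlist of expected prompt hosts (consent.exe and CredentialUIBroker.exe on Windows) is an assumption that must be baselined per environment.

```python
# Constructed sample telemetry (not captured from a real host); times in seconds.
PROCS = [  # (pid, ppid, image, user)
    (400, 1, r"C:\Windows\explorer.exe", "alice"),
    (410, 400, r"C:\Windows\System32\consent.exe", "alice"),
    (500, 400, r"C:\Program Files\Mail\mail.exe", "alice"),
    (520, 500, r"C:\Users\alice\AppData\Local\Temp\invoice.exe", "alice"),
]
PROMPTS = [  # (t, owner_pid, window_title)
    (100, 410, "User Account Control"),
    (200, 520, "Windows Security - Enter your credentials"),
]
AUTH = [  # (t, user, outcome)
    (230, "alice", "failure"),
    (240, "alice", "success"),
]
# Assumed allowlist of images expected to own OS credential/elevation prompts;
# baseline this per environment rather than copying it.
EXPECTED_PROMPT_IMAGES = {"consent.exe", "credentialuibroker.exe"}
CRED_TITLE_HINTS = ("credential", "password", "sign in", "user account control")

def lineage(pid, procs):
    """Parent chain as lowercased basenames; stops at an unknown pid or a cycle."""
    by_pid = {p[0]: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid][2].rsplit("\\", 1)[-1].lower())
        pid = by_pid[pid][1]
    return chain

def evaluate(procs, prompts, auth, window=60):
    """Flag credential-like prompts not owned by an expected OS prompt host; severity
    rises when the same user authenticates within `window` seconds afterwards."""
    by_pid = {p[0]: p for p in procs}
    findings = []
    for t, pid, title in prompts:
        if not any(h in title.lower() for h in CRED_TITLE_HINTS):
            continue  # not credential-like; ignore
        chain = lineage(pid, procs)
        if not chain:  # owner pid absent from process telemetry: a visibility gap
            findings.append({"t": t, "owner": "<unknown>", "lineage": [],
                             "severity": "high", "auth_after": []})
            continue
        if chain[0] in EXPECTED_PROMPT_IMAGES:
            continue  # prompt from the expected OS host; normal workflow
        user = by_pid[pid][3]
        later = [a for a in auth if a[1] == user and t <= a[0] <= t + window]
        findings.append({"t": t, "owner": chain[0], "lineage": chain,
                         "severity": "high" if later else "medium", "auth_after": later})
    return findings
```

Installers, remote-support tools and update agents that legitimately own prompts belong in the allowlist or a separate suppression list; the `<unknown>` branch is deliberately loud because a prompt with no resolvable process is itself the telemetry gap the validation step above is meant to expose.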

Mitigation priorities

  • Strengthen user reporting paths for unexpected credential prompts and ensure SOC triage treats them as possible credential-access indicators.
  • Maintain endpoint logging sufficient to associate GUI prompts with processes, users, and authentication activity.
  • Use least privilege and controlled administrative workflows so legitimate elevation prompts are predictable and easier to distinguish from suspicious prompts.
  • Review identity monitoring and incident-response procedures for rapid credential reset, session review, and containment when prompt spoofing is suspected.
  • Document tested detection assumptions for audit and compliance evidence, especially where credential-access monitoring is a stated control objective.

Analyst notes and limits

The supplied object is a MITRE ATT&CK detection strategy, DET0521, named Behavioral Detection of Spoofed GUI Credential Prompts. It has no official description, no official detection text, and no platform or tactic fields of its own. The practical interpretation comes from its relationship indicating it detects T1056.002, GUI Input Capture, whose supplied context references spoofed operating system GUI credential prompts and applies to Linux, macOS, and Windows.

This take is constrained by sparse ATT&CK fields. It does not assert active exploitation, actor use, product coverage, or guaranteed detectability. Specific detections require local operating system behavior, endpoint sensor capability, identity logs, and knowledge of normal administrative workflows.

Official MITRE ATT&CK definition

Behavioral Detection of Spoofed GUI Credential Prompts

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row
Domain      ID          Name                               Relationship / procedure
Enterprise  T1056.002   GUI Input Capture (sub-technique)  This object detects GUI Input Capture.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
7a91309b8208a05f...
Imported snapshots across ATT&CK releases (1)
Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  7a91309b8208…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack DET0521

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.