MITRE ATT&CK® Technique

T1056.002: GUI Input Capture

Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need more privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (e.g., Bypass User Account Control).

Adversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.[1] This type of prompt can be used to collect credentials via various languages such as AppleScript[2][3][4] and PowerShell.[2][5][4] On Linux systems adversaries may launch dialog boxes prompting users for credentials from malicious shell scripts or the command line (i.e. Unix Shell).[4]

Adversaries may also mimic common software authentication requests, such as those from browsers or email clients. This may also be paired with user activity monitoring (i.e., Browser Information Discovery and/or Application Window Discovery) to spoof prompts when users are naturally accessing sensitive sites/data.

Enterprise · T1056.002 · Sub-technique · Object v1.3 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

GUI Input Capture matters because it turns normal user trust in operating system or application prompts into a credential collection path. Instead of breaking authentication directly, an adversary may present a believable privilege, installer, browser, email, or software login dialog and persuade the user to type credentials. For leaders, the business issue is not only malware prevention; it is whether users, endpoint telemetry, SOC workflows, and incident response can distinguish legitimate credential prompts from spoofed ones across Windows, macOS, and Linux.

Executive priority

Prioritize this as an identity and endpoint resilience risk. A single convincing prompt can produce credentials that may affect privileged access, cloud/application access, or sensitive business data, depending on where the captured credentials are reused. Executives should ask whether the organization has user training and reporting paths for suspicious prompts, whether SOC teams can investigate prompt-related credential theft quickly, and whether macOS coverage is mature enough given the number of related ATT&CK software examples on macOS. This technique also supports audit and compliance discussions around security awareness, credential protection, and incident evidence collection.

Technical view

This is ATT&CK T1056.002, a sub-technique of Input Capture in the Collection and Credential Access tactics, applicable to Linux, macOS, and Windows. The supplied ATT&CK description highlights spoofed operating system GUI credential prompts and spoofed browser or email authentication requests, potentially implemented through AppleScript, PowerShell, or Unix shell activity. There is no official MITRE detection text for this object, but the relationship to DET0521, Behavioral Detection of Spoofed GUI Credential Prompts, indicates that defenders should focus on behavioral detection rather than static prompt content alone. SOC and IR teams should validate telemetry for script or command-line creation of dialog boxes, unexpected credential prompts from installers or fake utilities, and suspicious timing relative to browser/application window discovery or sensitive site access where available.

Likely telemetry

  • Endpoint process creation and command-line telemetry for AppleScript, PowerShell, Unix shell, and scripts launched by unusual parent processes
  • macOS, Windows, and Linux endpoint security events showing suspicious or unexpected GUI prompt generation
  • Application execution history for fake installers, fake malware removal tools, trojanized utilities, or applications mimicking trusted software
  • User reports, help desk tickets, and phishing/security mailbox submissions describing unexpected credential or privilege prompts
  • Browser and email client activity context when prompts appear during access to sensitive sites, email, or business applications

Detection direction

  • Treat this as a behavior-and-context detection problem: validate DET0521-style coverage for spoofed GUI credential prompts rather than relying only on malware signatures.
  • Tune for script-driven prompt creation from AppleScript, PowerShell, and Unix shell, especially when launched by downloaded applications, installers, archive contents, or unexpected user-writable paths.
  • Correlate suspicious prompts with surrounding activity such as application window discovery, browser information discovery, fake software authentication requests, or sudden credential failures after a prompt is shown.
  • Use relationship context to prioritize macOS detection validation: multiple related software entries using this technique are macOS-focused, while Windows is also supported by ATT&CK and represented by related software.
  • Account for false positives from legitimate administrative tools, installers, support workflows, and expected operating system privilege prompts. Detection should emphasize abnormal parent process, script source, user context, timing, and application reputation rather than the existence of a prompt alone.
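A worked detection example for the direction above, added here and not part of the Glexia or MITRE material: it flags script-driven prompt creation only when the prompt command is combined with context, namely a parent launched from a user-writable path or an authentication failure for the same user shortly after the prompt. The interpreters and dialog tools matched (osascript, PowerShell, zenity-style tools), the event field names, and the sample events are all assumptions constructed for this illustration, not a vendor schema or real telemetry.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data); field names are assumptions, not a vendor schema.
PROC_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "mac01", "user": "alice", "parent": "/Users/alice/Downloads/Installer",
     "cmdline": "osascript -e 'display dialog \"Password:\" default answer \"\" with hidden answer'"},
    {"ts": "2024-05-01T09:05:00", "host": "win01", "user": "bob", "parent": "C:\\Program Files\\Vendor\\AdminTool.exe",
     "cmdline": "powershell.exe -Command Get-Credential"},
    {"ts": "2024-05-01T09:10:00", "host": "lnx01", "user": "carol", "parent": "/home/carol/Downloads/helper",
     "cmdline": "zenity --password --title=Authentication"},
]
AUTH_EVENTS = [  # authentication outcomes on the same hosts, also constructed
    {"ts": "2024-05-01T09:02:30", "host": "mac01", "user": "alice", "result": "failure"},
    {"ts": "2024-05-01T09:06:00", "host": "win01", "user": "bob", "result": "success"},
]

# Interpreter command lines that create a dialog asking for a hidden (password) answer.
PROMPT_PATTERNS = [
    re.compile(r"\bosascript\b.*display dialog.*hidden answer", re.I),
    re.compile(r"\b(powershell|pwsh)(\.exe)?\b.*(Get-Credential|PromptForCredential)", re.I),
    re.compile(r"\b(zenity|kdialog|dialog)\b.*--password", re.I),
]
USER_WRITABLE = ("/Users/", "/home/", "/tmp/", "/private/tmp/", "C:\\Users\\")  # downloaded-installer paths

def is_prompt(cmdline):
    return any(p.search(cmdline) for p in PROMPT_PATTERNS)

def context_signals(ev, auth_events, window=timedelta(minutes=5)):
    reasons = []  # contextual reasons that make a prompt-creating command suspicious
    if ev["parent"].startswith(USER_WRITABLE):
        reasons.append("parent launched from user-writable path")
    t0 = datetime.fromisoformat(ev["ts"])
    failed = any(a["host"] == ev["host"] and a["user"] == ev["user"] and a["result"] == "failure"
                 and t0 <= datetime.fromisoformat(a["ts"]) <= t0 + window for a in auth_events)
    if failed:
        reasons.append("authentication failure within window after prompt")
    return reasons

def find_spoofed_prompts(proc_events, auth_events):
    alerts = []
    for ev in proc_events:
        if not is_prompt(ev["cmdline"]):
            continue  # dialogs without a password field never match
        reasons = context_signals(ev, auth_events)
        if reasons:  # a prompt from a trusted path with no auth failure is not alerted
            alerts.append({"host": ev["host"], "user": ev["user"], "reasons": reasons})
    return alerts
```

On the sample data the macOS and Linux prompts are alerted (the macOS one with both signals) while the PowerShell prompt from the vendor admin tool is not, which is the false-positive handling the last bullet asks for.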

Mitigation priorities

  • Start with M1017 User Training: teach users to question unexpected credential or privilege prompts, especially prompts from installers, utilities, browsers, or email clients that appear out of normal workflow.
  • Provide a low-friction reporting path for suspicious prompts so SOC and help desk teams can capture screenshots, timestamps, hostnames, and user context before evidence disappears.
  • Define and communicate what legitimate administrative elevation and application authentication prompts look like in the organization, including when users should expect them and when they should stop and report.
  • Use incident response playbooks that treat reported spoofed prompts as potential credential exposure events, prompting credential review and endpoint investigation rather than closing them as generic phishing awareness issues.
  • Sequence detection engineering after training by validating script execution visibility and endpoint context on Windows, macOS, and Linux systems in scope.

Analyst notes and limits

The strongest relationship-driven signal is that this behavior sits under Input Capture and is used for credential-access and collection. ATT&CK relationships include FIN4 and RedCurl as groups and multiple software examples, with a notable concentration of macOS software such as Calisto, Keydnap, iKitten, Proton, Dok, Bundlore, XCSSET, and Cuckoo Stealer, plus Windows examples including Metamorfo, SILENTTRINITY, Mispadu, MuddyViper, and LP-Notes. These relationships support prioritizing both macOS and Windows validation, while the official platform list also includes Linux.

The supplied ATT&CK object does not include official detection guidance, procedure-level detail, or environment-specific indicators. This take does not assert active exploitation, current targeting, customer exposure, or guaranteed detection. Local evidence is required to determine whether users encounter this behavior, whether endpoint telemetry captures spoofed prompt creation, and whether SOC processes can respond before captured credentials are abused.

Official MITRE ATT&CK definition

GUI Input Capture


View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID     Name           Relationship / procedure
Enterprise  T1141  Input Prompt   Input Prompt was revoked by this object.
Enterprise  T1056  Input Capture  This object is a sub-technique of Input Capture.

Associated objects

Groups, software, and campaigns

Group Enterprise

G1039: RedCurl

RedCurl is a threat actor active since 2018 notable for corporate espionage targeting a variety of locations, including Ukraine, Canada and the United Kingdom, and a variety of industries, including but not limited to travel agencies, insurance companies, and banks.[1] RedCurl is allegedly a Russian-speaking threat actor.[1][2] The group’s operations typically start with spearphishing emails to gain initial access, then the group executes discovery and collection commands and scripts to find corporate data. The group concludes operations by exfiltrating files to the C2 servers.

Group Enterprise

G0085: FIN4

FIN4 is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013.[1][2] FIN4 is unique in that they do not infect victims with typical persistent malware, but rather they focus on capturing credentials authorized to access email and other non-public correspondence.[1][3]

Malware Enterprise

S0455: Metamorfo

Metamorfo is a Latin-American banking trojan operated by a Brazilian cybercrime group that has been active since at least April 2018. The group focuses on targeting banks and cryptocurrency services in Brazil and Mexico.[1][2]

Platforms: Windows

Malware Enterprise

S0276: Keydnap

This piece of malware steals the content of the user's keychain while maintaining a permanent backdoor.[1]

Platforms: macOS

Malware Enterprise

S0482: Bundlore

Bundlore is adware written for macOS that has been in use since at least 2015. Though categorized as adware, Bundlore has many features associated with more traditional backdoors.[1]

Platforms: macOS

Malware Enterprise

S1122: Mispadu

Mispadu is a banking trojan written in Delphi that was first observed in 2019 and uses a Malware-as-a-Service (MaaS) business model.[1][2] This malware is operated, managed, and sold by the Malteiro cybercriminal group.[2] Mispadu has mainly been used to target victims in Brazil and Mexico, and has also had confirmed operations throughout Latin America and Europe.[2][3][4]

Platforms: Windows

Malware Enterprise

S0658: XCSSET

XCSSET is a modular macOS malware family delivered through infected Xcode projects and executed when the project is compiled. Active since August 2020, it has been observed installing backdoors, spoofed browsers, collecting data, and encrypting user files. It is composed of SHC-compiled shell scripts and run-only AppleScripts, often hiding in apps that mimic system tools (such as Xcode, Mail, or Notes) or use familiar icons (like Launchpad) to avoid detection.[1][2][3]

Platforms: macOS

Tool Enterprise

S0692: SILENTTRINITY

SILENTTRINITY is an open source remote administration and post-exploitation framework primarily written in Python that includes stagers written in PowerShell, C, and Boo. SILENTTRINITY was used in a 2019 campaign against Croatian government agencies by unidentified cyber actors.[1][2]

Platforms: Windows

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.3
Created:
Modified:
Raw hash: 06f62a2d412d4371...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.3                       Current bundle  06f62a2d412d…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] OSX Malware Exploits MacKeeper. Sergei Shevchenko. (2015, June 4). New Mac OS Malware Exploits Mackeeper. Retrieved July 3, 2017.
  2. [2] LogRhythm Do You Trust Oct 2014. Foss, G. (2014, October 3). Do You Trust Your Computer? Retrieved December 17, 2018.
  3. [3] OSX Keydnap malware. Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware is hungry for credentials. Retrieved July 3, 2017.
  4. [4] Spoofing credential dialogs. Johann Rehberger. (2021, April 18). Spoofing credential dialogs on macOS Linux and Windows. Retrieved August 19, 2021.
  5. [5] Enigma Phishing for Credentials Jan 2015. Nelson, M. (2015, January 21). Phishing for Credentials: If you want it, just ask! Retrieved December 17, 2018.
  6. [6] mitre-attack T1056.002.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.