Credential Access (TA0006)(external, opens in a new tab or window)
text code block:process where event.action == "exec" and host.os.type == "macos" and process.name == "osascript" and process.args == "-e" and process.command_line like~ ("*osascript*display*dialog*password*", "*osascript*display*dialog*passphrase*", "*pass*display*dialog*") and not (process.parent.executable == "/usr/bin/sudo" and process.command_line like~ "*Encryption Key Escrow*") and not (process.command_line like~ "*-e with timeout of 3600 seconds*" and user.id like "0" and process.parent.executable == "/bin/bash") and not process.Ext.effective_parent.executable like~ ("/usr/local/jamf/*", "/Library/Intune/Microsoft Intune Agent.app/Contents/MacOS/IntuneMdmDaemon", "/Library/Application Support/Mosyle/MosyleMDM.app/Contents/MacOS/MosyleMDM", "/Applications/Karabiner-Elements.app/Contents/MacOS/Karabiner-Elements", "/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon", "/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfManagementService.app/Contents/MacOS/JamfManagementService")
Install detection rules in Elastic Security
Detect Prompt for Credentials with Osascript in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).