
Defense Evasion | Execution | Updated Dec 5, 2025

Block Fake Password Prompts via osascript

Block osascript display dialogs that mimic system password prompts, stopping Atomic Stealer and Cthulhu Stealer from harvesting user credentials.

Idea

macOS attackers routinely use AppleScript's display dialog … with hidden answer primitive to render a system-style password prompt that asks the user to "re-enter" their password. Because the dialog is drawn by osascript — an Apple-signed binary calling into macOS UI services — it visually matches a legitimate authentication prompt: same fonts, same button chrome, same system styling. Both technical and non-technical users routinely type their login password into it.

Once captured, the password is typically used to unlock the login keychain (harvesting stored credentials, browser cookies, SSH keys) and to escalate to root via sudo.

This is the signature initial-collection step of several macOS infostealer families, including Atomic Stealer (AMOS) and Cthulhu Stealer. The canonical syntax follows this pattern (the dialog text varies across samples but the AppleScript surface is fixed):

osascript -e 'display dialog "macOS wants to make changes" default answer "" with hidden answer'

This rule blocks osascript invocations whose joined arguments contain "display dialog" together with either "with hidden answer" or the substring "password" — a combination that is extremely rare in legitimate automation. See also the broader AppleScript Gatekeeper-bypass rule for blocking other dangerous osascript patterns.

Solutions

Execution: Block Hidden Answer Dialogs
Block osascript from showing password input dialogs
Signing ID
CEL Expression
Custom Message

MITRE ATT&CK

Tags

osascript, password-prompt, social-engineering

Deployment Notes

This rule is aggressive and may block legitimate uses of osascript for password prompts. Review your environment before deploying widely.

Consider using audit-only mode initially to identify legitimate uses.

False Positive Guidance

Some IT management scripts use osascript to prompt for passwords legitimately. If you have such scripts:

  1. Rewrite them to use macOS's Authorization Services framework, which surfaces real system authentication dialogs and avoids reimplementing the prompt in script
  2. Move the workflow to a signed helper tool with its own signing ID, then allow that tool via a separate rule
  3. Use Workshop tags to exempt specific hosts or service accounts that legitimately need this functionality

Testing Instructions

  1. Trigger the rule: osascript -e 'display dialog "Enter password" default answer "" with hidden answer' (should be blocked)
  2. Verify a benign osascript call still runs: osascript -e 'display dialog "Hello"' (should work)
  3. Verify a non-password dialog still runs: osascript -e 'tell application "Finder" to display dialog "Test"' (should work)
  4. Audit your environment for legitimate uses before enforcing fleet-wide (see Deployment Notes)

Detection Methods

  • Santa Execution Block Event: detect blocked attempts to show fake password prompts. Query: event_type=Execution AND decision=DENY AND signing_id='platform:com.apple.osascript'
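The rule's matching logic (joined osascript arguments containing "display dialog" plus "with hidden answer" or "password"), the three Testing Instructions commands, audit-only mode from the Deployment Notes, and the detection query above, worked through in one added Python example. This is not the rule's own CEL expression or Santa code; it models the decision in plain Python so the expected outcomes can be checked before deploying. The case folding, the shape of the event record, and the non-osascript signing ID placeholder are assumptions made here.

```python
import shlex

# Signing ID the page's detection query uses for Apple's osascript binary.
OSASCRIPT_SIGNING_ID = "platform:com.apple.osascript"

# The three Testing Instructions commands, the canonical sample from the
# Idea section, and one constructed non-osascript command that never matches.
TEST_COMMANDS = [
    "osascript -e 'display dialog \"Enter password\" default answer \"\" with hidden answer'",
    "osascript -e 'display dialog \"Hello\"'",
    "osascript -e 'tell application \"Finder\" to display dialog \"Test\"'",
    "osascript -e 'display dialog \"macOS wants to make changes\" default answer \"\" with hidden answer'",
    "ls -la /Applications",
]


def is_osascript(argv):
    """True when the executed binary is osascript (full path or bare name)."""
    return bool(argv) and argv[0].rsplit("/", 1)[-1] == "osascript"


def matches_fake_prompt_rule(argv):
    """The rule as the page states it: an osascript invocation whose joined
    arguments contain "display dialog" together with "with hidden answer" or
    the substring "password". Case folding is an added assumption (AppleScript
    keywords are case-insensitive); the page only says "contain"."""
    if not is_osascript(argv):
        return False
    joined = " ".join(argv[1:]).lower()
    return "display dialog" in joined and (
        "with hidden answer" in joined or "password" in joined
    )


def run_rule(command_line, enforce=True):
    """Evaluate one command line and return a Santa-style execution event.
    enforce=False models audit-only mode: the match is recorded but the
    process is allowed. The field names event_type, decision and signing_id
    come from the page's query; the rest of the record shape is assumed."""
    argv = shlex.split(command_line)
    matched = matches_fake_prompt_rule(argv)
    return {
        "event_type": "Execution",
        "decision": "DENY" if (matched and enforce) else "ALLOW",
        # Signing ID for anything other than osascript is a constructed placeholder.
        "signing_id": OSASCRIPT_SIGNING_ID if is_osascript(argv) else "platform:example.other",
        "matched_rule": matched,
        "command": command_line,
    }


def blocked_osascript_events(events):
    """The page's detection query:
    event_type=Execution AND decision=DENY AND signing_id='platform:com.apple.osascript'."""
    return [
        e for e in events
        if e["event_type"] == "Execution"
        and e["decision"] == "DENY"
        and e["signing_id"] == OSASCRIPT_SIGNING_ID
    ]


if __name__ == "__main__":
    events = [run_rule(c) for c in TEST_COMMANDS]
    for e in events:
        print(f'{e["decision"]:5} matched={e["matched_rule"]!s:5} {e["command"]}')
    print(f"detection query returned {len(blocked_osascript_events(events))} blocked event(s)")
```

Running it shows the two hidden-answer commands denied, the "Hello" and Finder dialogs allowed, and the detection query returning exactly the denied osascript events; switching run_rule to enforce=False keeps matched_rule set while the decision becomes ALLOW, which is the signal to review during an audit-only rollout.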

Resources

Related Rules