{
	"id": "78c9cc49-783a-436f-8e82-df1fffc8ab26",
	"created_at": "2026-04-06T00:18:42.557735Z",
	"updated_at": "2026-04-10T03:20:49.286783Z",
	"deleted_at": null,
	"sha1_hash": "c0c87f3b36afba58545bb39a9f3dbe3e41047a31",
	"title": "\"Spoofing credential dialogs on macOS, Linux and Windows\"",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 694133,
	"plain_text": "\"Spoofing credential dialogs on macOS, Linux and Windows\"\r\nBy wunderwuzzi\r\nPublished: 2021-04-19 · Archived: 2026-04-05 14:42:38 UTC\r\nA nifty way for adversaries to acquire passwords during post-exploitation is to spoof credential dialogs and perform a local phishing attack. This means tricking a user on a compromised computer into entering their password. Unfortunately, users are conditioned to enter their credentials frequently and therefore don’t question random password prompts too much.\r\nLong, long time ago… but nothing has changed\r\nThe idea to spoof a credential dialog is one of the simplest ideas one might come up with.\r\nIn fact, one of the first programs I wrote when learning C, some 26 years ago, was a tool that mimicked the Novell Netware Login screen. I was amazed how simply this could be done.\r\nI was just learning about printf and scanf and put them to creative use. Obviously, I didn’t use it for nefarious purposes - I was and still am a curious person. But I remember showing it to a few friends and got surprised reactions.\r\nIn this post we will go over three scenarios on how an attacker might trick users on Mac, Linux and Windows. Given the commands, we can then also easily build detections for them.\r\nmacOS: Spoofing a credential prompt using osascript\r\nOn macOS the osascript command line utility can be used. For instance, this will just create a notification:\r\n# osascript -e 'display notification \"Hello World!\"'\r\nNeat.\r\nIt also allows creating a password prompt… The display dialog feature has a hidden answer option that turns the dialog into a password prompt.\r\n# PWD_SPOOF=$(osascript -e 'display dialog \"To perform a security update MacOS needs your password.\" with title\r\n# echo $PWD_SPOOF\r\nbutton returned:OK, text returned:S3cr3tPa$$w0rd!\r\nThat’s pretty much all that is needed for a post-exploitation technique.\r\nhttps://embracethered.com/blog/posts/2021/spoofing-credential-dialogs/\r\nPage 1 of 5\r\nOne way to deploy this is by updating the victim’s profile.\r\nLinux: Spoofing a credential prompt via zenity\r\nTypically, you won’t encounter that many Linux desktop users during red teaming operations. But if you do, zenity is useful and it even has a --password option that can be used.\r\nwuzzi@saturn:$ PWD=$(zenity --password --text \"Ubuntu Update needs your password: \" --title \"Ubuntu System Upda\r\nThat’s a way I was able to emulate this attack on Linux.\r\nWindows: Spoofing a credential prompt with PowerShell\r\nOn Windows Get-Credential is your friendly PowerShell command to do this.\r\n$creds = Get-Credential -UserName $env:USERNAME -Message \"Cortana wants setup a reminder and needs your permiss\r\nThis results in a pop-up with the following look and feel:\r\nA simple line like this can be added to a user’s logon script, AutoStart, or it can be actively injected into another user’s session on the machine during post-exploitation.\r\nDetections\r\nBy looking through command history one can quickly identify such spoofing attempts. It will take some training and filtering to distinguish legitimate use cases from attacks, but that’s why we have the red team.\r\nSpecial attention can be given to the zenity --password and osascript with hidden answer command line arguments on Linux and Mac.\r\nSo, make sure that your blue team has detections for this in place and is able to distinguish noise from actual attacks.\r\nThere are many variations attackers can use, so be on the lookout.\r\nThe MITRE ATT\u0026CK framework also covers this via T1411. The details of the TTP include a couple of real-world examples of malware doing local phishing attacks.\r\nIn Windows one used to have to press CTRL+ALT+DEL on the login screen to prevent some of these attacks, but these days it’s possible to just spoof the entire login screen by writing a custom credential provider.\r\nConclusion\r\nThis was an overview of three common post-exploitation credential stealing techniques that red teams and blue teams should be aware of and test for, to ensure you can detect adversaries misusing them.\r\nCheers, @wunderwuzzi23\r\nAlso, if you found this interesting, check out my book about Red Teaming.\r\nSource: https://embracethered.com/blog/posts/2021/spoofing-credential-dialogs/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://embracethered.com/blog/posts/2021/spoofing-credential-dialogs/"
	],
	"report_names": [
		"spoofing-credential-dialogs"
	],
	"threat_actors": [],
	"ts_created_at": 1775434722,
	"ts_updated_at": 1775791249,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c0c87f3b36afba58545bb39a9f3dbe3e41047a31.pdf",
		"text": "https://archive.orkl.eu/c0c87f3b36afba58545bb39a9f3dbe3e41047a31.txt",
		"img": "https://archive.orkl.eu/c0c87f3b36afba58545bb39a9f3dbe3e41047a31.jpg"
	}
}