diff --git a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml index 8d8f5e5b1..deb2bc9dd 100644 --- a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml +++ b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/16" maturity = "production" -updated_date = "2020/11/16" +updated_date = "2021/02/08" [rule] author = ["Elastic"] @@ -25,7 +25,8 @@ tags = ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"] type = "eql" query = ''' -process where event.type in ("start", "process_started") and process.name:"osascript" and process.args:"-e" and process.args:"password" +process where event.type in ("start", "process_started") and process.name : "osascript" and + process.command_line : "osascript*display dialog*password*" ''' @@ -35,10 +36,14 @@ framework = "MITRE ATT&CK" id = "T1056" name = "Input Capture" reference = "https://attack.mitre.org/techniques/T1056/" +[[rule.threat.technique.subtechnique]] +id = "T1056.002" +name = "GUI Input Capture" +reference = "https://attack.mitre.org/techniques/T1056/002/" + [rule.threat.tactic] id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" -
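Review bot: The new `process.command_line` pattern in the second hunk is anchored at the start of the string, so a command line that begins with the interpreter's full path rather than the bare word `osascript` would likely fall outside the match even though the `process.name : "osascript"` clause still holds. A leading wildcard keeps the rule tolerant of that, e.g. `process.command_line : "*osascript*display dialog*password*"`, or the `osascript` prefix can be dropped entirely since `process.name` already pins the binary. The replaced `process.args` clauses matched whole arguments, whereas the wildcard form is a substring match over the entire command line; a one-line comment above `query`, such as `# Wildcard match on the full command line: flags "display dialog" scripts that mention "password"`, would make that intent explicit for the next maintainer.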