PowerShell Credential Prompt
Detects PowerShell calling a credential prompt
Sigma rule
title: PowerShell Credential Prompt
id: ca8b77a9-d499-4095-b793-5d5f330d450e
status: test
description: Detects PowerShell calling a credential prompt
references:
    - https://twitter.com/JohnLaTwC/status/850381440629981184
    - https://t.co/ezOTGy1a1G
author: John Lambert (idea), Florian Roth (Nextron Systems)
date: 2017-04-09
modified: 2022-12-25
tags:
    - attack.credential-access
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: 'PromptForCredential'
    condition: selection
falsepositives:
    - Unknown
level: high
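The rule's selection applied to Script Block Logging (Event ID 4104) records, as an added example that is not part of the rule or the Sigma project. It matches case-insensitively, as Sigma's `contains` modifier does, and also rejoins script blocks that were logged in several parts before matching. The sample events and the function names are constructed for illustration; the field names follow the 4104 event data.

```python
from collections import defaultdict

# The rule's selection value, lowercased because Sigma 'contains' ignores case.
KEYWORD = "promptforcredential"

# Constructed sample Event ID 4104 records; not real telemetry.
SAMPLE_EVENTS = [
    {"ScriptBlockId": "a1", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-ChildItem C:\\Temp"},
    {"ScriptBlockId": "b2", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "$c = $Host.UI.promptforcredential('Login', 'Enter password', '', '')"},
    # One script block logged in two parts, with the keyword cut at the boundary
    # and the parts arriving out of order.
    {"ScriptBlockId": "c3", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "ForCredential('Login', 'Enter password', '', '')"},
    {"ScriptBlockId": "c3", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "Write-Host 'starting'\n$c = $Host.UI.Prompt"},
]

def matches_rule(event):
    """Per-event check equivalent to the rule's selection."""
    return KEYWORD in event.get("ScriptBlockText", "").lower()

def reassemble(events):
    """Join multi-part script blocks by ScriptBlockId in MessageNumber order."""
    parts = defaultdict(dict)
    for ev in events:
        parts[ev["ScriptBlockId"]][ev["MessageNumber"]] = ev["ScriptBlockText"]
    return {
        block_id: {"ScriptBlockText": "".join(numbered[n] for n in sorted(numbered))}
        for block_id, numbered in parts.items()
    }

def detect(events):
    """Return (per_event_hits, reassembled_hits) as sorted ScriptBlockId lists."""
    per_event = sorted({e["ScriptBlockId"] for e in events if matches_rule(e)})
    joined = sorted(b for b, blk in reassemble(events).items() if matches_rule(blk))
    return per_event, joined

if __name__ == "__main__":
    per_event, joined = detect(SAMPLE_EVENTS)
    print("per-event hits:  ", per_event)
    print("reassembled hits:", joined)
```

Matching each event on its own reports only the single-part block, while matching after reassembly also reports the block whose text was split across two records.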
Related rules
- Certificate Exported Via PowerShell
- HackTool - CrackMapExec Execution
- Remote LSASS Process Access Through Windows Remote Management
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript