Extracting Information with PowerShell
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Sigma rule (View on GitHub)
```yaml
title: Extracting Information with PowerShell
id: bd5971a7-626d-46ab-8176-ed643f694f68
status: test
description: |
    Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
    These can be files created by users to store their own credentials, shared credential stores for a group of individuals,
    configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
author: frack113
date: 2021-12-19
modified: 2022-12-25
tags:
    - attack.credential-access
    - attack.t1552.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - ls
            - ' -R'
            - 'select-string '
            - '-Pattern '
    condition: selection
falsepositives:
    - Unknown
level: medium
```
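To show what the rule's `ScriptBlockText|contains|all` selection actually fires on, here is an added Python evaluator (not part of the Sigma project or of this rule) that applies the selection to constructed Script Block Logging text; it implements the `contains` modifier with and without `all`, which is slightly more general than this one rule, and the sample events are invented.

```python
# Added example: apply the rule's selection to constructed PowerShell
# Script Block Logging text (ScriptBlockText). Not Sigma project code.
# Handles the `contains` modifier with and without `all`, which covers
# this rule and is slightly more general than it.

# Copied from the rule's `detection.selection` block.
SELECTION = {
    "ScriptBlockText|contains|all": ["ls", " -R", "select-string ", "-Pattern "],
}

def selection_matches(selection: dict, event: dict) -> bool:
    """Return True when every field in the selection matches the event.

    Sigma string matching is case-insensitive by default, so both the
    event value and the rule values are lower-cased before comparison.
    `contains|all` requires every listed value; plain `contains` needs one.
    """
    for key, values in selection.items():
        field, *modifiers = key.split("|")
        if "contains" not in modifiers:
            raise ValueError(f"unsupported modifiers for {field}: {modifiers}")
        haystack = str(event.get(field, "")).lower()
        if isinstance(values, str):
            values = [values]
        hits = [v.lower() in haystack for v in values]
        if not (all(hits) if "all" in modifiers else any(hits)):
            return False
    return True

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # Recursive credential-file search of the kind the rule targets: all four values present.
    {"id": 1, "ScriptBlockText": "ls -R C:\\Users | select-string -Pattern password"},
    # Same command with different casing: still matches (case-insensitive).
    {"id": 2, "ScriptBlockText": "LS -r . | Select-String -pattern 'pwd'"},
    # Recursive listing only: two of four values, so no match.
    {"id": 3, "ScriptBlockText": "ls -R C:\\logs | Measure-Object"},
    # Pattern search without a recursive listing: no match.
    {"id": 4, "ScriptBlockText": "Get-Content app.log | select-string -Pattern ERROR"},
]

def matching_event_ids(events, selection=SELECTION):
    """IDs of the events the selection fires on (condition: selection)."""
    return [e["id"] for e in events if selection_matches(selection, e)]

if __name__ == "__main__":
    print("alerting events:", matching_event_ids(SAMPLE_EVENTS))  # [1, 2]
```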
References
Related rules
- Active Directory Database Snapshot Via ADExplorer
- Automated Collection Command Prompt
- Azure Key Vault Modified or Deleted
- Azure Keyvault Key Modified or Deleted
- Azure Keyvault Secrets Modified or Deleted