Extracting Information with PowerShell
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Sigma rule (View on GitHub)
1title: Extracting Information with PowerShell
2id: bd5971a7-626d-46ab-8176-ed643f694f68
3status: test
4description: |
5 Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
6 These can be files created by users to store their own credentials, shared credential stores for a group of individuals,
7 configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
8references:
9 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
10author: frack113
11date: 2021/12/19
12modified: 2022/12/25
13tags:
14 - attack.credential_access
15 - attack.t1552.001
16logsource:
17 product: windows
18 category: ps_script
19 definition: 'Requirements: Script Block Logging must be enabled'
20detection:
21 selection:
22 ScriptBlockText|contains|all:
23 - ls
24 - ' -R'
25 - 'select-string '
26 - '-Pattern '
27 condition: selection
28falsepositives:
29 - Unknown
30level: medium
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- Suspicious Unattend.xml File Access
- Credentials In Files
- Dump Credentials from Windows Credential Manager With PowerShell
- Enumerate Credentials from Windows Credential Manager With PowerShell
- Transferring Files with Credential Data via Network Shares - Zeek