rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml

title: PowerShell Credential Prompt
id: ca8b77a9-d499-4095-b793-5d5f330d450e
status: test
description: Detects PowerShell calling a credential prompt
references:
    - https://twitter.com/JohnLaTwC/status/850381440629981184
    - https://t.co/ezOTGy1a1G
author: John Lambert (idea), Florian Roth (Nextron Systems)
date: 2017-04-09
modified: 2022-12-25
tags:
    - attack.credential-access
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: 'PromptForCredential'
    condition: selection
falsepositives:
    - Unknown
level: high
Rule: PowerShell credential prompt 2017-04-09 10:22:04 +02:00			`title: PowerShell Credential Prompt`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: ca8b77a9-d499-4095-b793-5d5f330d450e`
$frack113$ Promotion rules (#3821 ) 2022-12-27 12:29:10 +01:00			`status: test`
Rule: PowerShell credential prompt 2017-04-09 10:22:04 +02:00			`description: Detects PowerShell calling a credential prompt`
Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00			`references:`
Rule: PowerShell credential prompt 2017-04-09 10:22:04 +02:00			`- https://twitter.com/JohnLaTwC/status/850381440629981184`
			`- https://t.co/ezOTGy1a1G`
chore: add nextron authors tag 2023-02-01 11:14:59 +01:00			`author: John Lambert (idea), Florian Roth (Nextron Systems)`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`date: 2017-04-09`
			`modified: 2022-12-25`
Tagged windows powershell, other and malware rules. 2018-07-24 10:56:41 +02:00			`tags:`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`- attack.credential-access`
windows/powershell folder reviewed. Old ID’s marked with comment “an old one”. These ID’s have to be removed in future. 2020-08-24 00:01:50 +00:00			`- attack.execution`
Initial round of subtechnique updates 2020-06-16 14:46:08 -06:00			`- attack.t1059.001`
Rule: PowerShell credential prompt 2017-04-09 10:22:04 +02:00			`logsource:`
			`product: windows`
$frack113$ change to category: ps_script 2021-10-16 08:18:49 +02:00			`category: ps_script`
feat: updates and enhancements 2023-01-04 17:49:32 +01:00			`definition: 'Requirements: Script Block Logging must be enabled'`
Rule: PowerShell credential prompt 2017-04-09 10:22:04 +02:00			`detection:`
			`selection:`
$frack113$ fix EventID: 4104 ScriptBlockText 2021-08-04 14:49:50 +02:00			`ScriptBlockText\|contains: 'PromptForCredential'`
$frack113$ Update PS rules 2021-08-21 09:33:52 +02:00			`condition: selection`
$frack113$ Order yaml field 2022-10-26 09:43:39 +02:00			`falsepositives:`
Rule: PowerShell credential prompt 2017-04-09 10:22:04 +02:00			`- Unknown`
			`level: high`