rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml

title: Extracting Information with PowerShell
id: bd5971a7-626d-46ab-8176-ed643f694f68
status: test
description: |
    Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
    These can be files created by users to store their own credentials, shared credential stores for a group of individuals,
    configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
author: frack113
date: 2021-12-19
modified: 2022-12-25
tags:
    - attack.credential-access
    - attack.t1552.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - ls
            - ' -R'
            - 'select-string '
            - '-Pattern '
    condition: selection
falsepositives:
    - Unknown
level: medium
$frack113$ Windows Redcannary 2021-12-19 11:20:42 +01:00			`title: Extracting Information with PowerShell`
			`id: bd5971a7-626d-46ab-8176-ed643f694f68`
$frack113$ Promotion rules (#3821 ) 2022-12-27 12:29:10 +01:00			`status: test`
$frack113$ Windows Redcannary 2021-12-19 11:20:42 +01:00			`description: \|`
Update Ref+Selection 2022-07-11 14:11:53 +01:00			`Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.`
			`These can be files created by users to store their own credentials, shared credential stores for a group of individuals,`
			`configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.`
$frack113$ Windows Redcannary 2021-12-19 11:20:42 +01:00			`references:`
Update Ref+Selection 2022-07-11 14:11:53 +01:00			`- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md`
$frack113$ Order yaml field 2022-10-26 09:43:39 +02:00			`author: frack113`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`date: 2021-12-19`
			`modified: 2022-12-25`
$frack113$ Order yaml field 2022-10-26 09:43:39 +02:00			`tags:`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`- attack.credential-access`
$frack113$ Order yaml field 2022-10-26 09:43:39 +02:00			`- attack.t1552.001`
$frack113$ Windows Redcannary 2021-12-19 11:20:42 +01:00			`logsource:`
			`product: windows`
			`category: ps_script`
feat: updates and enhancements 2023-01-04 17:49:32 +01:00			`definition: 'Requirements: Script Block Logging must be enabled'`
$frack113$ Windows Redcannary 2021-12-19 11:20:42 +01:00			`detection:`
			`selection:`
			`ScriptBlockText\|contains\|all:`
			`- ls`
			`- ' -R'`
			`- 'select-string '`
			`- '-Pattern '`
			`condition: selection`
			`falsepositives:`
			`- Unknown`
			`level: medium`