title: Extracting Information with PowerShell
id: bd5971a7-626d-46ab-8176-ed643f694f68
status: experimental
author: frack113
date: 2021/12/19
description: |
  Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
  These can be files created by users to store their own credentials, shared credential stores for a group of individuals,
  configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md
logsource:
    product: windows
    category: ps_script
    definition: Script block logging must be enabled
detection:
    selection:
        ScriptBlockText|contains|all:
            - ls
            - ' -R'
            - 'select-string '
            - '-Pattern '
    condition: selection
falsepositives:
    - Unknown
level: medium
tags:
    - attack.credential_access
    - attack.t1552.001