title: PowerShell Credential Prompt
status: experimental
description: Detects PowerShell calling a credential prompt
references:
    - https://twitter.com/JohnLaTwC/status/850381440629981184
    - https://t.co/ezOTGy1a1G
tags:
    - attack.execution
    - attack.credential_access    
    - attack.t1086
author: John Lambert (idea), Florian Roth (rule)
logsource:
    product: windows
    service: powershell
    description: 'Script block logging must be enabled'
detection:
    selection:
        EventID: 4104
    keyword:
        - 'PromptForCredential'
    condition: all of them
falsepositives:
    - Unknown
level: high