title: PowerShell Credential Prompt
ruletype: Sigma
author: John Lambert (idea), Florian Roth (rule)
date: 2017/04/09
description: Detects PowerShell calling a credential prompt
detection:
  SELECTION_1:
    ScriptBlockText: '*PromptForCredential*'
  condition: SELECTION_1
falsepositives:
- Unknown
id: ca8b77a9-d499-4095-b793-5d5f330d450e
level: high
logsource:
  category: ps_script
  definition: Script block logging must be enabled
  product: windows
modified: 2021/10/16
references:
- https://twitter.com/JohnLaTwC/status/850381440629981184
- https://t.co/ezOTGy1a1G
status: experimental
tags:
- attack.credential_access
- attack.execution
- attack.t1059.001
- attack.t1086