LetsDefend Monitoring Alert

Attempt to Steal Credentials from the PowerShell History

Mar, 18, 2024, 08:52 AM

Event ID: 239

Event Time: Mar, 18, 2024, 08:52 AM

Rule Name: SOC267 - Attempt to Steal Credentials from the PowerShell History

Alert Type: C2

MITRE Techniques:
T1059.001 - Execution - Command and Scripting Interpreter: PowerShell
T1071 - Command and Control - Application Layer Protocol
T1552.001 - Credential Access - Unsecured Credentials: Credentials In Files
T1204.002 - Execution - User Execution: Malicious File
T1566.002 - Initial Access - Phishing: Spearphishing Link

Severity: High
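The two checks a responder would run on this alert, as an added example that is not part of the LetsDefend alert page: first, flag process command lines that read the PSReadLine history file (the default path is %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt, also reachable via (Get-PSReadlineOption).HistorySavePath), which is the T1552.001 theft itself; second, scan the history file's contents for commands that carry plaintext credentials, which tells you what to rotate. It assumes process-creation telemetry with full command lines (Sysmon Event ID 1 or Security 4688) is available; the command lines and history contents below are constructed samples, not data from the alert.

```python
import re

# Constructed sample process-creation command lines (not from the alert page).
# Three of the four touch the PSReadLine history file; the third is benign.
SAMPLE_COMMAND_LINES = [
    r'powershell.exe -NoP -W Hidden -c "Get-Content (Get-PSReadlineOption).HistorySavePath"',
    r'cmd.exe /c type %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt',
    r'powershell.exe -c "Get-Process | Out-File C:\temp\procs.txt"',
    r'powershell.exe -c Get-Content C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt',
]

# Constructed sample contents of a ConsoleHost_history.txt file (not real credentials).
SAMPLE_HISTORY = r"""Get-ChildItem C:\Users
net use \\fileserver\share /user:CORP\svc_backup Summer2023!
$pw = ConvertTo-SecureString "P@ssw0rd123" -AsPlainText -Force
Invoke-WebRequest https://intranet.local/report
Set-ADAccountPassword -Identity jdoe -NewPassword (ConvertTo-SecureString 'Welcome1' -AsPlainText -Force)
"""

# Indicators that a command line reads the PowerShell history file.
HISTORY_ACCESS_PATTERNS = {
    "history_file": re.compile(r"ConsoleHost_history\.txt", re.I),
    "psreadline_dir": re.compile(r"\\PSReadLine\\", re.I),
    "history_path_cmdlet": re.compile(r"HistorySavePath", re.I),
}

# Command shapes that typically carry a plaintext credential in history.
CREDENTIAL_PATTERNS = {
    "securestring_plaintext": re.compile(r"-AsPlainText", re.I),
    "net_use_password": re.compile(r"/user:\S+\s+\S+", re.I),
    "password_assignment": re.compile(r"(password|passwd|pwd)\s*[:=]\s*\S+", re.I),
}


def flag_history_access(command_lines):
    """Return [(command_line, [indicator names])] for lines that read PSReadLine history."""
    hits = []
    for cmd in command_lines:
        matched = [name for name, rx in HISTORY_ACCESS_PATTERNS.items() if rx.search(cmd)]
        if matched:
            hits.append((cmd, matched))
    return hits


def find_exposed_credentials(history_text):
    """Return [(line_number, line, [pattern names])] for history lines that expose a credential.

    Line numbers are 1-based; blank lines are skipped so numbering matches the file.
    """
    exposed = []
    for lineno, line in enumerate(history_text.splitlines(), start=1):
        if not line.strip():
            continue
        matched = [name for name, rx in CREDENTIAL_PATTERNS.items() if rx.search(line)]
        if matched:
            exposed.append((lineno, line, matched))
    return exposed


if __name__ == "__main__":
    print("Processes reading PowerShell history:")
    for cmd, names in flag_history_access(SAMPLE_COMMAND_LINES):
        print(f"  [{', '.join(names)}] {cmd}")
    print("History lines exposing credentials (rotate these):")
    for lineno, line, names in find_exposed_credentials(SAMPLE_HISTORY):
        print(f"  line {lineno} [{', '.join(names)}]: {line}")
```

The process-level check is the detection that fires this rule class; the history-content check is the scoping step, since every credential that appears in a history file the attacker read must be treated as compromised. Clearing the file after the fact does not help; the history was already exfiltrated if the process also made outbound connections (the T1071 item on this alert).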


2025 © LetsDefend
