A new PowerShell script was posted on Github recently that prompts a victim to enter their login credentials, checks if they are correct, and then sends the credentials to a remote server. This allows an attacker to distribute the script and harvest domain login credentials from their victims.
This Github script utilizes the Get-Credential PowerShell cmdlet to display the login prompt that asks the user to enter their credentials. When the user enters their credentials, the script will try to use them to authenticate to the victim’s domain, and if successful, will send the credentials to a remote server. If the entered credentials are incorrect, the script will keep prompting the user to enter their credentials.
At this point the only way to terminate the prompt, is to open Task Manager, look for a process called “Windows PowerShell”, and then terminate it.
Thankfully, the login prompt displayed by this particular script makes it easy to spot as the alert will be titled “Windows PowerShell credential request” and will contain a blue ribbon with a set of keys as shown below.
After posting this article was posted, I was alerted by a reader that this attack method is not new at all. It turns out it was covered by Matt Nelson, otherwise known as enigma0x3 and one of the creators of the Empire PowerShell post-exploitation kit. His script, took it a bit further by allowing the title box of the login prompt to be changed so that it is more convincing to the user.
For example, below we created a prompt that pretends to be Windows…