From a428941d645eb04ded14e8ca432f86068be0dfe4 Mon Sep 17 00:00:00 2001
From: "@" <@>
Date: Tue, 24 Nov 2020 12:42:31 -0600
Subject: [PATCH] PasswordVault Browser Cred extraction rule

---
 .../edge_or_ie_cred_extraction_w_pwsh.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 queries/windows/edge_or_ie_cred_extraction_w_pwsh.yml

diff --git a/queries/windows/edge_or_ie_cred_extraction_w_pwsh.yml b/queries/windows/edge_or_ie_cred_extraction_w_pwsh.yml
new file mode 100644
index 0000000..aa51aa9
--- /dev/null
+++ b/queries/windows/edge_or_ie_cred_extraction_w_pwsh.yml
@@ -0,0 +1,17 @@
+title: Edge or IE Credential Extraction with PowerShell
+description: Detects the extraction of Edge or Internet Explorer PasswordVault credentials with PowerShell.
+author: keyboardcrunch
+date: 24/11/2020
+modified:
+mitre:
+ tactic: Credential Access
+ technique: T1555
+ subtechnique: 003
+operating_system: windows
+query: SrcProcCmdScript ContainsCIS "Windows.Security.Credentials.PasswordVault" OR SrcProcCmdScript ContainsCIS "RetrievePassword"
+false_positives:
+ -
+tags:
+ -
+references:
+ - https://github.com/HanseSecure/credgrap_ie_edge
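Review bot: `subtechnique: 003` under `mitre:` is unquoted, so a YAML loader reads it as the integer 3 (octal in YAML 1.1), and any tooling that composes the ATT&CK id from technique and subtechnique will emit T1555.3 rather than T1555.003; quote it as `subtechnique: "003"`. The `false_positives:` and `tags:` lists each hold a single bare `-`, which parses as a one-element list containing null rather than an empty list, so a consumer iterating over them receives a None entry; use `false_positives: []` and `tags: []` or fill the entries. Because the query's second term `SrcProcCmdScript ContainsCIS "RetrievePassword"` fires independently of the first, any script that merely mentions that method name matches as readily as one referencing the PasswordVault class, so a `false_positives` entry describing legitimate administrative or credential-migration scripts that touch the vault would help triage. The `date` value `24/11/2020` is day-first; if the other rules in the same directory use a different format, this one should be aligned with them.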