ConvertTo-SecureString Cmdlet Usage Via CommandLine

calendar Aug 12, 2024 · attack.defense-evasion attack.t1027 attack.execution attack.t1059.001  ·
Share on: linkedin copy

Detects usage of the "ConvertTo-SecureString" cmdlet via the commandline. Which is fairly uncommon and could indicate potential suspicious activity

Sigma rule (View on GitHub)

 1title: ConvertTo-SecureString Cmdlet Usage Via CommandLine
 2id: 74403157-20f5-415d-89a7-c505779585cf
 3status: test
 4description: Detects usage of the "ConvertTo-SecureString" cmdlet via the commandline. Which is fairly uncommon and could indicate potential suspicious activity
 5references:
 6    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65
 7    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7.3#examples
 8author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
 9date: 2020-10-11
10modified: 2023-02-01
11tags:
12    - attack.defense-evasion
13    - attack.t1027
14    - attack.execution
15    - attack.t1059.001
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection_img:
21        - Image|endswith:
22              - '\powershell.exe'
23              - '\pwsh.exe'
24        - OriginalFileName:
25              - 'PowerShell.EXE'
26              - 'pwsh.dll'
27    selection_cli:
28        CommandLine|contains: 'ConvertTo-SecureString'
29    condition: all of selection_*
30falsepositives:
31    - Legitimate use to pass password to different powershell commands
32level: medium

References

  • Hunting for PowerShell Abuse

    PowerShell is the favorit tool of IT guys, who are responsible for administration of Windows infrastructures. It allows them to manage differen services…


    Read More

  • ConvertTo-SecureString (Microsoft.PowerShell.Security) - PowerShell

    The ConvertTo-SecureString cmdlet converts encrypted standard strings into secure strings. It can also convert plain text to secure strings. It is used with ConvertFrom-SecureString and Read-Host. The secure string created by the cmdlet can be used with cmdlets or functions that require a parameter of type SecureString. The secure string can be converted back to an encrypted, standard string using the ConvertFrom-SecureString cmdlet. This enables it to be stored in a file for later use. If the standard string being converted was encrypted with ConvertFrom-SecureString using a specified key, that same key must be provided as the value of the Key or SecureKey parameter of the ConvertTo-SecureString cmdlet. Note Note that per DotNet, the contents of a SecureString are not encrypted on non-Windows systems.


    Read More

Related rules

to-top