ConvertTo-SecureString Cmdlet Usage Via CommandLine

Detects usage of the "ConvertTo-SecureString" cmdlet via the commandline. Which is fairly uncommon and could indicate potential suspicious activity

Sigma rule (View on GitHub)

 1title: ConvertTo-SecureString Cmdlet Usage Via CommandLine
 2id: 74403157-20f5-415d-89a7-c505779585cf
 3status: test
 4description: Detects usage of the "ConvertTo-SecureString" cmdlet via the commandline. Which is fairly uncommon and could indicate potential suspicious activity
 5references:
 6    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65
 7    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7.3#examples
 8author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
 9date: 2020-10-11
10modified: 2023-02-01
11tags:
12    - attack.defense-evasion
13    - attack.t1027
14    - attack.execution
15    - attack.t1059.001
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection_img:
21        - Image|endswith:
22              - '\powershell.exe'
23              - '\pwsh.exe'
24        - OriginalFileName:
25              - 'PowerShell.EXE'
26              - 'pwsh.dll'
27    selection_cli:
28        CommandLine|contains: 'ConvertTo-SecureString'
29    condition: all of selection_*
30falsepositives:
31    - Legitimate use to pass password to different powershell commands
32level: medium

References

Related rules

to-top