ConvertTo-SecureString Cmdlet Usage Via CommandLine
Detects usage of the "ConvertTo-SecureString" cmdlet via the commandline. Which is fairly uncommon and could indicate potential suspicious activity
Sigma rule (View on GitHub)
1title: ConvertTo-SecureString Cmdlet Usage Via CommandLine
2id: 74403157-20f5-415d-89a7-c505779585cf
3status: test
4description: Detects usage of the "ConvertTo-SecureString" cmdlet via the commandline. Which is fairly uncommon and could indicate potential suspicious activity
5references:
6 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65
7 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7.3#examples
8author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
9date: 2020/10/11
10modified: 2023/02/01
11tags:
12 - attack.defense_evasion
13 - attack.t1027
14 - attack.execution
15 - attack.t1059.001
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection_img:
21 - Image|endswith:
22 - '\powershell.exe'
23 - '\pwsh.exe'
24 - OriginalFileName:
25 - 'PowerShell.EXE'
26 - 'pwsh.dll'
27 selection_cli:
28 CommandLine|contains: 'ConvertTo-SecureString'
29 condition: all of selection_*
30falsepositives:
31 - Legitimate use to pass password to different powershell commands
32level: medium
References
-
PowerShell is the favorit tool of IT guys, who are responsible for administration of Windows infrastructures. It allows them to manage differen services of the operating system and automate almost anything. But along with administrators, PowerShell also is liked by attackers and malware authors. The reason PowerShell is so attractive for adversaries is quite obvious: it has been included in essentially every Windows operating system by default for a decade, provides access to Windows API, and is rarely constrained, thus allowing adversaries to perform different tasks without risking being blocked. ttackers can use PowerShell to direct the execution of a local script, retrieve and execute remote resources using various network protocols, encode payloads passed via the command line, or load PowerShell into other processes. Because of so prevalence of PowerShell among adversaries for Threat Hunters it is very important to be able to detect malicious uses of PowerShell and defend against it. In the presentation author is going to demostrate an approaches for detection of PowerShell abuses based on different event sources like native Windows logging capabilities as well as usage of additional tools, like Sysmon or EDR solutions. How to collect traces of using PowerShell, how to filter out false positives, and how to find evidence of malicious uses among the remaining after filtering volume of events — all these questions will be answered in the talk for present and future threat hunters.
Read More -
The ConvertTo-SecureString cmdlet converts encrypted standard strings into secure strings. It can also convert plain text to secure strings. It is used with ConvertFrom-SecureString and Read-Host. The secure string created by the cmdlet can be used with cmdlets or functions that require a parameter of type SecureString. The secure string can be converted back to an encrypted, standard string using the ConvertFrom-SecureString cmdlet. This enables it to be stored in a file for later use. If the standard string being converted was encrypted with ConvertFrom-SecureString using a specified key, that same key must be provided as the value of the Key or SecureKey parameter of the ConvertTo-SecureString cmdlet. Note Note that per DotNet, the contents of a SecureString are not encrypted on non-Windows systems.
Read More
Related rules
- Invoke-Obfuscation CLIP+ Launcher - Security
- Invoke-Obfuscation COMPRESS OBFUSCATION
- Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell
- Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module
- Invoke-Obfuscation COMPRESS OBFUSCATION - Security