Techniques
Sample rules
ConvertTo-SecureString Cmdlet Usage Via CommandLine
- source: sigma
- techniques:
  - t1027
  - t1059
  - t1059.001
Description
Detects usage of the “ConvertTo-SecureString” cmdlet via the command line, which is fairly uncommon and could indicate potential suspicious activity.
Detection logic
condition: all of selection_*
selection_cli:
  CommandLine|contains: ConvertTo-SecureString
selection_img:
  - Image|endswith:
      - \powershell.exe
      - \pwsh.exe
  - OriginalFileName:
      - PowerShell.EXE
      - pwsh.dll
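
The detection logic above, applied to a few process-creation events, shows how the two selections combine. This is an added example, not part of the Sigma rule or project: the field names come from the rule, while the helper functions and the sample events are constructed for illustration.

```python
# Added example: the rule's detection logic applied to constructed events.
# Field names come from the rule; helper names and events are hypothetical.

def _ci(value):
    # Sigma string matching is case-insensitive by default.
    return (value or "").lower()

def selection_img(event):
    # A list of maps inside one selection is an OR across its entries,
    # so a renamed binary still matches through OriginalFileName.
    image = _ci(event.get("Image"))
    original = _ci(event.get("OriginalFileName"))
    return (
        image.endswith(("\\powershell.exe", "\\pwsh.exe"))
        or original in ("powershell.exe", "pwsh.dll")
    )

def selection_cli(event):
    return "convertto-securestring" in _ci(event.get("CommandLine"))

def rule_matches(event):
    # condition: all of selection_*
    return selection_img(event) and selection_cli(event)

# Constructed process-creation events (not real telemetry).
EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -Command $s = ConvertTo-SecureString 'example' -AsPlainText -Force"},
    {"Image": r"C:\Users\Public\updater.exe",  # renamed copy of PowerShell
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "updater.exe -Command $s = convertto-securestring $blob -Key $k"},
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "OriginalFileName": "pwsh.dll",
     "CommandLine": "pwsh.exe -Command Get-ChildItem C:\\Temp"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": r"notepad.exe C:\Notes\ConvertTo-SecureString.txt"},
]

def evaluate(events=EVENTS):
    return [rule_matches(e) for e in events]

if __name__ == "__main__":
    for event, hit in zip(EVENTS, evaluate()):
        print("MATCH   " if hit else "no match", event["Image"])
```

The second event matches only because `OriginalFileName` is checked alongside `Image`; the fourth does not match because the string appears in the command line of a non-PowerShell process.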