PowerShell Credential Objects with Plaintext Password
Detects PowerShell credential constructs that embed plaintext passwords, including ConvertTo-SecureString with -AsPlainText and [Net.NetworkCredential]::new() calls. Mirrors Snaffler rule KeepPsCredentials.
- Type: regex
- Engine: boost_regex
- Confidence: high
- Confidence justification: High confidence: ConvertTo-SecureString with -AsPlainText is the canonical PowerShell plaintext-password anti-pattern, explicitly warned against in Microsoft documentation. [Net.NetworkCredential]::new() with inline strings is equally specific.
- Jurisdictions: global
- Regulations: Criminal Code Act 1995 (Cth)
- Frameworks: CIS Controls, ISO 27001, NIST CSF, PCI-DSS
- Data categories: credentials, security
- Scope: specific
- Platform compatibility: Purview: Compatible, GCP DLP: Compatible, Macie: Compatible, Zscaler: Compatible, Palo Alto: Compatible, Netskope: Compatible
Pattern
ConvertTo-SecureString[\s\S]{0,80}-AsPlainText
Corroborative evidence keywords
ConvertTo-SecureString, -Force, Get-Credential, password, AsPlainText
Proximity: 300 characters
Should match
- $pw = ConvertTo-SecureString "P@ssw0rd1" -AsPlainText -Force — Classic PowerShell ConvertTo-SecureString with plaintext password and Force flag
- $cred = New-Object PSCredential("svcAdmin", (ConvertTo-SecureString "Hunter2" -AsPlainText -Force)) — PSCredential creation wrapping ConvertTo-SecureString plaintext
- [Net.NetworkCredential]::new("admin", "S3cr3tPass") — NetworkCredential constructor with inline username and password
- [System.Net.NetworkCredential]::new("user@corp.com", "TopS3cr3t") — Fully qualified System.Net.NetworkCredential constructor with plaintext password
Should not match
- Get-Credential — Get-Credential alone prompts interactively and contains no hardcoded password
- # Use Get-Credential for interactive prompts; avoid storing passwords in scripts — Security guidance comment with no actual password or SecureString conversion
Known false positives
- Security training or documentation examples showing the anti-pattern to avoid, containing sample command syntax without real passwords. Mitigation: Check for placeholder password values (password123, example, PLACEHOLDER) and documentation file types.
- Scripts that reference ConvertTo-SecureString with -AsPlainText to convert from an environment variable rather than a hardcoded literal. Mitigation: The environment variable form ($env:PASSWORD) is still a risk but lower severity than literal strings; flag for review.
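The following Python harness is an added example, not part of the rule definition. It runs the pattern shown above over the page's sample strings and applies the two false-positive mitigations as a triage step; it also shows that the single pattern printed here does not cover the NetworkCredential samples on its own. The `triage` function, the `ARGUMENT` helper regex, the result labels and the two constructed samples are assumptions of this example.

```python
import re

# Pattern copied verbatim from the page (this syntax behaves the same in Python's re).
PATTERN = re.compile(r"ConvertTo-SecureString[\s\S]{0,80}-AsPlainText")

# Assumption of this example: capture the value handed to ConvertTo-SecureString.
ARGUMENT = re.compile(r"""ConvertTo-SecureString\s+(?:-String\s+)?("[^"]*"|'[^']*'|\$[\w:{}.]+)""")
# Placeholder values named in the page's first false-positive mitigation.
PLACEHOLDERS = ("password123", "example", "placeholder")


def triage(text):
    """Return (matched, label) for one script fragment. Labels are hypothetical."""
    hit = PATTERN.search(text)
    if not hit:
        return (False, "no-match")
    arg = ARGUMENT.search(text, hit.start())
    if not arg:
        return (True, "review")        # piped or computed input, cannot classify
    value = arg.group(1)
    # Double-quoted PowerShell strings expand variables; single-quoted ones do not.
    expr = value[1:-1] if value.startswith('"') else value
    if expr.lower().startswith("$env:"):
        return (True, "env-variable")  # still a risk, lower severity per the page
    if expr.startswith("$"):
        return (True, "review")        # other variable: origin unknown
    if any(p in value.lower() for p in PLACEHOLDERS):
        return (True, "placeholder")   # likely documentation or training material
    return (True, "literal")           # hardcoded password, highest severity


SAMPLES = [
    # Taken from the page's "Should match" / "Should not match" lists.
    '$pw = ConvertTo-SecureString "P@ssw0rd1" -AsPlainText -Force',
    '$cred = New-Object PSCredential("svcAdmin", (ConvertTo-SecureString "Hunter2" -AsPlainText -Force))',
    '[Net.NetworkCredential]::new("admin", "S3cr3tPass")',
    'Get-Credential',
    '# Use Get-Credential for interactive prompts; avoid storing passwords in scripts',
    # Constructed for this example to exercise the two mitigations.
    'ConvertTo-SecureString $env:PASSWORD -AsPlainText -Force',
    'ConvertTo-SecureString "PLACEHOLDER" -AsPlainText -Force',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        matched, label = triage(sample)
        print(f"{'MATCH' if matched else 'skip ':5}  {label:12}  {sample}")
```

The NetworkCredential sample comes back as `no-match` because the pattern shown requires the literal `ConvertTo-SecureString`; covering that constructor needs a separate pattern.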