Is there a way to pass credentials in an obfuscated way during process-creation?

[K0nne]

Hello,

it came to our attention that some monitoring passwords are logged in plaintext into the eventlog:

Is there a way to pass the credentials in an obfuscated way during process-creation to mitigate this problem?

[K0nne]

The original eventlog location is unknown so far, but we found another location:

[afeefghannam89]

rf/NC/830241

[LordHepipud]

I did some research on this topic and it is not that easy to resolve this issue. One way would be, to disable the logging to the PowerShell Eventlog, which catches all calls done.
However, for security monitoring, this log should remain to ensure that SIEM tools can fetch those logs and analyze the content to ensure no harmful code is executed.

For the Icinga for Windows log there is currently a test scenario developed to ensure that SecureString arguments are never dumped as objects into the EventLog. This will ship with v1.13.0.

To resolve this issue, my suggestion is to use the Icinga Agent with the "ifw-api" Feature.

By doing so, the Icinga Agent will execute all calls directly toward the Icinga for Windows API, not creating a new PowerShell process. Therefore, the call is not logged inside the EventLog but still executed with the provided arguments,