-file not working in an -encodedcommand

Hi,

I am writing the below to do some testing. When I encode this part of the command it fails. I’m not sure why.

Any help would be much appreciated.

powershell.exe -executionpolicy bypass -nologo -encodedCommand LQBmAGkAbABlACAAQwA6AFwAVQBzAGUAcgBzAFwAUAB1AGIAbABpAGMAXABUAHIAaQBnAGcAZQByAF8AQQBXAFMAXwB2ADcALgBwAHMAMQA=
powershell.exe : -file : The term '-file' is not recognized as the name of a cmdlet, function, script file, or operable program. Check 
At line:1 char:1

So, that’s ‘interesting’. I can say I haven’t worked with encoded commands, but this is a workaround.


powershell -command invoke-expression .\test.ps1
hello world
$text="invoke-expression .\test.ps1"
[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($text), 'InsertLineBreaks')
aQBuAHYAbwBrAGUALQBlAHgAcAByAGUAcwBzAGkAbwBuACAALgBcAHQAZQBzAHQALgBwAHMAMQA=
C:\TEST>powershell -encodedcommand aQBuAHYAbwBrAGUALQBlAHgAcAByAGUAcwBzAGkAbwBuACAALgBcAHQAZQBzAHQALgBwAHMAMQA=
hello world

FYI…

Encoded commands in an enterprise environment are frowned on and mostly never allowed, because this is what hackers use to make their efforts. Encoded strings never remain encoded anyway, especially if PowerShell auditing / logging is enabled. It will decode it and it will show as plain text in the logs / audit reports.

So, doing this as a learning effort is cool and all; doing it to try and protect your code from modification, maybe; doing it to prevent your code from being captured / read / reused by someone else, well, it’s not effective / easily reversed.

It’s more prudent to use PS2EXE and the like to achieve the aforementioned, depending on your overall goals / needs.

I totally agree. The reason for my testing is, our EDR product can search the customers’ estate and look for PowerShell commands/scripts that are being run. I have written a test workflow where a Word macro will download a VB script from AWS, which will download a PowerShell script from AWS and run it. I actually wanted to put this command in the VB script, but it failed. I then went to test it within PowerShell itself and realised it didn’t work, hence the question.

These files just trigger fake detections allowing me to show the customers what is going on. If the customer has restrictions in place then that is fantastic, if not, I can explain why it is bad.


Ah, Roger that!

You don’t need to use -file in the encoded command, if you do so then it becomes

PS> -file c:\temp\bla.ps1

You need to only encode c:\temp\bla.ps1
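To make the last reply concrete, here is an added example (not code from the thread) that decodes the string from the question the way PowerShell does, shows why the text starts with a command named `-file`, and encodes the invocation form instead. The `c:\temp\bla.ps1` path is the placeholder from the reply; the log line at the end is constructed for the defender-side check.

```powershell
# -EncodedCommand carries Base64 of UTF-16LE script text, so decoding it
# shows exactly what the PowerShell parser will see.
function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Encoded)
    [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Encoded))
}

# Encode script text the same way (no InsertLineBreaks, so the result
# stays on one command line).
function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory)][string]$Command)
    [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($Command))
}

# The string from the question decodes to script text, not to a parameter list:
$fromQuestion = 'LQBmAGkAbABlACAAQwA6AFwAVQBzAGUAcgBzAFwAUAB1AGIAbABpAGMAXABUAHIAaQBnAGcAZQByAF8AQQBXAFMAXwB2ADcALgBwAHMAMQA='
ConvertFrom-EncodedCommand $fromQuestion
# Prints: -file C:\Users\Public\Trigger_AWS_v7.ps1
# The parser treats '-file' as a command name, hence "not recognized".

# What the encoded text should hold instead is an invocation of the script.
# The bare path from the reply also works; the call operator form is the
# same thing but survives spaces in the path.
$encoded = ConvertTo-EncodedCommand "& 'c:\temp\bla.ps1'"
"Encode this: $encoded"
# Usage: powershell.exe -NoLogo -EncodedCommand $encoded

# Defender check: pull the -EncodedCommand value out of a process-creation
# log line and show the plain text that auditing would record. Constructed sample.
$sampleLog = 'CommandLine: powershell.exe -executionpolicy bypass -nologo -encodedCommand ' + $fromQuestion
# -e, -ec and -en... prefixes are all accepted by powershell.exe; -executionpolicy
# is excluded because its next character is not whitespace or a 'c'/'n' prefix.
if ($sampleLog -match '-e(?:c|n\w*)?\s+([A-Za-z0-9+/=]{16,})') {
    "Decoded from log: " + (ConvertFrom-EncodedCommand $Matches[1])
}
```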