We were under attack and were able to find some IP addresses that were used to connect to us. Scanning those IPs revealed some PowerShell scripts.
I need to figure out a way to decode what is in the PowerShell scripts.
Below is a very small part of the code; can you help me decode it?
Generally PowerShell scripts are a mix of Base64 and Zip, but this should only be seen as a starting point.
Often you need to read through the code to see exactly what it is doing, because people do use some imaginative obfuscation techniques.
It's nearly impossible to decode a random extract though, as this looks like a variable assignment. That means the script could be adding it to something, using part of it, reversing it, etc.
With PowerShell it helps if you run it in a Linux VM (pwsh) so it is less likely to cause system damage, and insert Write-Host statements after each “function” takes place.
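A small triage helper for the Base64-plus-compression peeling the answer describes, added here as an example and not part of the original thread. It pulls long Base64-looking strings out of a script fragment and repeatedly strips Base64, UTF-16LE (the `-EncodedCommand` form) and gzip/zlib/raw-deflate layers until nothing more decodes; the snippet and the inner command are constructed for the example, not taken from the scripts in the question.

```python
import base64, gzip, re, zlib
B64_RE = re.compile(rb"^[A-Za-z0-9+/=]+$")
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # long Base64-looking runs in a script

def _try_b64(data):
    s = b"".join(data.split())  # tolerate line-wrapped blobs
    if len(s) < 8 or len(s) % 4 or not B64_RE.match(s):
        return None
    try:
        return base64.b64decode(s, validate=True)
    except ValueError:
        return None

def _try_utf16(data):
    # -EncodedCommand payloads are UTF-16LE: every odd byte of ASCII text is NUL
    if len(data) >= 4 and len(data) % 2 == 0 and not any(data[1::2]):
        return data.decode("utf-16-le").encode()
    return None

def _try_inflate(data):
    for wbits in (31, 15, -15):  # gzip header, zlib header, raw deflate
        try:
            return zlib.decompress(data, wbits)
        except zlib.error:
            pass
    return None

def peel_layers(blob, max_layers=10):
    """Return [(layer_name, decoded_bytes), ...] from outermost to innermost."""
    layers, cur = [], blob
    for _ in range(max_layers):
        for name, fn in (("base64", _try_b64), ("utf-16le", _try_utf16), ("deflate", _try_inflate)):
            out = fn(cur)
            if out is not None and out != cur:
                layers.append((name, out))
                cur = out
                break
        else:
            break  # no decoder applied: this is the innermost layer
    return layers

def decode_snippet(text):
    """Map each Base64-looking string found in a script fragment to its peeled layers."""
    return {m.group(0): peel_layers(m.group(0).encode()) for m in BLOB_RE.finditer(text)}

# Constructed sample: a benign command wrapped as gzip+Base64 in a variable assignment,
# and the same command as an -EncodedCommand (UTF-16LE+Base64) argument.
INNER = b"Write-Host 'constructed benign inner command'"
SNIPPET = ('$s = "%s"\n' % base64.b64encode(gzip.compress(INNER)).decode()
           + "powershell -EncodedCommand %s\n"
           % base64.b64encode(INNER.decode().encode("utf-16-le")).decode())
```

Run `decode_snippet(SNIPPET)` on the fragment you have; each blob maps to the chain of layers found, and the last tuple holds the innermost bytes to read through by hand.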