Recently I started a security course on edx.org which, in one of its topics, covered PowerShell command obfuscation.
To see how it is done, look at the PowerShell command-line help (powershell.exe /?), right at the end, where the -EncodedCommand parameter is explained:
# To use the -EncodedCommand parameter:
$command = 'dir "c:\program files" '
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommand = [Convert]::ToBase64String($bytes)
powershell.exe -encodedCommand $encodedCommand
So, for example, if you wanted to encode the domain name I am writing from, you would type the command below; the second line is the result. Note that the encoding has to be Unicode (UTF-16LE), which is what the -EncodedCommand parameter expects, and that the single quotes inside the double quotes become part of the encoded string:
PS C:\Windows\system32> [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("'virtualization.ro'"))
JwB2AGkAcgB0AHUAYQBsAGkAegBhAHQAaQBvAG4ALgByAG8AJwA=
To decode the value again in PowerShell, reverse the two steps, passing the encoded value obtained above as the parameter. Use the same Unicode encoding for the decode; decoding the bytes as UTF8 instead leaves a null character after every letter:
PS C:\Windows\system32> [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('JwB2AGkAcgB0AHUAYQBsAGkAegBhAHQAaQBvAG4ALgByAG8AJwA='))
'virtualization.ro'
Finally, to run the encoded command, pass the encoded value to -EncodedCommand (which can be abbreviated to -ec or -e). Since the encoded text is only the string literal 'virtualization.ro', this starts a child PowerShell that prints virtualization.ro and exits:
PS C:\Windows\system32> powershell.exe -ec JwB2AGkAcgB0AHUAYQBsAGkAegBhAHQAaQBvAG4ALgByAG8AJwA=
Keep in mind that this is encoding rather than real obfuscation: the value decodes in a single step, a Base64 argument after -EncodedCommand is one of the most common things defenders search for in process command lines, and with Script Block Logging enabled PowerShell records the decoded script anyway (event ID 4104 in the Microsoft-Windows-PowerShell/Operational log).
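The following is an added example, not code from the original post: it wraps the encode and decode steps above in two functions and then does what a defender would do with them, pulling the encoded argument out of process command lines and decoding it. The function names are my own, and the sample command lines are constructed for illustration (the first one reuses the encoded value from the post).

```powershell
# Added example (not from the original post): encode a command the way
# -EncodedCommand expects it, and extract/decode such commands from command lines.
# Function names are assumptions; sample command lines below are constructed.

function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory)][string]$Command)
    # -EncodedCommand takes Base64 of the UTF-16LE ("Unicode") bytes, not UTF-8.
    [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($Command))
}

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Encoded)
    # Decoding with the wrong encoding (e.g. UTF8) leaves a NUL after every character.
    [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Encoded))
}

function Get-EncodedCommandFromCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)
    # powershell.exe accepts -EncodedCommand as well as the short forms -e, -ec and -enc,
    # and switches may be written with a leading slash. Require a Base64-looking argument.
    $pattern = '(?i)(?:^|\s)[-/](?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})'
    $match = [regex]::Match($CommandLine, $pattern)
    if (-not $match.Success) { return $null }

    $encoded = $match.Groups[1].Value
    try {
        $decoded = ConvertFrom-EncodedCommand -Encoded $encoded
    } catch {
        # Not valid Base64 after all; treat it as no encoded command.
        return $null
    }
    [pscustomobject]@{
        CommandLine = $CommandLine
        Encoded     = $encoded
        Decoded     = $decoded
    }
}

# Constructed sample command lines, as they would appear in process-creation telemetry.
$sampleCommandLines = @(
    # the value from the post above, passed with the short switch
    'powershell.exe -ec JwB2AGkAcgB0AHUAYQBsAGkAegBhAHQAaQBvAG4ALgByAG8AJwA=',
    # a longer one-liner behind the switches typically seen alongside -enc
    ('powershell.exe -NoP -NonI -W Hidden -Enc ' +
        (ConvertTo-EncodedCommand -Command 'Get-Process | Select-Object -First 3')),
    # no encoded command at all: must be ignored
    'powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1'
)

$sampleCommandLines |
    ForEach-Object { Get-EncodedCommandFromCommandLine -CommandLine $_ } |
    Where-Object { $_ -ne $null } |
    Format-List
```

The first sample decodes to 'virtualization.ro' including the quotes, which is why the post's decode step shows them; the second decodes to the Get-Process pipeline; the third produces nothing because -ExecutionPolicy is not followed by whitespace after the "e" and -File is not an encoded-command switch. The regex deliberately requires a Base64-looking argument so that other switches starting with "e" do not trigger it.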