Forum Discussion

Bronze II

7 months ago

Solved

PowerShell Deobfuscation: Ep.8 - Stuck Halfway

I was working on Ep.8 of PowerShell Deob. Got stuck in second step. Step 1: Base64 & RAW Inflate (Twice) Step 2: Stuck with this weird looking code. Tried to run with PowerShell and received...

GusC
31 days ago
Try
Set-PSDebug -Trace 1
and put
Write-Output to the beginning of the script and then running it in a console.
you should then get a lot of CHAR output.
Put that in CyberChef and decode from there.
The labs change every time though as they use invoke obfuscation during vm spinup

PRABAKARANRAMAMURTHY

Bronze II

7 months ago

Hi netcat, how do we move forward with python/powershell for this?

netcat

Silver III

6 months ago

Well, start with "${ }". You know what this is, isn't it? And "+=", "${}", etc.?
If not, read the PowerShell specification, or play with in PowerShell to get an understanding what happens.

All in all, very ugly, but not impossible to decode.
I can't (well I could) post my decoder here, so can't really give details on how I did it.

Forum Discussion

PowerShell Deobfuscation: Ep.8 - Stuck Halfway

Featured Places

Help & Support Forum

Related Content

PowerShell Deobfuscation: Ep.9

PowerShell Deobfuscation: Ep 8 help

Assistance: PowerShell Deobfuscation: Ep.4 - Logical and Structural Obfuscation - Question 7

powershell-deobfuscation-ep-8

Powershell Deobsfuscation Ep.7

Recent Discussions

Trick or Treat on Specter Street: Ghost of the SOC

Trick or Treat on Specter Street: Manor of Madness

Trick or Treat on Specter Street: Phantom Pages

FIN7 Threat Hunting with Splunk: Ep.2 – Initial Access

Trick or Treat on Specter Street: Widow's Web