-file not working in an -encodedcommand

This topic contains 5 replies, has 4 voices, and was last updated by Senior Moderator 4 weeks ago.

  • #166630

    Participant
    Topics: 1
    Replies: 1
    Points: 14
    Rank: Member

    Hi,

    I am writing the below to do some testing. When I encode this part of the command it fails. I'm not sure why.

    Any help would be much appreciated.

    powershell.exe -executionpolicy bypass -nologo -encodedCommand LQBmAGkAbABlACAAQwA6AFwAVQBzAGUAcgBzAFwAUAB1AGIAbABpAGMAXABUAHIAaQBnAGcAZQByAF8AQQBXAFMAXwB2ADcALgBwAHMAMQA=
    powershell.exe : -file : The term '-file' is not recognized as the name of a cmdlet, function, script file, or operable program. Check 
    At line:1 char:1
  • #166678

    Participant
    Topics: 1
    Replies: 59
    Points: 321
    Helping Hand
    Rank: Contributor

    So, that's 'interesting'. I can say I haven't worked with encoded commands, but this is a workaround.

    powershell -command invoke-expression .\test.ps1
    hello world
    $text="invoke-expression .\test.ps1"
    [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($text), 'InsertLineBreaks')
    aQBuAHYAbwBrAGUALQBlAHgAcAByAGUAcwBzAGkAbwBuACAALgBcAHQAZQBzAHQALgBwAHMAMQA=
    C:\TEST>powershell -encodedcommand aQBuAHYAbwBrAGUALQBlAHgAcAByAGUAcwBzAGkAbwBuACAALgBcAHQAZQBzAHQALgBwAHMAMQA=
    hello world
    
  • #166822

    Participant
    Topics: 2
    Replies: 999
    Points: 1,946
    Helping Hand
    Rank: Community Hero

    FYI...

    Encoded commands in an enterprise environment are frowned on and mostly never allowed, because this is what hackers use to make their efforts. Encoded strings never remain encoded anyway, especially if PowerShell auditing / logging is enabled. It will decode them and they will show as plain text in the logs / audit reports.

    So, doing this as a learning effort is cool and all; doing it to try and protect your code from modification, maybe; doing it to prevent your code from being captured / read / reused by someone else, well, it's not effective / easily reversed.

    It's more prudent to use PS2EXE and the like to achieve the aforementioned, depending on your overall goals / needs.
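
The point made above, that an encoded command is plain text to anyone who looks at the logs, is easy to show from the defender's side. The following is an added example, not code posted in this thread: given process command lines of the kind a process-creation audit event or EDR telemetry records, it finds the -EncodedCommand argument in any of the short forms powershell.exe accepts (-EncodedCommand, -ec, -enc, -e), Base64-decodes it from UTF-16LE, and returns the plaintext for review. The log lines are constructed for the demo; the two encoded payloads are the ones posted earlier in this thread, and the function name Get-DecodedCommandLine is my own.

```powershell
# Added example (not from the thread): decode -EncodedCommand arguments found in
# process command lines so the plaintext can be reviewed or alerted on.
function Get-DecodedCommandLine {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$CommandLine)
    process {
        # powershell.exe accepts -EncodedCommand, -ec, -enc and -e. Requiring
        # whitespace right after the switch keeps -ExecutionPolicy from matching.
        if ($CommandLine -match '(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})') {
            $payload = $Matches[1]
            try {
                # -EncodedCommand payloads are Base64 over UTF-16LE ("Unicode") text.
                $decoded = [System.Text.Encoding]::Unicode.GetString(
                    [Convert]::FromBase64String($payload))
            } catch {
                # Not valid Base64: still worth surfacing, it was passed to -e/-enc.
                $decoded = "<not valid Base64: $($_.Exception.Message)>"
            }
            [pscustomobject]@{
                CommandLine = $CommandLine
                Encoded     = $payload
                Decoded     = $decoded
            }
        }
    }
}

# Constructed sample command lines. The first two payloads are from this thread and
# decode to "-file C:\Users\Public\Trigger_AWS_v7.ps1" and "invoke-expression .\test.ps1";
# the third line uses no encoding and produces no output.
$sampleLines = @(
    'powershell.exe -executionpolicy bypass -nologo -encodedCommand LQBmAGkAbABlACAAQwA6AFwAVQBzAGUAcgBzAFwAUAB1AGIAbABpAGMAXABUAHIAaQBnAGcAZQByAF8AQQBXAFMAXwB2ADcALgBwAHMAMQA='
    'powershell -enc aQBuAHYAbwBrAGUALQBlAHgAcAByAGUAcwBzAGkAbwBuACAALgBcAHQAZQBzAHQALgBwAHMAMQA='
    'powershell.exe -NoProfile -File C:\scripts\nightly-backup.ps1'
)

$sampleLines | Get-DecodedCommandLine | Format-List
```

Feed it the command-line field from Security event 4688 (with command-line auditing enabled) or Sysmon event 1 and every encoded invocation comes back readable. With Script Block Logging turned on you do not even need this step: event 4104 already records the decoded script text, which is exactly the behaviour the post above describes.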

  • #166882

    Participant
    Topics: 1
    Replies: 1
    Points: 14
    Rank: Member

    Encoded commands in an enterprise environment are frowned on and mostly never allowed, because this is what hackers use to make their efforts. Encoded strings never remain encoded anyway, especially if PowerShell auditing / logging is enabled. It will decode them and they will show as plain text in the logs / audit reports.

    I totally agree. The reason for my testing is, our EDR product can search the customers' estate and look for PowerShell commands/scripts that are being run. I have written a test workflow where a Word macro will download a VB script from AWS, which will download a PowerShell script from AWS and run it. I actually wanted to put this command in the VB script, but it failed. I then went to test it within PowerShell itself and realised it didn't work, hence the question.

    These files just trigger fake detections allowing me to show the customers what is going on. If the customer has restrictions in place then that is fantastic, if not, I can explain why it is bad.

  • #167008

    Participant
    Topics: 2
    Replies: 999
    Points: 1,946
    Helping Hand
    Rank: Community Hero

    Ah, Roger that!

  • #167137

    Senior Moderator
    Topics: 8
    Replies: 1004
    Points: 3,255
    Helping Hand
    Rank: Community Hero

    You don't need to use -file in the encoded command; if you do, it becomes

    PS> -file c:\temp\bla.ps1

    You only need to encode c:\temp\bla.ps1
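
To make the moderator's point concrete, and to cover the earlier workaround post as well, here is an added example that is not code from this thread. -EncodedCommand carries a command string (Base64 over UTF-16LE), not command-line switches, so the decoded "-file <path>" is parsed as a command named "-file" and fails, while the path itself (or, more generally, "& '<path>'", which also survives spaces in the path) executes. The helper names ConvertTo-EncodedCommand and ConvertFrom-EncodedCommand, the temp file and its one-line content are all constructed for the demo.

```powershell
# Added example (not from the thread): build an -EncodedCommand that runs a script
# file, and round-trip it to see exactly what the child PowerShell will execute.
function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory)][string]$Command)
    # Base64 of the UTF-16LE ("Unicode") bytes, which is what -EncodedCommand expects.
    # Deliberately no 'InsertLineBreaks': that option wraps the output every 76
    # characters, and a wrapped string cannot be passed as one argument.
    [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($Command))
}

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Encoded)
    [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Encoded))
}

# A throwaway script to run; the space in the file name is on purpose.
$scriptPath = Join-Path ([System.IO.Path]::GetTempPath()) 'encoded demo.ps1'
Set-Content -Path $scriptPath -Value "'hello from ' + `$PSCommandPath"

# Wrong: "-file" is a powershell.exe switch, not a PowerShell statement. Once
# decoded it is looked up as a command named '-file', which is the error the
# original poster saw.
$wrong = ConvertTo-EncodedCommand "-file $scriptPath"
"Decoded (wrong): $(ConvertFrom-EncodedCommand $wrong)"

# Right: encode something PowerShell can execute as a statement. A bare path
# works when it contains no spaces; the call operator with a quoted path always works.
$right = ConvertTo-EncodedCommand "& '$scriptPath'"
"Decoded (right): $(ConvertFrom-EncodedCommand $right)"

# Launch the matching host (powershell.exe on Windows PowerShell, pwsh on PowerShell 7).
$hostExe = if ($PSVersionTable.PSEdition -eq 'Core') { 'pwsh' } else { 'powershell.exe' }
& $hostExe -NoProfile -NoLogo -EncodedCommand $right
```

The last line prints "hello from <path to encoded demo.ps1>". The decode step is the check worth keeping: whatever ConvertFrom-EncodedCommand shows is literally what the child process will type at its prompt, so if it would not work typed at a PS> prompt, it will not work encoded either.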
