-file not working in an -encodedcommand

    • #166630
      Participant

      Hi,

      I am writing the below to do some testing. When I encode this part of the command it fails. I'm not sure why.

      Any help would be much appreciated.

      powershell.exe -executionpolicy bypass -nologo -encodedCommand LQBmAGkAbABlACAAQwA6AFwAVQBzAGUAcgBzAFwAUAB1AGIAbABpAGMAXABUAHIAaQBnAGcAZQByAF8AQQBXAFMAXwB2ADcALgBwAHMAMQA=
      powershell.exe : -file : The term '-file' is not recognized as the name of a cmdlet, function, script file, or operable program. Check 
      At line:1 char:1
    • #166678
      Participant

      So, that's 'interesting'. I can say I haven't worked with encoded commands, but this is a workaround.

      powershell -command invoke-expression .\test.ps1
      hello world
      $text="invoke-expression .\test.ps1"
      [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($text), 'InsertLineBreaks')
      aQBuAHYAbwBrAGUALQBlAHgAcAByAGUAcwBzAGkAbwBuACAALgBcAHQAZQBzAHQALgBwAHMAMQA=
      C:\TEST>powershell -encodedcommand aQBuAHYAbwBrAGUALQBlAHgAcAByAGUAcwBzAGkAbwBuACAALgBcAHQAZQBzAHQALgBwAHMAMQA=
      hello world
      
    • #166822
      Participant

      FYI...

      Encoded commands in an enterprise environment are frowned on and mostly never allowed, because this is what hackers use to make their efforts. Encoded strings never remain encoded anyway, especially if PowerShell Auditing / logging is enabled. It will decode it and it will show as plain text in the logs / audit reports.

      So, doing this as a learning effort is cool and all, doing it to try and protect your code from modification, maybe, doing it to prevent your code from being captured / read / reused by someone else, well, it's not effective / easily reversed.

      It's more prudent to PS2EXE and the like to achieve the aforementioned, depending on your overall goals / needs.

    • #166882
      Participant

      Encoded commands in an enterprise environment are frowned on and mostly never allowed, because this is what hackers use to make their efforts. Encoded strings never remain encoded anyway, especially if PowerShell Auditing / logging is enabled. It will decode it and it will show as plain text in the logs / audit reports.

      I totally agree. The reason for my testing is, our EDR product can search the customer's estate and look for PowerShell commands/scripts that are being run. I have written a test workflow where a Word Macro will download a VB script from AWS, that will download a PowerShell script from AWS and run. I actually wanted to put this command in the VB script, but it failed. I then went to test it within PowerShell itself and realised it didn't work, hence the question.

      These files just trigger fake detections, allowing me to show the customers what is going on. If the customer has restrictions in place then that is fantastic; if not, I can explain why it is bad.

       

    • #167008
      Participant

      Ah, Roger that!

    • #167137
      Senior Moderator

      You don't need to use -file in the encoded command; if you do so, then it becomes

      ps > -file c:\temp\bla.ps1


      You need to only encode c:\temp\bla.ps1
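
A triage helper for the behaviour described in the last reply, added here as an example and not code from any poster: it pulls the -EncodedCommand value out of a command line, decodes it as Base64 over UTF-16LE, and flags decoded text that begins with a switch. The function name `Get-DecodedEncodedCommand` and the `StartsWithSwitch` field are hypothetical; the two sample command lines are the ones posted in this thread.

```powershell
# Added example (not from the thread): show what -EncodedCommand will actually run.
function Get-DecodedEncodedCommand {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$CommandLine)

    # Candidate "-name value" pairs; the parameter name is validated below.
    $pattern = '(?:^|\s)-(?<name>[A-Za-z]+)\s+(?<b64>[A-Za-z0-9+/]+={0,2})(?=\s|$)'
    foreach ($m in [regex]::Matches($CommandLine, $pattern)) {
        $name = $m.Groups['name'].Value.ToLowerInvariant()
        # powershell.exe accepts -ec and any prefix of -EncodedCommand (-e, -enc, ...).
        if ($name -ne 'ec' -and -not ('encodedcommand'.StartsWith($name))) { continue }

        try   { $bytes = [Convert]::FromBase64String($m.Groups['b64'].Value) }
        catch { continue }   # not valid Base64, so not an encoded command

        # -EncodedCommand expects Base64 of UTF-16LE text ([Text.Encoding]::Unicode).
        $text  = [System.Text.Encoding]::Unicode.GetString($bytes)
        $first = ($text.Trim() -split '\s+')[0]

        [pscustomobject]@{
            Parameter        = '-' + $m.Groups['name'].Value
            Decoded          = $text
            # The decoded text is executed as script. A leading switch such as
            # -file is therefore treated as a command name, which produces the
            # "term '-file' is not recognized" error from the first post.
            StartsWithSwitch = $first -match '^-[A-Za-z]+$'
        }
    }
}

# The two command lines posted in this thread.
$samples = @(
    'powershell.exe -executionpolicy bypass -nologo -encodedCommand LQBmAGkAbABlACAAQwA6AFwAVQBzAGUAcgBzAFwAUAB1AGIAbABpAGMAXABUAHIAaQBnAGcAZQByAF8AQQBXAFMAXwB2ADcALgBwAHMAMQA=',
    'powershell -encodedcommand aQBuAHYAbwBrAGUALQBlAHgAcAByAGUAcwBzAGkAbwBuACAALgBcAHQAZQBzAHQALgBwAHMAMQA='
)
$samples | ForEach-Object { Get-DecodedEncodedCommand -CommandLine $_ } | Format-List
```

The same decoding applies to command lines pulled from process-creation or PowerShell logging records, which is why encoding does not hide the script from an auditor.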
