https://blueteamlabs.online/home/challenge/7
Let's open the text file in a text editor (I like VSCodium) and see what we're dealing with.
An encoded PowerShell script.
CyberChef is an excellent tool for decoding it. Note that PowerShell's -EncodedCommand parameter expects the script as Base64 over UTF-16LE text, which is an uncommon encoding, so after "From Base64" we also need to decode the bytes as UTF-16LE text (otherwise every other character comes out as a NUL).
Now we have a decoded, but obfuscated, PowerShell script. Let's copy that into our text editor and start deobfuscating.
I tried a few automated scripts and tools, but none worked that well. So I'll do it manually.
To make things easier, set the language mode in VSCodium to PowerShell so you get syntax highlighting; as you deobfuscate, more of the script will be coloured correctly, which is a quick visual check that a step did not break the syntax.
I also save as a new file after each step in case I need to revert, as some of this might break the actual script. However, it's malicious anyway, so if we make it unrunnable, that's not necessarily a bad thing!
The semicolon separates statements in PowerShell, so for readability we can replace ; with two new lines (\n\n in a regex replace). Check first that none of the semicolons sit inside a quoted string, where they are part of the data and not a statement separator.
Delete all '+' and backticks (`), as they are just filler: the '+' concatenates adjacent string fragments, and the backticks are PowerShell's escape character dropped into the middle of command names to split them up. Once they are gone, the string fragments can be joined back into single literals. The one caveat is backticks inside double-quoted strings, where `n, `t and similar are escape sequences and removing the tick changes the value, so only strip the ones that sit between tokens.