https://blueteamlabs.online/home/challenge/7

Open the file

Let's open the text file in a text editor (I like VSCodium) and see what we're dealing with.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/54826ea6-2212-41ab-aeae-c4c13e46b2a4/Untitled.png

An encoded PowerShell script.

Decode the file

CyberChef is an excellent tool for decoding it. Note that PowerShell uses an encoding that is uncommon elsewhere (UTF-16LE), so after converting from Base64 we also need to decode the text as UTF-16LE.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/34910539-1414-4d12-856c-652b81e76a07/Untitled.png
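The same two-step recipe as a script, added here as an example and not part of the original write-up. The encoded string is a constructed, harmless one-liner (not the challenge file) so the script runs offline; it also shows the two tells a practitioner looks for before reaching for UTF-16LE: decoding as UTF-8 leaves a NUL byte between every character, and the raw bytes have 0x00 in every odd position.

```python
import base64

# Constructed sample: a harmless one-liner encoded the way PowerShell's encoded
# command form expects it (UTF-16LE text, then Base64). Not the challenge payload.
SAMPLE_SCRIPT = "Write-Host 'decoded ok'"


def encode_powershell_command(script: str) -> str:
    """Produce the Base64(UTF-16LE) form PowerShell accepts as an encoded command."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


SAMPLE_B64 = encode_powershell_command(SAMPLE_SCRIPT)


def decode_powershell_command(b64: str) -> str:
    """Reverse the recipe: Base64 first, then interpret the bytes as UTF-16LE."""
    raw = base64.b64decode(b64)
    return raw.decode("utf-16-le")


def decode_as_utf8(b64: str) -> str:
    """The wrong decode, kept to show the tell: every other character is a NUL."""
    return base64.b64decode(b64).decode("utf-8")


def looks_like_utf16le_ascii(b64: str) -> bool:
    """Heuristic: ASCII text in UTF-16LE has a 0x00 high byte after every character."""
    raw = base64.b64decode(b64)
    return len(raw) >= 2 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2])


if __name__ == "__main__":
    print("Base64 payload :", SAMPLE_B64)
    print("UTF-16LE tell  :", looks_like_utf16le_ascii(SAMPLE_B64))
    print("As UTF-8       :", repr(decode_as_utf8(SAMPLE_B64)))
    print("As UTF-16LE    :", decode_powershell_command(SAMPLE_B64))
```

For ASCII scripts the Base64 itself has a recognisable shape: the first two characters "Wr" encode to VwBy, and the interleaved zero bytes keep producing "A" characters at regular positions, which is often enough to guess UTF-16LE before decoding anything.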

Now we have a decoded, but obfuscated, PowerShell script. Let's copy that into our text editor and start deobfuscating.

Deobfuscating the script

I tried a few automated scripts and tools, but none worked that well, so I'll do it manually.

To make things easier, you can set PowerShell syntax highlighting in VSCodium so, as you progress, more colour will appear.

I also save as a new file after each step in case I need to revert, as some of this might break the actual script. However, it's malicious anyway, so if we make it unrunnable, that's not necessarily a bad thing!

Spacing

The semicolon separates commands in PowerShell, so for readability we can replace ; with two newlines (\n\n in regex replace mode).

Fillers

Delete all '+' signs and backticks (`), as they just seem to be filler.
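The three manual passes above (split on semicolons, remove the '+' concatenation, remove the backtick filler) as one script, added here as an example and not part of the original write-up or the challenge file. It generalises the find-and-replace slightly in two places a practitioner will hit on a longer sample: a ';' inside a quoted string is left alone rather than split, and a backtick is removed only when the character after it is not one of PowerShell's documented escape letters (0 a b e f n r t u v) or an escaped quote, $ or space, so "done`n" keeps its newline while Wr`ite`-`Ho`st collapses to Write-Host. The input is a constructed snippet in the same style as the challenge's obfuscation.

```python
import re

# Constructed sample in the style of the challenge's obfuscation (not the challenge file):
# '+'-concatenated string fragments, backtick filler inside a command name, ';'-joined statements.
SAMPLE = r'''$v=('Wri'+'te-H'+'ost');& $v ('Hel'+'lo');Wr`ite`-`Ho`st "done`n"'''

# Characters that form a real escape sequence after a backtick (documented lowercase
# escape letters, escaped quotes/$/backtick, escaped whitespace and line continuation).
# A backtick before any other character is a no-op, which is why obfuscators use it as filler.
ESCAPE_FOLLOWERS = set("0abefnrtuv`\"'$ \t\r\n")


def strip_backtick_filler(text: str) -> str:
    """Remove backticks that do not start an escape sequence, e.g. Wr`ite-`Host -> Write-Host."""
    out, i = [], 0
    while i < len(text):
        ch = text[i]
        if ch == "`" and i + 1 < len(text) and text[i + 1] not in ESCAPE_FOLLOWERS:
            i += 1  # drop the filler backtick, keep the character after it
            continue
        out.append(ch)
        i += 1
    return "".join(out)


# Two adjacent literals using the same quote character joined by '+'.
_CONCAT = re.compile(r"""(['"])([^'"]*)\1\s*\+\s*\1([^'"]*)\1""")


def join_string_concats(text: str) -> str:
    """Fold 'ab'+'cd' into 'abcd', repeating until chains of any length are flat."""
    while True:
        text, count = _CONCAT.subn(r"\1\2\3\1", text)
        if count == 0:
            return text


def split_statements(text: str) -> str:
    """Replace each statement-separating ';' with a blank line, ignoring ';' inside quotes."""
    out, quote, i = [], None, 0
    while i < len(text):
        ch = text[i]
        if quote is None:
            if ch in "'\"":
                quote = ch
            elif ch == ";":
                out.append("\n\n")
                i += 1
                continue
        else:
            if quote == '"' and ch == "`" and i + 1 < len(text):
                out.append(text[i:i + 2])  # escaped character inside a double-quoted string
                i += 2
                continue
            if ch == quote:
                quote = None
        out.append(ch)
        i += 1
    return "".join(out)


def deobfuscate(text: str) -> str:
    """Run the three passes in the order used in the write-up's manual clean-up."""
    return split_statements(join_string_concats(strip_backtick_filler(text)))


if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
```

Running it on the sample yields three readable statements, with $v resolved to 'Write-Host' and the argument to 'Hello'. As in the manual approach, save the output as a new file after each pass; the string-folding regex only handles plain concatenation, so -join, -f formatting and .Replace() tricks still need to be unpicked by hand.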