Challenge 08: Base64 Encoded Commands

Medium Command Line Obfuscation Target: Rule 2, 5

Objective

Execute suspicious PowerShell commands using Base64 encoding to bypass keyword detection.

Scanner Behavior

Rule 2 checks for suspicious keywords in the raw command line. Rule 5 checks for PowerShell flags like -encodedcommand and -enc.

const SuspiciousPSFlags = [
  "-encodedcommand",
  "-enc ",
  ...
]

However, Rule 5 uses toLowerAscii() for comparison. And the flag list contains specific strings with specific casing.

Rules

  • Execute Invoke-Expression or downloadstring via PowerShell
  • The raw command line must not contain those keywords in plaintext
  • You must bypass both Rule 2 (keywords) and Rule 5 (PS flags)

Hints

Hint 1 PowerShell's -EncodedCommand parameter accepts Base64-encoded UTF-16LE commands.
Hint 2 The flag -encodedcommand is in the detection list, but PowerShell accepts abbreviations: -EC, -En, -Enco.
Hint 3 Rule 5 only checks if the process is powershell.exe. Using pwsh.exe bypasses Rule 5 entirely.