Challenge 08: Base64 Encoded Commands
Objective
Execute suspicious PowerShell commands using Base64 encoding to bypass keyword detection.
Scanner Behavior
Rule 2 checks for suspicious keywords in the raw command line. Rule 5 checks for PowerShell flags like -encodedcommand and -enc.
const SuspiciousPSFlags = [
"-encodedcommand",
"-enc ",
...
]
However, Rule 5 uses toLowerAscii() for comparison. And the flag list contains specific strings with specific casing.
Rules
- Execute
Invoke-Expressionordownloadstringvia PowerShell - The raw command line must not contain those keywords in plaintext
- You must bypass both Rule 2 (keywords) and Rule 5 (PS flags)
Hints
Hint 1
PowerShell's-EncodedCommand parameter accepts Base64-encoded UTF-16LE commands.
Hint 2
The flag-encodedcommand is in the detection list, but PowerShell accepts abbreviations: -EC, -En, -Enco.
Hint 3
Rule 5 only checks if the process ispowershell.exe. Using pwsh.exe bypasses Rule 5 entirely.
MostShittyEDR