
I am trying to run a base64 encoded PowerShell command with the -e flag, however it does not work.

```
powershell.exe -e V3JpdGUtSG9zdCBhYWFh
```

The base64 is just the command Write-Host aaaa. Instead of decoding the command and printing "aaa", it throws the following error.

```
牗瑩ⵥ潈瑳愠慡� : The term '牗瑩ⵥ潈瑳愠慡�' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ 牗瑩ⵥ潈瑳愠慡�
    + CategoryInfo          : ObjectNotFound: (牗瑩ⵥ潈瑳愠慡�:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
```

Why is it not trying to decode the command and run it? I tried -EncodedCommand as well and got the same result.

Dave
  • I saw that, but no that is something different. I am wanting to pass the base64 encoded string in as an argument using the -e flag. I need to do this on a single line. – Dave Dec 05 '21 at 00:34
  • See the answer from [mklement0](https://stackoverflow.com/a/57404296/15339544), it should work fine using `[System.Text.Encoding]::Unicode.GetBytes(...)` to get a UTF16LE String. – Santiago Squarzon Dec 05 '21 at 00:40
  • Have a look at this MVP Post Regarding Base64 Encryption - <https://isc.sans.edu/forums/diary/Tip+BASE64+Encoded+PowerShell+Scripts+are+Recognizable+by+the+Amount+of+Letter+As/24992/> – NeoTheNerd Dec 05 '21 at 00:42
  • @NeoTheNerd, thanks, that got me thinking in the right direction. Moral of the story, use PowerShell to base64 encode your commands instead of some other utility. – Dave Dec 05 '21 at 00:54
  • In short: The Base64 encoding of commands to pass to the PowerShell CLI's `-EncodedCommand` parameter must be based on the bytes making up the UTF-16LE ("Unicode") encoding of the original string, not the UTF-8 encoding. E.g. `[Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Get-Date'))`. See [this answer](https://stackoverflow.com/a/57404296/45375) to the linked duplicate. – mklement0 Dec 05 '21 at 02:28
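
The encoding mismatch discussed in the comments, as an added Python example (not code from the question or from any commenter). It decodes a blob the way the PowerShell CLI does, which reproduces the garbled name in the error above, and classifies a blob as UTF-16LE or mistakenly UTF-8 encoded; the function names and the 0.9 zero-byte threshold are assumptions made for this example.

```python
import base64

def encode_command(command: str) -> str:
    """Base64 of the UTF-16LE bytes: the form -EncodedCommand expects."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")

def decode_as_powershell(blob: str) -> str:
    """What the PowerShell CLI sees: Base64 -> bytes -> UTF-16LE text."""
    raw = base64.b64decode(blob, validate=True)
    return raw.decode("utf-16-le", errors="replace")

def triage(blob: str) -> dict:
    """Classify a blob found after -e / -EncodedCommand, e.g. in process logs."""
    raw = base64.b64decode(blob, validate=True)
    pairs = len(raw) // 2
    # Mostly-ASCII text in UTF-16LE has a zero byte at nearly every odd offset.
    # The 0.9 ratio is an assumed threshold for this example.
    zero_high = sum(1 for b in raw[1::2] if b == 0)
    if raw and len(raw) % 2 == 0 and zero_high >= 0.9 * pairs:
        return {"encoding": "utf-16-le", "runs_as": decode_as_powershell(blob)}
    try:
        intended = raw.decode("utf-8")
    except UnicodeDecodeError:
        intended = None
    if intended is not None and intended.isprintable():
        # Encoded by a generic Base64 tool: PowerShell will misread it.
        return {"encoding": "utf-8", "intended": intended,
                "runs_as": decode_as_powershell(blob)}
    return {"encoding": "unknown", "runs_as": decode_as_powershell(blob)}

if __name__ == "__main__":
    page_blob = "V3JpdGUtSG9zdCBhYWFh"  # the blob from the question
    print(triage(page_blob))
    print(encode_command("Write-Host aaaa"))
    print(triage(encode_command("Write-Host aaaa")))
```

The zero byte at every odd offset is also why correctly encoded PowerShell commands show the many letter As that the SANS diary linked above describes.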
