Usage of encoded string in PowerShell
Description
The program generates a Base64 string in PowerShell completely unnecessarily. Such behavior is suspicious and will raise a red flag in all intrusion prevention systems. You fall under the definition of MITRE TA0005: https://attack.mitre.org/tactics/TA0005/.
Steps to reproduce
Just run the program.
4. See error
powershell -NoProfile -NonInteractive –ExecutionPolicy Bypass -EncodedCommand
BASE64 CODE (...)ACIAQwA6AFwAVQBzAGUAcgBzAFwAVwBBAEwAVABFAFIAfgAxAC4ATABVAFMAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAHMAbQBlAC0AcgBlAHMAdQBsAHQALQAyADAAMgAwADcAMgA4AC0AMgA0ADQAMgA4AC0AegA0AG4AZwBpAHAALgBoAGEAMQBrAGgALgBoAHQAbQBsAGAAIgAiAA== (Decoded: Start ""C:\Users\(...)\AppData\Local\Temp\sme-result-xxx-xxx-z4ngip.ha1kh.html"")
Expected behavior
Clear text PS command
Environment
- Win 10
- source-map-explorer Version 2.5.0
Perhaps minimizing the files in the /src/lib/vendor folder and removing the Base64 encoding could solve this issue.
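
The `-EncodedCommand` value quoted in the report is Base64 over the UTF-16LE bytes of the script, so a command line like the one above can be decoded during alert triage to see what actually runs. The following is an added example, not part of the original report or of source-map-explorer's code; the function names and the sample command line are constructed for illustration.

```javascript
'use strict';

// Build the value PowerShell expects after -EncodedCommand:
// Base64 over the UTF-16LE bytes of the script text.
function encodePowerShellCommand(script) {
  return Buffer.from(script, 'utf16le').toString('base64');
}

// powershell.exe accepts "ec" or any prefix of "encodedcommand" (-e, -enc, ...),
// introduced by '-', '/', or a Unicode dash such as the en dash seen in the report.
function isEncodedCommandFlag(token) {
  const m = /^[-\/\u2013\u2014\u2015](.+)$/.exec(token);
  if (!m) return false;
  const name = m[1].toLowerCase();
  return name === 'ec' || 'encodedcommand'.startsWith(name);
}

// Returns the decoded script, or null when the command line has no encoded command.
// Throws when the payload is missing, is not strict Base64, or is not whole
// UTF-16 code units (Buffer.from is lenient, so the payload is validated first).
function decodeEncodedCommand(commandLine) {
  const tokens = commandLine.trim().split(/\s+/);
  const i = tokens.findIndex(isEncodedCommandFlag);
  if (i === -1) return null;
  const payload = tokens[i + 1];
  const strictBase64 = /^[A-Za-z0-9+\/]+={0,2}$/;
  if (!payload || payload.length % 4 !== 0 || !strictBase64.test(payload)) {
    throw new Error('EncodedCommand payload is missing or not valid Base64');
  }
  const bytes = Buffer.from(payload, 'base64');
  if (bytes.length % 2 !== 0) {
    throw new Error('EncodedCommand payload is not UTF-16LE');
  }
  return bytes.toString('utf16le');
}

// Constructed sample shaped like the command line in the report (path is a placeholder).
const SAMPLE_SCRIPT =
  'Start "C:\\Users\\example\\AppData\\Local\\Temp\\sme-result-constructed.html"';
const SAMPLE_CMDLINE =
  'powershell -NoProfile -NonInteractive \u2013ExecutionPolicy Bypass -EncodedCommand ' +
  encodePowerShellCommand(SAMPLE_SCRIPT);

console.log(decodeEncodedCommand(SAMPLE_CMDLINE));
```
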