danielbohannon
commented
6 years ago For detecting obfuscated PowerShell you might be interested in trying out Revoke-Obfuscation.
Closed beraphin closed 6 years ago
danielbohannon
commented
6 years ago For detecting obfuscated PowerShell you might be interested in trying out Revoke-Obfuscation.
There is not currently a PowerShell deobfuscation script or function that is publicly available. The best deobfuscator (for most layers of obfuscation) is PowerShell 5.0+'s script block logging (EID 4104). This will remove all layers of obfuscation except for the TOKEN layer obfuscation.