danvk / source-map-explorer

Analyze and debug space usage through source maps
Apache License 2.0
3.82k stars 100 forks

Usage of encoded string in PowerShell #191

Open zabrowski opened 4 years ago

zabrowski commented 4 years ago

Description

The program generates a Base64 string in PowerShell completely unnecessarily. Such behavior is suspicious and will raise a red flag in all intrusion prevention systems. You fall under the definition of MITRE TA0005 https://attack.mitre.org/tactics/TA0005/.

Steps to reproduce

Just run the program.

  1. See error powershell -NoProfile -NonInteractive –ExecutionPolicy Bypass -EncodedCommand BASE64 CODE (...)ACIAQwA6AFwAVQBzAGUAcgBzAFwAVwBBAEwAVABFAFIAfgAxAC4ATABVAFMAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAHMAbQBlAC0AcgBlAHMAdQBsAHQALQAyADAAMgAwADcAMgA4AC0AMgA0ADQAMgA4AC0AegA0AG4AZwBpAHAALgBoAGEAMQBrAGgALgBoAHQAbQBsAGAAIgAiAA== (Decoded: Start ""C:\Users\(...)\AppData\Local\Temp\sme-result-xxx-xxx-z4ngip.ha1kh.html"")

Expected behavior

Clear-text PS command

Environment

volago commented 3 years ago

Perhaps minimizing files in the folder /src/lib/vendor and withdrawing the base64 coding could solve this issue.
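
Added example, not part of the original thread or of source-map-explorer's code: a small Node.js triage helper that recovers the clear-text command from a PowerShell `-EncodedCommand` argument like the one reported above, so an analyst can confirm what was actually run. The function names and the sample path are hypothetical; the sample command line is constructed.

```javascript
// Added example (not from source-map-explorer): decode a PowerShell
// -EncodedCommand argument so the real command can be reviewed.
// The argument is Base64 over the UTF-16LE bytes of the script text.

// How a launcher produces the argument (shown for the round trip).
function encodeForPowerShell(script) {
  return Buffer.from(script, 'utf16le').toString('base64');
}

// True for -EncodedCommand, its prefixes (-e, -enc, ...) and the -ec alias.
// Assumption: en dash, em dash, horizontal bar and "/" are accepted like "-",
// as with the en dash before ExecutionPolicy in the reported command line.
function isEncodedFlag(token) {
  if (!/^[-\/\u2013\u2014\u2015]./.test(token)) return false;
  const name = token.slice(1).toLowerCase();
  return name === 'ec' || 'encodedcommand'.startsWith(name);
}

// Returns the decoded script, or null if no encoded command is present.
// Throws on a payload that is not strict Base64 of UTF-16LE text.
function decodeEncodedCommand(commandLine) {
  const tokens = commandLine.match(/"[^"]*"|\S+/g) || [];
  const i = tokens.findIndex(isEncodedFlag);
  if (i === -1 || i + 1 >= tokens.length) return null;
  const payload = tokens[i + 1].replace(/^"|"$/g, '');
  if (payload.length % 4 !== 0 || !/^[A-Za-z0-9+\/]+={0,2}$/.test(payload)) {
    throw new Error('payload is not valid Base64');
  }
  const bytes = Buffer.from(payload, 'base64');
  if (bytes.length % 2 !== 0) throw new Error('payload is not UTF-16LE');
  return bytes.toString('utf16le');
}

// Constructed sample: the path is made up, the flags mirror the report.
const sampleScript = 'Start "C:\\Temp\\sme-result-example.html"';
const sampleCommandLine =
  'powershell -NoProfile -NonInteractive \u2013ExecutionPolicy Bypass ' +
  '-EncodedCommand ' + encodeForPowerShell(sampleScript);

console.log(decodeEncodedCommand(sampleCommandLine));
```

Logging the decoded text next to the raw command line lets a reviewer distinguish a launcher that only opens a local HTML report from an encoded command that hides something else.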