matthewdunwoody / block-parser

Parser for Windows PowerShell script block logs
Apache License 2.0

Any test example of obfuscated PowerShell scripts? #6

Open hapablanha opened 5 years ago

hapablanha commented 5 years ago

"Due to the nature of script block logging, it also records de-obfuscated code as it is executed."

I tried https://github.com/danielbohannon/Revoke-Obfuscation; it can detect an obfuscated PowerShell script, but cannot decode it.

Do you mean an obfuscated PowerShell script can be de-obfuscated by script block logging? Could you give an example of that?

randomaccess3 commented 1 month ago

> "Due to the nature of script block logging, it also records de-obfuscated code as it is executed."
>
> I tried https://github.com/danielbohannon/Revoke-Obfuscation; it can detect an obfuscated PowerShell script, but cannot decode it.
>
> Do you mean an obfuscated PowerShell script can be de-obfuscated by script block logging? Could you give an example of that?

Cobalt Strike uses a loader that goes b64-encoded string -> gunzip, which contains some further code and another b64-encoded string that you then XOR with 35. Both the first and second stages can get logged, so you end up with two ps1s when there was really one (or an IEX command, etc.).
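As an added example (not part of this thread or the block-parser project): the Python below builds a constructed two-stage sample in the shape randomaccess3 describes (base64 -> gunzip -> inner base64 XOR 35) and then peels the layers in the same order that successive 4104 script blocks would record them as each stage executes. The sample payload, the regexes and the function names are my own assumptions, not anything from the project.

```python
import base64
import gzip
import re

XOR_KEY = 35  # the key named in the thread's description of the loader

# Hypothetical patterns: the base64 argument handed to FromBase64String and the -bxor key.
B64_RE = re.compile(r"FromBase64String\(['\"]([A-Za-z0-9+/=]+)['\"]\)")
XOR_RE = re.compile(r"-bxor\s+(\d+)")


def build_sample_loader(payload: bytes) -> str:
    """Constructed test data: wrap a benign payload in the two layers the thread describes.
    Returns the stage-1 text, i.e. what the first 4104 script block would contain."""
    inner_b64 = base64.b64encode(bytes(b ^ XOR_KEY for b in payload)).decode()
    stage2 = ("$s = [Convert]::FromBase64String('%s')\n"
              "for ($i = 0; $i -lt $s.Length; $i++) { $s[$i] = $s[$i] -bxor 35 }\n"
              "IEX ([Text.Encoding]::ASCII.GetString($s))") % inner_b64
    outer_b64 = base64.b64encode(gzip.compress(stage2.encode())).decode()
    return ("IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream("
            "(New-Object IO.MemoryStream(,[Convert]::FromBase64String('%s'))),"
            "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()") % outer_b64


def peel_layers(script_block: str, max_depth: int = 8) -> list:
    """Decode each wrapped layer of a logged script block and return every intermediate
    text, in the order script block logging would record them as the stages run."""
    stages = [script_block]
    text = script_block
    for _ in range(max_depth):
        m = B64_RE.search(text)
        if not m:
            break                                  # no further encoded layer
        raw = base64.b64decode(m.group(1))
        if raw[:2] == b"\x1f\x8b":                 # gzip magic: this stage gunzips the blob
            raw = gzip.decompress(raw)
        key = XOR_RE.search(text)
        if key:                                    # this stage XORs the blob with a literal key
            k = int(key.group(1))
            raw = bytes(b ^ k for b in raw)
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            break                                  # not script text; stop rather than guess
        stages.append(text)
    return stages


if __name__ == "__main__":
    for i, s in enumerate(peel_layers(build_sample_loader(b"Write-Host 'stage 3'")), 1):
        print(f"--- stage {i} ---\n{s}\n")
```

Each element of the returned list corresponds to one script block a 4104 event would carry, which is why the log shows two or three "scripts" for what was a single loader.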