Description
PowerShell command is not working as expected when using base64 obfuscation.
For the same payload, working as expected in plain text:
MAYBE_PREVENTED {"stdout":"","stderr":"Invoke-WebRequest : Unable to connect to the remote server\r\nAt line:2 char:1\r\n+ Invoke-WebRequest -Uri http://127.0.0.1 -Method POST -Body $content\r\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n + CategoryInfo : NotSpecified: (:) [Invoke-WebRequest], WebException\r\n + FullyQualifiedErrorId : System.Net.WebException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand\r\n \r\n","exit_code":1}
https://reference.openbas.io/admin/atomic_testings/542aa4e6-ba80-4405-aaef-32332929a5de?query=cGFnZT0wJnNpemU9MjAmZmlsdGVyR3JvdXAlNUJtb2RlJTVEPWFuZCZmaWx0ZXJHcm91cFtmaWx0ZXJzXVtdJmtleT1BR0VOVF81NDJhYTRlNi1iYTgwLTQ0MDUtYWFlZi0zMjMzMjkyOWE1ZGVfZmlsdGVycw%3D%3D
In base64, another error:
MAYBE_PREVENTED {"stdout":"","stderr":"#< CLIXML\r\n<Objs Version=\"1.1.0.1\" xmlns=\"http://schemas.microsoft.com/powershell/2004/04\"><Obj S=\"progress\" RefId=\"0\"><TN RefId=\"0\"><T>System.Management.Automation.PSCustomObject</T><T>System.Object</T></TN><MS><I64 N=\"SourceId\">1</I64><PR N=\"Record\"><AV>Preparing modules for first use.</AV><AI>0</AI><Nil /><PI>-1</PI><PC>-1</PC><T>Completed</T><SR>-1</SR><SD> </SD></PR></MS></Obj><Obj S=\"progress\" RefId=\"1\"><TNRef RefId=\"0\" /><MS><I64 N=\"SourceId\">1</I64><PR N=\"Record\"><AV>Preparing modules for first use.</AV><AI>0</AI><Nil /><PI>-1</PI><PC>-1</PC><T>Completed</T><SR>-1</SR><SD> </SD></PR></MS></Obj><S S=\"Error\">Invoke-WebRequest : Unable to connect to the remote server_x000D__x000A_</S><S S=\"Error\">At line:2 char:1_x000D__x000A_</S><S S=\"Error\">+ Invoke-WebRequest -Uri http://127.0.0.1 -Method POST -Body $content_x000D__x000A_</S><S S=\"Error\">+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~_x000D__x000A_</S><S S=\"Error\"> + CategoryInfo : NotSpecified: (:) [Invoke-WebRequest], WebException_x000D__x000A_</S><S S=\"Error\"> + FullyQualifiedErrorId : System.Net.WebException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand_x000D__x000A_</S><S S=\"Error\"> _x000D__x000A_</S></Objs>","exit_code":1}
https://reference.openbas.io/admin/atomic_testings/0cdcd5cf-eb18-40a9-b2a8-3019e81d38d3?query=cGFnZT0wJnNpemU9MjAmZmlsdGVyR3JvdXAlNUJtb2RlJTVEPWFuZCZmaWx0ZXJHcm91cFtmaWx0ZXJzXVtdJmtleT1BR0VOVF8wY2RjZDVjZi1lYjE4LTQwYTktYjJhOC0zMDE5ZTgxZDM4ZDNfZmlsdGVycw%3D%3D
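The stderr of the base64 run above begins with `#< CLIXML` and carries the same `Invoke-WebRequest` error inside `<S S="Error">` elements, with CRLF written as `_x000D__x000A_`. The following is an added example, not OpenBAS code and not part of the original report, showing one way a result consumer could turn such stderr back into plain text; the function names and the shortened sample result are constructed for illustration.

```python
import json
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/powershell/2004/04}"
ESCAPE = re.compile(r"_x([0-9A-Fa-f]{4})_")

# Constructed sample: a shortened copy of the base64 run's result shown above.
SAMPLE_RESULT = r'''{"stdout":"","stderr":"#< CLIXML\r\n<Objs Version=\"1.1.0.1\" xmlns=\"http://schemas.microsoft.com/powershell/2004/04\"><Obj S=\"progress\" RefId=\"0\"><MS><I64 N=\"SourceId\">1</I64></MS></Obj><S S=\"Error\">Invoke-WebRequest : Unable to connect to the remote server_x000D__x000A_</S><S S=\"Error\">At line:2 char:1_x000D__x000A_</S></Objs>","exit_code":1}'''

def unescape(text):
    # CLIXML writes control characters as _xHHHH_ (_x000D__x000A_ is CRLF)
    # and a literal underscore that would be ambiguous as _x005F_.
    return ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)

def clixml_to_text(stderr, stream="Error"):
    """Return the plain text of one CLIXML stream; pass other input through."""
    if not stderr.lstrip().startswith("#< CLIXML"):
        return stderr
    start = stderr.find("<Objs")
    if start == -1 or "<!DOCTYPE" in stderr:
        return stderr  # not the expected shape: leave untouched
    try:
        root = ET.fromstring(stderr[start:])
    except ET.ParseError:
        return stderr
    # Stream records are direct children <S S="Error">; progress <Obj>s are skipped.
    return "".join(unescape(s.text or "")
                   for s in root.findall(NS + "S") if s.get("S") == stream)

def normalize_result(raw_json):
    """Decode an execution result and replace CLIXML stderr with plain text."""
    result = json.loads(raw_json)
    result["stderr"] = clixml_to_text(result.get("stderr", ""))
    return result

if __name__ == "__main__":
    print(normalize_result(SAMPLE_RESULT)["stderr"])
```

Plain-text stderr, such as the first result above, passes through unchanged, so the same normalization can be applied to both runs before comparing them.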