Defense
Firstly, you need some Powershell Base64 commands, you could search your security logs or Sysmon logs for these, or simply generate some yourself!
powershell.exe -noprofile -ExecutionPolicy UnRestricted -EncodedCommand bgBlAHQAIAB1AHMAZQByACAAcwBlAGMAYQB1AGQAaQB0ACAAUABAADUANQB3ADAAcgBkADEAMgAzACEAIAAvAEEARABEADsAbgBlAHQAIAB1AHMAZQByACAAcwBlAGMAYQB1AGQAaQB0ACAALwBhAGMAdABpAHYAZQA6AHkAZQBzADsAbgBlAHQAIABsAG8AYwBhAGwAZwByAG8AdQBwACAAYQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgBzACAALwBhAGQAZAAgAHMAZQBjAGEAdQBkAGkAdAA=
Next, we head over to Cyber Chef!
https://gchq.github.io/CyberChef/
Now we copy the base64 component to the INPUT window:
We add the “From Base64” operation into our RECIPE!We now need to decode the text!
The format of the encoding is UTF-16LE (1200)
With this recipe BAKED we can see the clear text output! Simples!
