
EASY BUTTON - Encode PowerShell for Remote Monitors, Role Definitions, and more!



  • Have you ever used the native PowerShell -encodedcommand feature for a small script, and had a huge command line?
  • Have you ever tried to use PowerShell in a Role Definition and discovered that the '}' character breaks it?
  • Have you ever wanted to easily turn some PowerShell into a one-liner for a remote monitor or some other situation where you can't write the script to a file?

Run this to convert your commands into an encoded one-liner:

powershell.exe "$rawinput=$($input) -join \"`n\";[system.text.encoding]::ASCII.GetString([Convert]::FromBase64String('SWYgKCEoJHJhd2lucHV0KSkgewokaW5wdXRGcm9tVXNlciA9IEAoKTsKRG8gewpJZiAoJE51bGwgLW5lICRyYXdpbnB1dCAtYW5kICRyYXdpbnB1dC5MZW5ndGggLWd0IDApIHskSW5wdXRGcm9tVXNlciArPSAkcmF3aW5wdXR9CiRyYXdpbnB1dCA9ICIkKFJlYWQtSG9zdCAnSW5wdXQgY29tbWFuZHMgKHEgdG8gZXhpdCknKWBuIgp9IFVudGlsKCRyYXdpbnB1dCAtbWF0Y2ggJ15xJCcpCiRyYXdpbnB1dD0kaW5wdXRGcm9tVXNlciAtam9pbiAnJwp9CiciJXdpbmRpciVcU3lzdGVtMzJcV2luZG93c1Bvd2VyU2hlbGxcdjEuMFxwb3dlcnNoZWxsLmV4ZSIgLW5vcHJvZmlsZSAiaWV4IChbc3lzdGVtLnRleHQuZW5jb2RpbmddOjpBU0NJSS5HZXRTdHJpbmcoW0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCcnJytbQ29udmVydF06OlRvQmFzZTY0U3RyaW5nKFtzeXN0ZW0udGV4dC5lbmNvZGluZ106OkFTQ0lJLkdldEJ5dGVzKCRyYXdpbnB1dCkpKycnJykpKSIn'))|iex"

The output is a command line that can be used in a Remote Monitor, a Role Definition, the Remote Command prompt, or sent via email, etc. You can input your commands one line at a time, or you can pipe an existing script to the command and it will convert it. It uses ASCII encoding instead of Unicode, resulting in Base64 strings that are half the length of the native PowerShell encoded format. If the script is longer than about 90 characters, this method will result in a shorter command line.

If you want to extract the script again, just remove the "iex" portion of the command and the script text will be output.

Example: running the command and manually entering a script:

Microsoft Windows [Version 10.0.18363.1016]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>"%windir%\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile "$rawinput=$($input) -join \"`n\";[system.text.encoding]::ASCII.GetString([Convert]::FromBase64String('SWYgKCEoJHJhd2lucHV0KSkgewokaW5wdXRGcm9tVXNlciA9IEAoKTsKRG8gewpJZiAoJE51bGwgLW5lICRyYXdpbnB1dCAtYW5kICRyYXdpbnB1dC5MZW5ndGggLWd0IDApIHskSW5wdXRGcm9tVXNlciArPSAkcmF3aW5wdXR9CiRyYXdpbnB1dCA9ICIkKFJlYWQtSG9zdCAnSW5wdXQgY29tbWFuZHMgKHEgdG8gZXhpdCknKWBuIgp9IFVudGlsKCRyYXdpbnB1dCAtbWF0Y2ggJ15xJCcpCiRyYXdpbnB1dD0kaW5wdXRGcm9tVXNlciAtam9pbiAnJwp9CiciJXdpbmRpciVcU3lzdGVtMzJcV2luZG93c1Bvd2VyU2hlbGxcdjEuMFxwb3dlcnNoZWxsLmV4ZSIgLW5vcHJvZmlsZSAiaWV4IChbc3lzdGVtLnRleHQuZW5jb2RpbmddOjpBU0NJSS5HZXRTdHJpbmcoW0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCcnJytbQ29udmVydF06OlRvQmFzZTY0U3RyaW5nKFtzeXN0ZW0udGV4dC5lbmNvZGluZ106OkFTQ0lJLkdldEJ5dGVzKCRyYXdpbnB1dCkpKycnJykpKSIn'))|iex"
Input commands (q to exit): If (Get-Random @($True,$False)) {
Input commands (q to exit):   Write-Output 'Hello World'
Input commands (q to exit): } Else {
Input commands (q to exit):   Write-Output 'Goodbye!'
Input commands (q to exit): }
Input commands (q to exit): q
"%windir%\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile "iex ([system.text.encoding]::ASCII.GetString([Convert]::FromBase64String('SWYgKEdldC1SYW5kb20gQCgkVHJ1ZSwkRmFsc2UpKSB7CiAgV3JpdGUtT3V0cHV0ICdIZWxsbyBXb3JsZCcKfSBFbHNlIHsKICBXcml0ZS1PdXRwdXQgJ0dvb2RieWUhJwp9Cg==')))"

Then, testing the command that was output:

C:\WINDOWS\system32>"%windir%\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile "iex ([system.text.encoding]::ASCII.GetString([Convert]::FromBase64String('SWYgKEdldC1SYW5kb20gQCgkVHJ1ZSwkRmFsc2UpKSB7CiAgV3JpdGUtT3V0cHV0ICdIZWxsbyBXb3JsZCcKfSBFbHNlIHsKICBXcml0ZS1PdXRwdXQgJ0dvb2RieWUhJwp9Cg==')))"
Hello World

C:\WINDOWS\system32>"%windir%\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile "iex ([system.text.encoding]::ASCII.GetString([Convert]::FromBase64String('SWYgKEdldC1SYW5kb20gQCgkVHJ1ZSwkRmFsc2UpKSB7CiAgV3JpdGUtT3V0cHV0ICdIZWxsbyBXb3JsZCcKfSBFbHNlIHsKICBXcml0ZS1PdXRwdXQgJ0dvb2RieWUhJwp9Cg==')))"
Hello World

C:\WINDOWS\system32>"%windir%\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile "iex ([system.text.encoding]::ASCII.GetString([Convert]::FromBase64String('SWYgKEdldC1SYW5kb20gQCgkVHJ1ZSwkRmFsc2UpKSB7CiAgV3JpdGUtT3V0cHV0ICdIZWxsbyBXb3JsZCcKfSBFbHNlIHsKICBXcml0ZS1PdXRwdXQgJ0dvb2RieWUhJwp9Cg==')))"
Goodbye!

And finally, removing "iex" to reveal the script:

C:\WINDOWS\system32>"%windir%\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile "([system.text.encoding]::ASCII.GetString([Convert]::FromBase64String('SWYgKEdldC1SYW5kb20gQCgkVHJ1ZSwkRmFsc2UpKSB7CiAgV3JpdGUtT3V0cHV0ICdIZWxsbyBXb3JsZCcKfSBFbHNlIHsKICBXcml0ZS1PdXRwdXQgJ0dvb2RieWUhJwp9Cg==')))"
If (Get-Random @($True,$False)) {
  Write-Output 'Hello World'
} Else {
  Write-Output 'Goodbye!'
}

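As an added example (not code from Darren's post), the function below does the same ASCII/Base64 packing in a reusable form and adds the checks a practitioner would want before deploying the result: it refuses scripts with non-ASCII characters (which the .NET ASCII encoder would silently turn into '?'), round-trips the payload through the exact decoder the one-liner uses, and reports the payload length next to the native -EncodedCommand (UTF-16LE) form so the "half the length" claim can be seen directly. The function name, output field names and sample script are this example's own assumptions.

```powershell
# Added example, not from the original post: a reusable version of the
# ASCII/Base64 one-liner builder with the checks you want before deploying it.
# Function name, output fields and sample script are this example's own choices.

function ConvertTo-AsciiOneLiner {
    [CmdletBinding()]
    param(
        # Script text, one line per item (pipe a file in with Get-Content).
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$ScriptLine
    )
    begin { $lines = New-Object System.Collections.Generic.List[string] }
    process { foreach ($l in $ScriptLine) { $lines.Add($l) } }
    end {
        # Same framing as the post's encoder: LF between lines, trailing LF.
        $script = ($lines -join "`n") + "`n"

        # ASCII is lossy: the .NET ASCII encoder replaces anything above 0x7F
        # with '?', so a curly quote or accented letter would change the script
        # you reviewed. Refuse instead of shipping a silently altered payload.
        $nonAscii = [regex]::Matches($script, '[^\x00-\x7F]').Count
        if ($nonAscii -gt 0) {
            throw "Script has $nonAscii non-ASCII character(s); use -EncodedCommand (UTF-16LE) for this one."
        }

        $b64Ascii   = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($script))
        $b64Unicode = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($script))

        # Round-trip through the exact decoder the one-liner will execute.
        $decoded = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($b64Ascii))
        if ($decoded -ne $script) { throw 'Round-trip mismatch; do not deploy this payload.' }

        # The Base64 alphabet is A-Z a-z 0-9 + / =, so the payload can never
        # contain the '}' or ';' characters the thread worries about.
        $decoder = "iex ([system.text.encoding]::ASCII.GetString([Convert]::FromBase64String('$b64Ascii')))"

        [pscustomobject]@{
            OneLiner         = "`"%windir%\System32\WindowsPowerShell\v1.0\powershell.exe`" -noprofile `"$decoder`""
            NativeEquivalent = "powershell.exe -noprofile -EncodedCommand $b64Unicode"
            AsciiB64Length   = $b64Ascii.Length
            UnicodeB64Length = $b64Unicode.Length
            Decoded          = $decoded
        }
    }
}

# Constructed sample: the same script used in the first post.
$sample = @(
    'If (Get-Random @($True,$False)) {'
    "  Write-Output 'Hello World'"
    '} Else {'
    "  Write-Output 'Goodbye!'"
    '}'
)

$result = $sample | ConvertTo-AsciiOneLiner
$result.OneLiner
"ASCII Base64 length   : $($result.AsciiB64Length)"
"UTF-16LE Base64 length: $($result.UnicodeB64Length)"
```

Pipe a script's lines in (`Get-Content .\script.ps1 | ConvertTo-AsciiOneLiner`) or pass an array as above. Two caveats for anyone deploying the output: the decoded script still lands in PowerShell script block logging (Event ID 4104) the moment `iex` runs it, so nothing is hidden from defenders, and `FromBase64String` fed to `iex` is a pattern that EDR and AMSI rules commonly flag, so in a monitored environment expect to allow-list the monitor's command line rather than be surprised by alerts.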

THANK YOU, DARREN!!!

~~~ Ignore the text below. The problem could not be reproduced. ~~~

This probably goes without saying to everyone else, but just in case this will help someone besides me..

Don't use a command sequence with a ';' character, like I did at first... the returned output probably won't execute.

I was testing with this string first:

$output = query user /server:$SERVER; if ($output -like '*administrator*') { Write-Host '1'} else {Write-Host '0'}

But when I ran the output returned by Darren's code it errored:

  • = : The term '=' is not recognized as the name of a cmdlet ...
  • -like : The term '-like' is not recognized as the name of a cmdlet ...

Putting each part on its own "Input commands..." line fixed it:

powershell.exe "$rawinput=$($input) -join \"`n\";[system.text.encoding]::ASCII.GetString([Convert]::FromBase64String('SWYgKCEoJHJhd2lucHV0KSkgewokaW5wdXRGcm9tVXNlciA9IEAoKTsKRG8gewpJZiAoJE51bGwgLW5lICRyYXdpbnB1dCAtYW5kICRyYXdpbnB1dC5MZW5ndGggLWd0IDApIHskSW5wdXRGcm9tVXNlciArPSAkcmF3aW5wdXR9CiRyYXdpbnB1dCA9ICIkKFJlYWQtSG9zdCAnSW5wdXQgY29tbWFuZHMgKHEgdG8gZXhpdCknKWBuIgp9IFVudGlsKCRyYXdpbnB1dCAtbWF0Y2ggJ15xJCcpCiRyYXdpbnB1dD0kaW5wdXRGcm9tVXNlciAtam9pbiAnJwp9CiciJXdpbmRpciVcU3lzdGVtMzJcV2luZG93c1Bvd2VyU2hlbGxcdjEuMFxwb3dlcnNoZWxsLmV4ZSIgLW5vcHJvZmlsZSAiaWV4IChbc3lzdGVtLnRleHQuZW5jb2RpbmddOjpBU0NJSS5HZXRTdHJpbmcoW0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCcnJytbQ29udmVydF06OlRvQmFzZTY0U3RyaW5nKFtzeXN0ZW0udGV4dC5lbmNvZGluZ106OkFTQ0lJLkdldEJ5dGVzKCRyYXdpbnB1dCkpKycnJykpKSIn'))|iex"
Input commands (q to exit): $output = query user /server:$SERVER
Input commands (q to exit): if ($output -like '*administrator*') { Write-Host '1'} else {Write-Host '0'}
Input commands (q to exit): q
"%windir%\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile "iex ([system.text.encoding]::ASCII.GetString([Convert]::FromBase64String('JG91dHB1dCA9IHF1ZXJ5IHVzZXIgL3NlcnZlcjokU0VSVkVSCmlmICgkb3V0cHV0IC1saWtlICcqYWRtaW5pc3RyYXRvcionKSB7IFdyaXRlLUhvc3QgJzEnfSBlbHNlIHtXcml0ZS1Ib3N0ICcwJ30K')))"

Running the returned code works to output a 1 or a 0, depending on whether the administrator is logged in:

H:\>"%windir%\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile "iex ([system.text.encoding]::ASCII.GetString([Convert]::FromBase64String('JG91dHB1dCA9IHF1ZXJ5IHVzZXIgL3NlcnZlcjokU0VSVkVSCmlmICgkb3V0cHV0IC1saWtlICcqYWRtaW5pc3RyYXRvcionKSB7IFdyaXRlLUhvc3QgJzEnfSBlbHNlIHtXcml0ZS1Ib3N0ICcwJ30K')))"
0


Edited by toril
Problem could not be reproduced

Strange @toril.. Your example worked fine for me?

C:\Temp>powershell.exe "$rawinput=$($input) -join \"`n\";[system.text.encoding]::ASCII.GetString([Convert]::FromBase64String('SWYgKCEoJHJhd2lucHV0KSkgewokaW5wdXRGcm9tVXNlciA9IEAoKTsKRG8gewpJZiAoJE51bGwgLW5lICRyYXdpbnB1dCAtYW5kICRyYXdpbnB1dC5MZW5ndGggLWd0IDApIHskSW5wdXRGcm9tVXNlciArPSAkcmF3aW5wdXR9CiRyYXdpbnB1dCA9ICIkKFJlYWQtSG9zdCAnSW5wdXQgY29tbWFuZHMgKHEgdG8gZXhpdCknKWBuIgp9IFVudGlsKCRyYXdpbnB1dCAtbWF0Y2ggJ15xJCcpCiRyYXdpbnB1dD0kaW5wdXRGcm9tVXNlciAtam9pbiAnJwp9CiciJXdpbmRpciVcU3lzdGVtMzJcV2luZG93c1Bvd2VyU2hlbGxcdjEuMFxwb3dlcnNoZWxsLmV4ZSIgLW5vcHJvZmlsZSAiaWV4IChbc3lzdGVtLnRleHQuZW5jb2RpbmddOjpBU0NJSS5HZXRTdHJpbmcoW0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCcnJytbQ29udmVydF06OlRvQmFzZTY0U3RyaW5nKFtzeXN0ZW0udGV4dC5lbmNvZGluZ106OkFTQ0lJLkdldEJ5dGVzKCRyYXdpbnB1dCkpKycnJykpKSIn'))|iex"
Input commands (q to exit): $output = query user /server:$SERVER; if ($output -like '*administrator*') { Write-Host '1'} else {Write-Host '0'}
Input commands (q to exit): q
"%windir%\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile "iex ([system.text.encoding]::ASCII.GetString([Convert]::FromBase64String('JG91dHB1dCA9IHF1ZXJ5IHVzZXIgL3NlcnZlcjokU0VSVkVSOyBpZiAoJG91dHB1dCAtbGlrZSAnKmFkbWluaXN0cmF0b3IqJykgeyBXcml0ZS1Ib3N0ICcxJ30gZWxzZSB7V3JpdGUtSG9zdCAnMCd9Cg==')))"

C:\Temp>"%windir%\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile "iex ([system.text.encoding]::ASCII.GetString([Convert]::FromBase64String('JG91dHB1dCA9IHF1ZXJ5IHVzZXIgL3NlcnZlcjokU0VSVkVSOyBpZiAoJG91dHB1dCAtbGlrZSAnKmFkbWluaXN0cmF0b3IqJykgeyBXcml0ZS1Ib3N0ICcxJ30gZWxzZSB7V3JpdGUtSG9zdCAnMCd9Cg==')))"
0

C:\Temp>"%windir%\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile "([system.text.encoding]::ASCII.GetString([Convert]::FromBase64String('JG91dHB1dCA9IHF1ZXJ5IHVzZXIgL3NlcnZlcjokU0VSVkVSOyBpZiAoJG91dHB1dCAtbGlrZSAnKmFkbWluaXN0cmF0b3IqJykgeyBXcml0ZS1Ib3N0ICcxJ30gZWxzZSB7V3JpdGUtSG9zdCAnMCd9Cg==')))"
$output = query user /server:$SERVER; if ($output -like '*administrator*') { Write-Host '1'} else {Write-Host '0'}

C:\Temp>

In your example you didn't set $SERVER, so I don't know what would change depending on its value....
