PowerShell Script: Decode Base64 String
What is Base64 Encoding?
Since computer talks using binary (numbers), the American Standard Code for Information Interchange (ASCII) decided to map a number to every letter, creating a standard that all computers can follow.
The Base64 algorithm dissects the original data in text format and encodes them in uppercase (A-Z) English letters, lowercase (a-z) English letters, 0–10 digits, “+” and “/” characters.
At the end of a base64 ended, you might see one or more “=” characters for padding purpose.
Base64 Encoding Cheat Sheet
How to encode string using Base64?
- Using Bash (CLI) on macOS / Linux
$: echo "Hooked on phonics worked for me" | base64
- Using PowerShell (CLI) on Windows
[System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes("Hooked on phonics worked for me"))
How to decode Base64 strings?
- Using Bash (CLI) on macOS / Linux
$: echo "SG9va2VkIG9uIHBob25pY3Mgd29ya2VkIGZvciBtZQo=" | base64 --decode
- Using PowerShell (CLI) on Windows
[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('SG9va2VkIG9uIHBob25pY3Mgd29ya2VkIGZvciBtZQo='))
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('SG9va2VkIG9uIHBob25pY3Mgd29ya2VkIGZvciBtZQo='))//we can swap out ASCII for UTF-8 if we prefer
- Using CyberChef
ScriptBlockText: $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(“H4sIA….==”);IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();
Here, you can see that this is a base64 encoded string compressed using GZip. Now, then we can use base64 and gunzip function in CyberChef to decode the string.
References
Decoding Malicious PowerShell Activity — A Case Study — Blog — Sophos Labs — Sophos Community
5 Minute Forensics: Decoding PowerShell Payloads (tevora.com)