PowerShell Analyzer
SecOps utility for reversing PowerShell obfuscation. Detects encoded commands, hidden symbols, and malicious intent.
Analysis Logic
This tool performs recursive deobfuscation by identifying common evasion tactics like Base64 sub-shells, backtick escaping, and string concatenation.
- Static Entropy Analysis
- B64 UTF-16LE Decoding
- Signature Matching
Learn more about PowerShell Deobfuscation
Why do attackers obfuscate PowerShell?
PowerShell is a powerful automation tool built into Windows. Attackers use it for "living off the land" (using legitimate system tools for malicious purposes). Obfuscation is used to bypass antivirus (AV) and endpoint detection and response (EDR) systems that look for specific keywords or patterns.
Common Obfuscation Techniques
- Base64 Encoding: Using the `-EncodedCommand` (or `-e`) flag to hide the command string in a Base64 blob of its UTF-16LE bytes.
- Backticks: The backtick is PowerShell's escape character, and a backtick placed before a character that does not form an escape sequence (unlike `n or `t) is simply dropped, so ``wr`ite-`h`o`st`` is equivalent to `write-host`.
- String Concatenation: Splitting malicious strings like `'ht' + 'tp'` to avoid detection.
- Character Encoding: Using character codes such as `[char]104` and `[char]116` in place of the literal `"ht"`.
Security Best Practices
To protect against malicious PowerShell, organizations should enable Script Block Logging and Constrained Language Mode, and ideally sign all internal scripts.
Privacy Note
This tool analyzes your payloads locally in the browser. No code is sent to our servers, making it safe for analyzing potentially sensitive or malicious scripts without exposure.