 * These are commonly used in malware to bypass security tools.
 *
 * Walks every command in `parsed`; when one is a pwsh/powershell host
 * invocation carrying `-EncodedCommand` (or whatever abbreviation
 * psExeHasParamAbbreviation accepts given the `'-encodedcommand'` / `'-e'`
 * arguments), the result is `ask`. Otherwise the command passes through.
 * The base64 payload is not decoded or inspected here, so the `ask` handler
 * is the only place the real command text can be judged.
 *
 * NOTE(review): pwsh also accepts base64 input via `-EncodedArguments`;
 * that switch is not covered by this check — confirm whether a separate
 * check handles it.
 */
function checkEncodedCommand(
  parsed: ParsedPowerShellCommand,
): PowerShellSecurityResult {
  for (const command of getAllCommands(parsed)) {
    // Only a PowerShell host process can take -EncodedCommand; a "-e" on any
    // other executable is not our concern here.
    if (!isPowerShellExecutable(command.name)) {
      continue
    }
    if (!psExeHasParamAbbreviation(command, '-encodedcommand', '-e')) {
      continue
    }
    // First match wins: one encoded invocation is enough to require a prompt.
    return {
      behavior: 'ask',
      message: 'Command uses encoded parameters which obscure intent',
    }
  }
  return { behavior: 'passthrough' }
}
| 181 | |
| 182 | /** |
| 183 | * Checks for PowerShell re-invocation (nested pwsh/powershell process). |