De-obfuscate script
POST {{cb_url}}/tau/v2/orgs/{{cb_org_key}}/reveal
Allows users to de-obfuscate obfuscated scripts.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
| script.deobfuscation (previously tau.reveal) | EXECUTE |
Request Body
{"input": "<string>"}
RESPONSES
status: OK
{"original_code":"[Console]::InputEncoding = New-Object Text.UTF8Encoding $false\n\n\nInvoke-AtomicTest T1197 -TestName \"Bitsadmin Download (cmd)\" -PathToAtomicsFolder C:\\AtomicRedTeam\\Cyborg\\atomics -InputArgs @{remote_file = \"SuspiciousTLD\",\n}\n","deobfuscated_code":"[Console]::InputEncoding = New-Object Text.UTF8Encoding $false\n\n\nInvoke-AtomicTest T1197 -TestName \"Bitsadmin Download (cmd)\" -PathToAtomicsFolder C:\\AtomicRedTeam\\Cyborg\\atomics -InputArgs @{remote_file = \"SuspiciousTLD\",\n}\n","identities":["InputEncoding","Invoke-AtomicTest","New-Object","T1197","Text.UTF8Encoding"],"strings":[],"obfuscation_level":0.029678002879441317}
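A minimal client for this endpoint, as an added example that is not part of the original documentation. It builds the POST request and summarises the response fields shown above. Assumptions: the `X-Auth-Token` header format is not stated on this page, and the `triage` helper, its `threshold` value, the host name and the credentials are hypothetical.

```python
import json
import urllib.request

# Assumption (not stated on this page): Carbon Black Cloud API calls are
# authenticated with an X-Auth-Token header of the form "<api_secret>/<api_id>".
def build_reveal_request(cb_url, org_key, auth_token, script):
    """Build the POST to /tau/v2/orgs/{org_key}/reveal without sending it."""
    url = f"{cb_url.rstrip('/')}/tau/v2/orgs/{org_key}/reveal"
    body = json.dumps({"input": script}).encode("utf-8")
    headers = {"Content-Type": "application/json", "X-Auth-Token": auth_token}
    return urllib.request.Request(url, data=body, headers=headers, method="POST")

def reveal(cb_url, org_key, auth_token, script, timeout=30):
    """Send the request and return the decoded JSON response."""
    req = build_reveal_request(cb_url, org_key, auth_token, script)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)

def triage(result, threshold=0.5):
    """Summarise a reveal response for an analyst.

    threshold is a hypothetical cut-off chosen for this example; the page
    does not define how obfuscation_level should be interpreted.
    """
    level = float(result.get("obfuscation_level", 0.0))
    return {
        "changed": result.get("original_code") != result.get("deobfuscated_code"),
        "obfuscation_level": level,
        "flag": level >= threshold,
        "identities": sorted(result.get("identities", [])),
        "strings": list(result.get("strings", [])),
    }

# Constructed sample, shortened from the response shown above.
SAMPLE = {
    "original_code": "Invoke-AtomicTest T1197\n",
    "deobfuscated_code": "Invoke-AtomicTest T1197\n",
    "identities": ["Invoke-AtomicTest", "T1197"],
    "strings": [],
    "obfuscation_level": 0.029678002879441317,
}

if __name__ == "__main__":
    # Placeholder host and credentials; nothing is sent over the network here.
    req = build_reveal_request("https://cb.example", "ORGKEY", "SECRET/ID", "Write-Host hi")
    print(req.get_method(), req.full_url)
    print(triage(SAMPLE))
```

Comparing `original_code` with `deobfuscated_code` shows whether the service changed anything; in the sample response the two are identical.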