De-obfuscate script

POST {{cb_url}}/tau/v2/orgs/{{cb_org_key}}/reveal

Allows users to de-obfuscate obfuscated scripts.

RBAC Permissions Required

Permission (.notation name): script.deobfuscation (previously tau.reveal)
Operation(s): EXECUTE

API Documentation

Request Body

{"input": "<string>"}

RESPONSES

status: OK

{
  "original_code": "[Console]::InputEncoding = New-Object Text.UTF8Encoding $false\n\n\nInvoke-AtomicTest T1197 -TestName \"Bitsadmin Download (cmd)\" -PathToAtomicsFolder C:\\AtomicRedTeam\\Cyborg\\atomics -InputArgs @{remote_file = \"SuspiciousTLD\",\n}\n",
  "deobfuscated_code": "[Console]::InputEncoding = New-Object Text.UTF8Encoding $false\n\n\nInvoke-AtomicTest T1197 -TestName \"Bitsadmin Download (cmd)\" -PathToAtomicsFolder C:\\AtomicRedTeam\\Cyborg\\atomics -InputArgs @{remote_file = \"SuspiciousTLD\",\n}\n",
  "identities": ["InputEncoding", "Invoke-AtomicTest", "New-Object", "T1197", "Text.UTF8Encoding"],
  "strings": [],
  "obfuscation_level": 0.029678002879441317
}
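
Example client (added here, not part of the vendor documentation): it builds the POST request described above and reduces a response to the fields an analyst checks first. The `X-Auth-Token` header, the function names, the `level_threshold` cut-off and the sample values are assumptions; the page does not specify authentication or how to interpret `obfuscation_level`.

```python
import json
import urllib.request


def build_reveal_request(cb_url, org_key, script_text, auth_token):
    """Build (without sending) the POST {cb_url}/tau/v2/orgs/{org_key}/reveal request."""
    url = f"{cb_url.rstrip('/')}/tau/v2/orgs/{org_key}/reveal"
    body = json.dumps({"input": script_text}).encode("utf-8")
    headers = {
        "Content-Type": "application/json",
        # Assumption: the auth header is not stated on this page.
        "X-Auth-Token": auth_token,
    }
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def triage_reveal_response(raw_json, level_threshold=0.5):
    """Summarise a reveal response; level_threshold is a hypothetical cut-off."""
    doc = json.loads(raw_json)
    level = float(doc.get("obfuscation_level", 0.0))
    return {
        # True when de-obfuscation actually rewrote the submitted script.
        "changed": doc.get("original_code") != doc.get("deobfuscated_code"),
        "obfuscation_level": level,
        "above_threshold": level >= level_threshold,
        "identities": sorted(doc.get("identities", [])),
        "strings": doc.get("strings", []),
    }


# Constructed sample modelled on the response shown above (script text shortened).
SAMPLE_RESPONSE = json.dumps({
    "original_code": "Invoke-AtomicTest T1197\n",
    "deobfuscated_code": "Invoke-AtomicTest T1197\n",
    "identities": ["InputEncoding", "Invoke-AtomicTest", "New-Object",
                   "T1197", "Text.UTF8Encoding"],
    "strings": [],
    "obfuscation_level": 0.029678002879441317,
})

if __name__ == "__main__":
    # Placeholder host, org key and token; nothing is sent over the network.
    req = build_reveal_request("https://cb.example", "ORGKEY",
                               "Write-Host hi", "SECRET/ID")
    print(req.get_method(), req.full_url)
    print(triage_reveal_response(SAMPLE_RESPONSE))
```

To send the request, pass the returned object to `urllib.request.urlopen` and feed the decoded body to `triage_reveal_response`.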