Attackers frequently use powershell -EncodedCommand <base64> to obfuscate malicious scripts. Paste the Base64 string from a -EncodedCommand or -enc argument here to decode it. Uses UTF-16LE encoding as PowerShell does internally.
About Base64, Hex and URL Encoding
Base64 is a binary-to-text encoding scheme that converts binary data into a set of 64 printable ASCII characters. It is widely used in IT and web development to safely transmit data through systems that only handle text. Common uses include encoding email attachments in MIME, embedding images directly in HTML or CSS as data URIs, passing credentials in HTTP Basic Authentication headers and storing binary data in JSON or XML payloads.
Hex encoding converts each byte of data into its two-character hexadecimal representation. This is commonly used in network protocol debugging, memory dump analysis, cryptographic key representation and low-level hardware work. A byte value of 65 (the letter A) becomes the hex string 41.
URL encoding, also called percent encoding, replaces characters that are not safe in URLs with a percent sign followed by two hex digits. For example, a space becomes %20 and an ampersand becomes %26. This is essential when passing special characters in query strings or form submissions.
Common Use Cases
- HTTP Basic Authentication. Credentials are sent as Base64 in the Authorization header. Decode them to verify what credentials an application is using, for example YWRtaW46cGFzc3dvcmQ= decodes to admin:password.
- Malware analysis. Attackers encode PowerShell with -EncodedCommand to bypass plain-text detection. The dedicated decoder reveals the actual script using the correct UTF-16LE encoding PowerShell uses internally.
- API debugging. Decode Base64 tokens from API responses or JWT payloads to inspect their content during development or troubleshooting.
- URL sanitisation. URL-encode query string parameters before passing them to avoid breaking the URL structure when values contain special characters like &, =, + or spaces.
- Windows Event ID 4104. PowerShell script block logging captures encoded commands. Use this tool alongside Event ID 4104 to decode and read the actual script that was executed.
Encoding Examples
Input: Hello, IT World!
Output: SGVsbG8sIElUIFdvcmxkIQ==
Input: 192.168.1.1
Output: 31 39 32 2e 31 36 38 2e 31 2e 31
Input: user=admin&pass=P@$$w0rd!
Output: user%3Dadmin%26pass%3DP%40%24%24w0rd%21
Input: YWRtaW46UEBTJCRXMHJkIQ==
Output: admin:P@S$$W0rd!