| external help file | Module Name | online version | schema |
|---|---|---|---|
PowerGRR-help.xml |
PowerGRR |
2.0.0 |
Decode a base64 encoded string. This function is used also inside fetching results when only payload should be returned.
ConvertFrom-Base64 [[-String] <String>] [-Encoding <String>] [<CommonParameters>]
Some flows return an base64 encoded string in the payload. Use this function to convert it.
PS C:\> $sha256_b64 = $_.payload.hash_entry.sha256; $hash = Convertfrom-Base64 $sha256_b64 -Encoding Unicode | ConvertTo-Hex
Convert the collected sha256 hash (hash_entry e.g. from file finder flow) to the corresponding hex representation. The payload from GRR is base64 encoded, therefore Convertfrom-Base64 provides the needed step in between. For a hash conversion the use of "-Encoding Unicode" is needed.
PS C:\> ConvertFrom-Base64 "R1JSIGlzIGF3ZXNvbWU="
Convert the collected sha256 hash (hash_entry e.g. from file finder flow) to the corresponding hex representation. The payload from GRR is base64 encoded, therefore Convertfrom-Base64 provides the needed step in between.
PS C:\> $ret = $ret.items | ? {($_.payload | ConvertFrom-Base64) -match "false" }
Analyse return values from a hunt and filter them for specific payload values.
Base64 encoded string to decode.
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: 0
Default value: None
Accept pipeline input: True (ByValue)
Accept wildcard characters: FalseEncoding to use. Unicode or UTF8.
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: FalseThis cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).