01 March 2022
tl;dr: A Python script that automates removing comments and newlines from PowerShell scripts: https://github.com/FortyNorthSecurity/RandomScripts/blob/main/Cobalt Scripts/remove_comments.py
It's not often that we use PowerShell on our assessments. Most of the tools that we do use have been rewritten in C#, which is the format we've predominantly been using. With that said, depending on the endpoint configuration, we may at times choose to use PowerShell scripts to accomplish whatever task we need done (or maybe we're on a pen test and aren't concerned about using PowerShell).
While it is funny to think about, one of the first steps we usually have to do if we want to run a PowerShell script is strip out all comments and author handles from the script. As I'm sure everyone reading this blog post is aware, both of these (comments and handles) can be, and are, used to help write detections for specific scripts.
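For rule authors, the point above can be checked directly: the following added example (not part of the original post or of the linked script) audits a list of signature strings against a script and reports which ones match only inside comments, and therefore stop matching once comments are removed. The sample script, the handle, and the signature strings are constructed for illustration, and the lexer is a simplification that does not handle here-strings.

```python
import re

# Constructed sample: a PowerShell script with an author handle and comments.
SAMPLE = '''<#
.SYNOPSIS
    Example enumeration helper. Author: @example_handle
#>
function Invoke-ExampleEnum {
    # Query local group membership
    $tag = "#not-a-comment"
    Get-LocalGroupMember -Group "Administrators"
}
'''

# Hypothetical signature strings that a detection rule might key on.
SIGNATURES = ["@example_handle", "Query local group membership",
              "Invoke-ExampleEnum", "Get-LocalGroupMember", "#not-a-comment"]

# Strings are tokenized alongside comments so a '#' inside quotes is not
# mistaken for the start of a comment.
STRING = r'"(?:[^"`]|`.|"")*"' + r"|'(?:[^']|'')*'"
COMMENT = r"<#.*?#>|#[^\n]*"
TOKEN = re.compile(f"(?P<str>{STRING})|(?P<cmt>{COMMENT})", re.S)

def comment_spans(script):
    """Return (start, end) offsets of every block and line comment."""
    return [m.span() for m in TOKEN.finditer(script) if m.lastgroup == "cmt"]

def audit(script, signatures):
    """Classify each signature as 'absent', 'comment-only' or 'code'."""
    spans = comment_spans(script)
    result = {}
    for sig in signatures:
        hits = [m.start() for m in re.finditer(re.escape(sig), script, re.I)]
        if not hits:
            result[sig] = "absent"
        elif all(any(s <= h and h + len(sig) <= e for s, e in spans)
                 for h in hits):
            result[sig] = "comment-only"   # brittle: gone once comments go
        else:
            result[sig] = "code"           # anchored in code or string data
    return result

if __name__ == "__main__":
    for sig, verdict in audit(SAMPLE, SIGNATURES).items():
        print(f"{verdict:13} {sig}")
```

Signatures reported as `comment-only` are the ones to supplement with strings anchored in the script's code, such as function names and cmdlet calls.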
Removing this info used to be something that could easily be done; however, with longer scripts, manually removing all of this info can be time-consuming. And let's be real, I'm lazy and don't want to manually remove this info every time, so we wrote a small script to help automate this process.
All that you need to do is edit the source code to point to the script that you want to remove extra info from, and it'll handle removing:
After adding in the path to the script that you want to strip and the path for the stripped script, run the script and see the difference.
While relatively basic, the script gets the job done and saves us some time. Hopefully it is helpful for you too! If you have any questions, don't hesitate to contact us anytime.