When TADDM executes remote commands using the TaddmTool.exe binary it encodes the actual command using Base64. Base64 is a binary-to-text encoding scheme that represents binary data in an ASCII string format by translating it into a radix-64 representation.

the following example is taken from a Sensor log and in it you can see the actual command it executes is ZQBjAGgAbwAgACUAdwBpAG4AZABpAHIAJQA=.

2016-07-04 12:27:26,716 DiscoverManager [DiscoverWorker-19] 2016070412253537#ExchangeSensor-192.168.11.10 DEBUG session.AbstractWindowsSessionClient – executeCommand[cmd.exe /c C:/WINDOWS/temp/taddm.6hod7b/TaddmTool.exe -DTADDM_ID=”6hod7b” -DTADDM_USERNAME=”ORB\TADDMSCAN” -DTADDM_TIMEOUT=”3300″   @192.168.11.10 RunCommandBase64 ZQBjAGgAbwAgACUAdwBpAG4AZABpAHIAJQA=]: 0.738 seconds elapsed

This is clearly difficult to debug if the command fails however it is relatively easy to decode this output.

To do this follow this 4 step process:

1. Go to the website https://www.base64decode.org/
2. Type the encoded text into the window i..e ZQBjAGgAbwAgACUAdwBpAG4AZABpAHIAJQA=
3. Press <DECODE>
4. Copy the decoded output (e?c?h?o? ?%?w?i?n?d?i?r?%?) to a text editor and remove all the ? symbols. The result is a clear text display of the command it is running (echo %windir%)

Visits: 40