Decoding TADDM Base64 commands

When TADDM executes remote commands using the TaddmTool.exe binary it encodes the actual command using Base64. Base64 is a binary-to-text encoding scheme that represents binary data in an ASCII string format by translating it into a radix-64 representation.

the following example is taken from a Sensor log and in it you can see the actual command it executes is ZQBjAGgAbwAgACUAdwBpAG4AZABpAHIAJQA=.

2016-07-04 12:27:26,716 DiscoverManager [DiscoverWorker-19] 2016070412253537#ExchangeSensor- DEBUG session.AbstractWindowsSessionClient – executeCommand[cmd.exe /c C:/WINDOWS/temp/taddm.6hod7b/TaddmTool.exe -DTADDM_ID=”6hod7b” -DTADDM_USERNAME=”ORB\TADDMSCAN” -DTADDM_TIMEOUT=”3300″   @ RunCommandBase64 ZQBjAGgAbwAgACUAdwBpAG4AZABpAHIAJQA=]: 0.738 seconds elapsed

This is clearly difficult to debug if the command fails however it is relatively easy to decode this output.

To do this follow this 4 step process:

  1. Go to the website
  2. Type the encoded text into the window i..e ZQBjAGgAbwAgACUAdwBpAG4AZABpAHIAJQA=
  3. Press <DECODE>
  4. Copy the decoded output (e?c?h?o? ?%?w?i?n?d?i?r?%?) to a text editor and remove all the ? symbols. The result is a clear text display of the command it is running (echo %windir%)




Views: 40