Evaluations of AI‐based malicious PowerShell detection with feature optimizations

Song, JiHyeon; Kim, Jung‐Tae; Choi, Sunoh; Kim, Jong-Hyun; Kim, Ikkyun

doi:10.4218/etrij.2020-0215

Cited by 13 publications

(5 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Some antivirus specifically mentions that the file is a backdoor generated by the Metasploit Framework (Figure 6). The results of this study indicate that the level of evasion achieved through the utilization of the Python obfuscation framework and PowerShell is consistent with previous studies [12,16,17,4]. The obfuscated Python payload could successfully bypass the Bitdefender antivirus.…”

Section: Results and Analysis 31 Test Results Using The Virustotal We...supporting

confidence: 88%

“…Nevertheless, in its development, the obfuscation technique is also very effective in avoiding antivirus detection [3]. The growing attacks of fileless malware that do not exist in the file system indicate that the attackers have used the technology developed by the vendors to find their own security vulnerabilities, such as the PowerShell script provided by Microsoft [4,5]. PowerShell script has been used to exploit hidden information on images by embedding malicious commands using techniques such as invoke-PSImage [6].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Evading Antivirus Software Detection Using Python and PowerShell Obfuscation Framework

Aditiawarman,

Dody,

Mantoro

et al. 2023

matrik

View full text Add to dashboard Cite

Avoiding antivirus detection in penetration testing activities is tricky. The simplest, most effective, and most efficient way is to disguise malicious code. However, the obfuscation process will also be very complex and time-consuming if done manually. To solve this problem, many tools or frameworks on the internet can automate the obfuscation process, but how effective are obfuscation tools to avoid antivirus detection are. This study aimed to provide an overview of the effectiveness of the obfus- cation framework in avoiding antivirus detection. This study used experimental design to test and determine the effectiveness of the payload obfuscation process. The first step was generating Python and PowerShell payloads, followed by the obfuscation process. The results showed that by using the right method of obfuscation, malware could become completely undetectable. The automatic obfus- cation process also did not deteriorate the malware’s function. It was proven that the malware could run and open a connection on the server. These findings required more Python obfuscator techniques to determine the effectiveness of the obfuscated payload on the target machines using both static and dynamic analysis

show abstract

Section: Results and Analysis 31 Test Results Using The Virustotal We...supporting

confidence: 88%

Section: Introductionmentioning

confidence: 99%

Evading Antivirus Software Detection Using Python and PowerShell Obfuscation Framework

Aditiawarman,

Dody,

Mantoro

et al. 2023

matrik

View full text Add to dashboard Cite

show abstract

“…A potential avenue for future research is the exploration and analysis of discrepancies between the Extent and EndBlock ASTs. The analysis can be performed by machine learning and would analyze the patterns and structures of ASTs as well as the relationships between different nodes in the tree [25][26][27][28]. By leveraging machine learning algorithms, it may be possible to develop predictive models that can identify previously unseen techniques like ScriptBlock Smuggling.…”

Section: Future Workmentioning

confidence: 99%

ScriptBlock Smuggling: Uncovering Stealthy Evasion Techniques in PowerShell and .NET Environments

Rose,

Graham,

Schubert Kabban

et al. 2024

JCP

View full text Add to dashboard Cite

The Antimalware Scan Interface (AMSI) plays a crucial role in detecting malware within Windows operating systems. This paper presents ScriptBlock Smuggling, a novel evasion and log spoofing technique exploiting PowerShell and .NET environments to circumvent the AMSI. By focusing on the manipulation of ScriptBlocks within the Abstract Syntax Tree (AST), this method creates dual AST representations, one for compiler execution and another for antivirus and log analysis, enabling the evasion of AMSI detection and challenging traditional memory patching bypass methods. This research provides a detailed analysis of PowerShell’s ScriptBlock creation and its inherent security features and pinpoints critical limitations in the AMSI’s capabilities to scrutinize ScriptBlocks and the implications of log spoofing as part of this evasion method. The findings highlight potential avenues for attackers to exploit these vulnerabilities, suggesting the possibility of a new class of AMSI bypasses and their use for log spoofing. In response, this paper proposes a synchronization strategy for ASTs, intended to unify the compilation and malware scanning processes to reduce the threat surfaces in PowerShell and .NET environments.

show abstract

“…Using the novel idea with DL, they successfully identify common intrinsic patterns of PowerShell codes and distinguish malware families. Song et al [25] try to optimize feature selection with a mixture of token-based and AST-based keyword extraction. By combining the vocabulary and structure of PowerShell code, the performance in detecting malicious PowerShell is increased.…”

Section: A Detection Of Malicious Powershellmentioning

confidence: 99%

PowerDP: De-Obfuscating and Profiling Malicious PowerShell Commands With Multi-Label Classifiers

Tsai

Lin

et al. 2023

IEEE Access

View full text Add to dashboard Cite

In recent years, PowerShell has become the common tool that helps attackers launch targeted attacks using living-off-the-land tactics and fileless attack techniques. Unfortunately, malwarederived PowerShell Commands (PSCmds) have typically been obfuscated to hide the malicious intent from detection and analysis. Also, malicious PSCmds' expansive use of multiple obfuscation strategies and encryption methods makes them difficult to be revealed. Despite the advances in malicious PSCmds detection incorporating new approaches such as machine learning and deep learning, there is still no consensus on the solution to de-obfuscating malicious PSCmds and profiling their behavior. To address this challenge, we propose a hybrid framework that combines deep learning and program analysis for automatic PowerShell De-obfuscation and behavioral Profiling (PowerDP) through multi-label classification in a static manner. First, we use character distribution features to forecast obfuscation types of malicious PSCmds. Second, we developed an extensive de-obfuscator utilizing static regular expression replacement to recover the original content of obfuscated PSCmds based on the predicted obfuscation types. Finally, we profile the behavior of PSCmds by features extracted from the abstract syntax tree of PSCmds after deobfuscation. Our results show that PowerDP achieves a promising 99.82% accuracy and 0.18% hamming loss in obfuscation multi-label classification using deep learning. Furthermore, the successful recovery rate of the de-obfuscator against 15 obfuscation types is 98.11% on average with semantic similarity comparison, and the accuracy of the behavior multi-label classification for identifying 5 behaviors in malicious PSCmds averages 98.53%. The evaluation indicates that PowerDP is able to classify and profile complicated PSCmds.INDEX TERMS PowerShell, de-obfuscation, machine learning, deep learning, abstract syntax trees, multi-label classification, behavioral profiling 1 https://attack.mitre.org/matrices/enterprise/ documents are still the best combinations for malware delivery media. Because people remain susceptible to manipulation, human psychological weaknesses result in the main vulnerabilities that can be exploited through social engineering, e.g., spear-phishing attacks. In this scenario, attackers typically attached a well-customized malicious document containing PowerShell Commands (PSCmds) to a forged email. Additionally, impersonation is often used in sender names or contact information to lure targets into opening malicious files.Living-off-the-Land (LotL) tactics and fileless attack VOLUME 0, 2022

show abstract

Evaluations of AI‐based malicious PowerShell detection with feature optimizations

Cited by 13 publications

References 7 publications

Evading Antivirus Software Detection Using Python and PowerShell Obfuscation Framework

Evading Antivirus Software Detection Using Python and PowerShell Obfuscation Framework

ScriptBlock Smuggling: Uncovering Stealthy Evasion Techniques in PowerShell and .NET Environments

PowerDP: De-Obfuscating and Profiling Malicious PowerShell Commands With Multi-Label Classifiers

Contact Info

Product

Resources

About