Invoke-Deobfuscation: AST-Based and Semantics-Preserving Deobfuscation for PowerShell Scripts

Chai, Huajun; Ying, Lingyun; Duan, Haixin; Zha, Daren

doi:10.1109/dsn53405.2022.00039

Cited by 6 publications

(1 citation statement)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…On the other hand, recently emerging techniques such as Machine Learning (ML) and Deep Learning (DL) have shown that they could offer researchers alternative solutions [18]- [21] for developing cutting-edge methods to combat cybersecurity challenges. In general, several studies achieve better performance than traditional signature scanning and execution monitoring mechanisms, including detection with vector representation features from Abstract Syntax Tree (AST) [22]- [26], Natural Language Processing (NLP) [27]- [30], and Graph Neural Network (GNN) [31] inference to differentiate between malicious and benign scripts. However, to the best of our knowledge, previous studies by ML and DL cannot be considered conclusive as they mainly focus on binary classification that discriminates malicious PSCmds from benign ones, and often fail to reveal semantics or malicious intent behind the obfuscated PSCmds.…”

Section: Introductionmentioning

confidence: 99%

PowerDP: De-Obfuscating and Profiling Malicious PowerShell Commands With Multi-Label Classifiers

Tsai

Lin

et al. 2023

IEEE Access

View full text Add to dashboard Cite

In recent years, PowerShell has become the common tool that helps attackers launch targeted attacks using living-off-the-land tactics and fileless attack techniques. Unfortunately, malwarederived PowerShell Commands (PSCmds) have typically been obfuscated to hide the malicious intent from detection and analysis. Also, malicious PSCmds' expansive use of multiple obfuscation strategies and encryption methods makes them difficult to be revealed. Despite the advances in malicious PSCmds detection incorporating new approaches such as machine learning and deep learning, there is still no consensus on the solution to de-obfuscating malicious PSCmds and profiling their behavior. To address this challenge, we propose a hybrid framework that combines deep learning and program analysis for automatic PowerShell De-obfuscation and behavioral Profiling (PowerDP) through multi-label classification in a static manner. First, we use character distribution features to forecast obfuscation types of malicious PSCmds. Second, we developed an extensive de-obfuscator utilizing static regular expression replacement to recover the original content of obfuscated PSCmds based on the predicted obfuscation types. Finally, we profile the behavior of PSCmds by features extracted from the abstract syntax tree of PSCmds after deobfuscation. Our results show that PowerDP achieves a promising 99.82% accuracy and 0.18% hamming loss in obfuscation multi-label classification using deep learning. Furthermore, the successful recovery rate of the de-obfuscator against 15 obfuscation types is 98.11% on average with semantic similarity comparison, and the accuracy of the behavior multi-label classification for identifying 5 behaviors in malicious PSCmds averages 98.53%. The evaluation indicates that PowerDP is able to classify and profile complicated PSCmds.INDEX TERMS PowerShell, de-obfuscation, machine learning, deep learning, abstract syntax trees, multi-label classification, behavioral profiling 1 https://attack.mitre.org/matrices/enterprise/ documents are still the best combinations for malware delivery media. Because people remain susceptible to manipulation, human psychological weaknesses result in the main vulnerabilities that can be exploited through social engineering, e.g., spear-phishing attacks. In this scenario, attackers typically attached a well-customized malicious document containing PowerShell Commands (PSCmds) to a forged email. Additionally, impersonation is often used in sender names or contact information to lure targets into opening malicious files.Living-off-the-Land (LotL) tactics and fileless attack VOLUME 0, 2022

show abstract