Generic, efficient, and effective deobfuscation and semantic-aware attack detection for PowerShell scripts

Chunlin Xiong, Zhenyuan Li, Yan Chen, Tiantian Zhu, Jian Wang, Hai Yang, Wei Ruan*

*Corresponding author for this work

Research output: Contribution to journal › Article › peer-review

4 Scopus citations

Abstract

In recent years, PowerShell has increasingly been reported in a wide variety of cyber attacks. However, because the PowerShell language is dynamic by design and can construct script fragments at different levels, state-of-the-art static-analysis-based PowerShell attack detection approaches are inherently vulnerable to obfuscation. In this paper, we design the first generic, effective, and lightweight deobfuscation approach for PowerShell scripts. To precisely identify the obfuscated script fragments, we define obfuscation based on the differences in its impact on the abstract syntax trees of PowerShell scripts and propose a novel emulation-based recovery technique. Furthermore, we design the first semantic-aware PowerShell attack detection system, which leverages the classic objective-oriented association mining algorithm and 31 newly identified semantic signatures. The experimental results on 2342 benign samples and 4141 malicious samples show that our deobfuscation method takes less than 0.5 s on average and increases the similarity between the obfuscated and original scripts from 0.5% to 93.2%. By deploying our deobfuscation method, the attack detection rates of Windows Defender and VirusTotal increase substantially from 0.33% and 2.65% to 78.9% and 94.0%, respectively. Moreover, our detection system outperforms both existing tools, with a 96.7% true positive rate and a 0% false positive rate on average.

Original language: English (US)
Pages (from-to): 361-381
Number of pages: 21
Journal: Frontiers of Information Technology and Electronic Engineering
Volume: 23
Issue number: 3
DOIs
State: Published - Mar 2022

Funding

Project supported by the National Natural Science Foundation of China (No. U1936215)

Keywords

  • Abstract syntax tree
  • Malicious script detection
  • Obfuscation and deobfuscation
  • PowerShell
  • TP309

ASJC Scopus subject areas

  • Signal Processing
  • Hardware and Architecture
  • Computer Networks and Communications
  • Electrical and Electronic Engineering

