Representative literature
Generic, efficient, and effective deobfuscation and semantic-aware attack detection for PowerShell scripts
Abstract:
In recent years, PowerShell has increasingly been reported as appearing in a variety of cyber attacks. However, because the PowerShell language is dynamic by design and can construct script fragments at different levels, state-of-the-art static analysis based PowerShell attack detection approaches are inherently vulnerable to obfuscations. In this paper, we design the first generic, effective, and lightweight deobfuscation approach for PowerShell scripts. To precisely identify the obfuscated script fragments, we define obfuscation based on the differences in the impacts on the abstract syntax trees of PowerShell scripts and propose a novel emulation-based recovery technology. Furthermore, we design the first semantic-aware PowerShell attack detection system that leverages the classic objective-oriented association mining algorithm and newly identifies 31 semantic signatures. The experimental results on 2342 benign samples and 4141 malicious samples show that our deobfuscation method takes less than 0.5 s on average and increases the similarity between the obfuscated and original scripts from 0.5% to 93.2%. By deploying our deobfuscation method, the attack detection rates for Windows Defender and VirusTotal increase substantially from 0.33% and 2.65% to 78.9% and 94.0%, respectively. Moreover, our detection system outperforms both existing tools with a 96.7% true positive rate and a 0% false positive rate on average.
Keywords:
CLC number:
Authors:
Chunlin XIONG; Zhenyuan LI; Yan CHEN; Tiantian ZHU; Jian WANG; Hai YANG; Wei RUAN
Author affiliations:
College of Computer Science and Technology, Zhejiang University, Hangzhou 310027, China; Department of Electrical Engineering and Computer Science, Northwestern University, Evanston, IL 60208, USA; College of Computer Science and Technology, Zhejiang University of Technology, Hangzhou 310023, China; Magic Shield Co., Ltd., Hangzhou 310027, China; College of Control Science and Engineering, Zhejiang University, Hangzhou 310027, China
Source:
Citation format:
[1] Chunlin XIONG; Zhenyuan LI; Yan CHEN; Tiantian ZHU; Jian WANG; Hai YANG; Wei RUAN. Generic, efficient, and effective deobfuscation and semantic-aware attack detection for PowerShell scripts [J]. 信息与电子工程前沿(英文), 2022(03): 361-381
Category A:
deobfuscation,obfuscations,obfuscated,obfuscation,Defender,VirusTotal
Category B:
Generic,efficient,effective,semantic,aware,detection,PowerShell,scripts,In,recent,years,has,increasingly,been,reported,appearing,variety,cyber,attacks,However,because,language,dynamic,by,design,can,construct,fragments,different,levels,state,art,static,analysis,approaches,inherently,vulnerable,this,paper,first,generic,lightweight,precisely,identify,define,differences,impacts,abstract,syntax,trees,propose,novel,emulation,recovery,technology,Furthermore,system,that,leverages,classic,objective,oriented,association,mining,algorithm,newly,identifies,signatures,experimental,results,benign,samples,malicious,show,our,method,takes,less,than,average,increases,similarity,between,original,from,By,deploying,rates,Windows,substantially,respectively,Moreover,outperforms,both,existing,tools,true,positive,false
AB value:
0.511935
Similar literature
The machine-assigned CLC number is generated automatically by 域田数据科技 from publicly available online data and is provided for study and research reference only.