Abstract
PowerShell is nowadays a widely used technology for administering and managing Windows-based operating systems. However, it is also extensively used by malware vectors to execute payloads or drop additional malicious content. As with other scripting languages used by malware, PowerShell attacks are challenging to analyze because of the extensive use of multiple obfuscation layers, which make the real malicious code hard to unveil. To the best of our knowledge, a comprehensive solution for properly de-obfuscating such attacks is currently missing. In this paper, we present PowerDrive, an open-source, static and dynamic multi-stage de-obfuscator for PowerShell attacks. PowerDrive instruments the PowerShell code to progressively de-obfuscate it, showing the analyst the obfuscation steps that were employed. We used PowerDrive to successfully analyze thousands of PowerShell attacks extracted from various malware vectors and executables. The attained results show interesting patterns used by attackers to devise their malicious scripts. Moreover, we provide a taxonomy of behavioral models adopted by the analyzed codes and a comprehensive list of the malicious domains contacted during the analysis.
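To make the idea of progressive, layer-by-layer de-obfuscation concrete, the following Python script is an added illustration and is not PowerDrive's code or method. It peels two obfuscation layers that PowerShell itself supports (the base64/UTF-16LE encoding consumed by `-EncodedCommand`, and string literals split with the `+` concatenation operator) and records every intermediate text so an analyst can see which step produced what. The input is a constructed, benign command wrapped in three layers; the peeling functions, their names and the `max_layers` bound are assumptions of this example.

```python
import base64
import re

# Constructed sample: a benign command split by string concatenation and then
# wrapped twice in the -EncodedCommand (UTF-16LE + base64) encoding.
INNER = "Write-Output 'hello from the inner layer'"
CONCAT = "Write-Output ('hello '+'from the '+'inner layer')"


def encode_command(script: str) -> str:
    """Wrap a script the way PowerShell's -EncodedCommand expects it."""
    blob = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return "powershell -EncodedCommand " + blob


SAMPLE = encode_command(encode_command(CONCAT))

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (longest alias first).
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# ( 'a' + 'b' + ... ) : a parenthesised run of single-quoted literals joined with +.
CONCAT_RE = re.compile(r"\(\s*'[^']*'(?:\s*\+\s*'[^']*')+\s*\)")


def peel_encoded(text: str):
    """Decode one -EncodedCommand layer; None if the text has no such layer."""
    m = ENC_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        # Not valid base64 / UTF-16LE: treat as "no layer" rather than crash.
        return None


def peel_concat(text: str):
    """Collapse ('a'+'b') into 'ab'; None if nothing was rewritten."""
    def join(m):
        parts = re.findall(r"'([^']*)'", m.group(0))
        return "'" + "".join(parts) + "'"
    new = CONCAT_RE.sub(join, text)
    return new if new != text else None


PEELERS = (("encoded-command", peel_encoded), ("string-concat", peel_concat))


def deobfuscate(script: str, max_layers: int = 10):
    """Apply the peelers until none fires; return [(layer name, text), ...]."""
    steps = [("input", script)]
    current = script
    for _ in range(max_layers):  # bound the loop for self-referential inputs
        for name, peel in PEELERS:
            result = peel(current)
            if result is not None:
                steps.append((name, result))
                current = result
                break
        else:
            break  # no peeler changed anything: innermost layer reached
    return steps


if __name__ == "__main__":
    for name, text in deobfuscate(SAMPLE):
        print(f"[{name}] {text[:70]}")
```

Each entry of the returned list is one unveiled layer, which is the kind of trace an analyst needs to judge whether the innermost code is what the outer layers were hiding; a real tool would add peelers for further transformations and, as PowerDrive does, combine this static pass with dynamic instrumentation.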
Acknowledgements
This work was partially supported by the INCLOSEC (funded by Sardegna Ricerche - CUPs G88C17000080006) and PISDAS (funded by Regione Autonoma della Sardegna - CUP E27H14003150007) projects.
© 2019 Springer Nature Switzerland AG
Cite this paper
Ugarte, D., Maiorca, D., Cara, F., Giacinto, G. (2019). PowerDrive: Accurate De-obfuscation and Analysis of PowerShell Malware. In: Perdisci, R., Maurice, C., Giacinto, G., Almgren, M. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2019. Lecture Notes in Computer Science(), vol 11543. Springer, Cham. https://doi.org/10.1007/978-3-030-22038-9_12
DOI: https://doi.org/10.1007/978-3-030-22038-9_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-22037-2
Online ISBN: 978-3-030-22038-9