PowerShell is now a widely used technology for administering and managing Windows-based operating systems. However, it is also extensively used by malware vectors to execute payloads or drop additional malicious content. As with other scripting languages used by malware, PowerShell attacks are challenging to analyze because of their extensive use of multiple obfuscation layers, which make the real malicious code hard to unveil. To the best of our knowledge, a comprehensive solution for properly de-obfuscating such attacks is currently missing. In this paper, we present PowerDrive, an open-source, static and dynamic multi-stage de-obfuscator for PowerShell attacks. PowerDrive instruments the PowerShell code to progressively de-obfuscate it, showing the analyst the obfuscation steps that were employed. We used PowerDrive to successfully analyze thousands of PowerShell attacks extracted from various malware vectors and executables. The results reveal interesting patterns used by attackers to devise their malicious scripts. Moreover, we provide a taxonomy of the behavioral models adopted by the analyzed scripts and a comprehensive list of the malicious domains contacted during the analysis.
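To illustrate the layer-by-layer peeling the abstract describes, here is a small static de-obfuscator that records each obfuscation step it removes (an added example written for this page, not PowerDrive's own code, which instruments the PowerShell engine rather than pattern-matching text). The layer names, the regular expressions and the benign sample script are this example's own constructions.

```python
import base64
import re

STR = r'\'[^\']*\'|"[^"]*"'  # one PowerShell string literal (escape sequences not handled)

def peel_encoded_command(script):  # -EncodedCommand / -enc / -e <base64>: payload is UTF-16LE
    m = re.search(r'(?:^|\s)-e[a-z]*\s+([A-Za-z0-9+/=]{8,})', script, re.I)
    try:
        return base64.b64decode(m.group(1), validate=True).decode('utf-16-le') if m else None
    except (ValueError, UnicodeDecodeError):  # not real base64 / not UTF-16 text: layer does not apply
        return None

def peel_format_operator(script):  # ("{1}{0}" -f 'b', 'a')  ->  'ab'
    pat = r'\(\s*(%s)\s*-f\s*((?:%s)(?:\s*,\s*(?:%s))*)\s*\)' % (STR, STR, STR)
    m = re.search(pat, script, re.I)
    if not m:
        return None
    args = [a[1:-1] for a in re.findall(STR, m.group(2))]
    try:
        value = re.sub(r'\{(\d+)\}', lambda k: args[int(k.group(1))], m.group(1)[1:-1])
    except IndexError:  # placeholder index beyond the argument list: malformed, leave it alone
        return None
    return script[:m.start()] + "'" + value + "'" + script[m.end():]

def peel_string_concat(script):  # 'Wri' + 'te-Host'  ->  'Write-Host'
    m = re.search(r'(%s)\s*\+\s*(%s)' % (STR, STR), script)
    return script[:m.start()] + "'" + m.group(1)[1:-1] + m.group(2)[1:-1] + "'" + script[m.end():] if m else None

def peel_redundant_parens(script):  # ('Write-Host')  ->  'Write-Host'
    m = re.search(r'\(\s*(%s)\s*\)' % STR, script)
    return script[:m.start()] + m.group(1) + script[m.end():] if m else None

LAYERS = [('encoded-command', peel_encoded_command), ('format-operator', peel_format_operator),
          ('string-concat', peel_string_concat), ('redundant-parens', peel_redundant_parens)]

def deobfuscate(script, max_rounds=100):  # returns (final script, [(layer name, result), ...])
    steps = []
    for _ in range(max_rounds):
        for name, layer in LAYERS:  # peel one layer per round so the analyst sees every step
            out = layer(script)
            if out is not None and out != script:
                steps.append((name, out))
                script = out
                break
        else:  # no layer applied: nothing left to peel
            break
    return script, steps

# Constructed sample (not from the paper): a benign command under three layers, launched via -enc.
INNER = "& ('Wri'+'te-Host') (\"{1}{0}\" -f 'ello, analyst', 'h')"
SAMPLE = "powershell -NoP -enc " + base64.b64encode(INNER.encode('utf-16-le')).decode()
```

Running `deobfuscate(SAMPLE)` yields the four recorded steps (encoded-command, format-operator, string-concat, redundant-parens) and the plain command `& 'Write-Host' 'hello, analyst'`.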