Investigating representations of obfuscated malicious PowerShell
Author(s)
Holz, Carolyn J.
Download1127649508-MIT.pdf (1.720Mb)
Other Contributors
Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science.
Advisor
Una-May O'Reilly and Erik Hemberg.
Terms of use
Metadata
Show full item recordAbstract
PowerShell is a popular scripting language due to its widespread use and access to critical system functions. However, these factors also contribute to its popularity amongst malware creators. In addition to the extensive access they can achieve with PowerShell, attackers can also obfuscate their PowerShell to make it more difficult to detect. Current detection methods rely on detecting signatures of known malicious scripts which can be easily broken with simple obfuscations. This work seeks to find a more abstract representation of script functionality using Abstract Syntax Trees so that an unseen obfuscated script can be detected if a related script is already known malware. We determine that simple AST based features such as node count and depth along with distance measures calculated from the node types and node orders within the AST are fairly sufficient to attribute obfuscated scripts to their originating script.
Description
This electronic version was submitted by the student author. The certified thesis is available in the Institute Archives and Special Collections. Thesis: M. Eng., Massachusetts Institute of Technology, Department of Electrical Engineering and Computer Science, 2019 Cataloged from student-submitted PDF version of thesis. Includes bibliographical references (page 54).
Date issued
2019Department
Massachusetts Institute of Technology. Department of Electrical Engineering and Computer SciencePublisher
Massachusetts Institute of Technology
Keywords
Electrical Engineering and Computer Science.