Investigating representations of obfuscated malicious PowerShell
Author(s)Holz, Carolyn J.
Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science.
Una-May O'Reilly and Erik Hemberg.
MetadataShow full item record
PowerShell is a popular scripting language due to its widespread use and access to critical system functions. However, these factors also contribute to its popularity amongst malware creators. In addition to the extensive access they can achieve with PowerShell, attackers can also obfuscate their PowerShell to make it more difficult to detect. Current detection methods rely on detecting signatures of known malicious scripts which can be easily broken with simple obfuscations. This work seeks to find a more abstract representation of script functionality using Abstract Syntax Trees so that an unseen obfuscated script can be detected if a related script is already known malware. We determine that simple AST based features such as node count and depth along with distance measures calculated from the node types and node orders within the AST are fairly sufficient to attribute obfuscated scripts to their originating script.
This electronic version was submitted by the student author. The certified thesis is available in the Institute Archives and Special Collections.Thesis: M. Eng., Massachusetts Institute of Technology, Department of Electrical Engineering and Computer Science, 2019Cataloged from student-submitted PDF version of thesis.Includes bibliographical references (page 54).
DepartmentMassachusetts Institute of Technology. Department of Electrical Engineering and Computer Science
Massachusetts Institute of Technology
Electrical Engineering and Computer Science.