Skip to main content
SpringerLink
Log in

PowerDrive: Accurate De-obfuscation and Analysis of PowerShell Malware

  • Conference paper
  • First Online:
Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2019)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11543))

Abstract

PowerShell is nowadays a widely-used technology to administrate and manage Windows-based operating systems. However, it is also extensively used by malware vectors to execute payloads or drop additional malicious contents. Similarly to other scripting languages used by malware, PowerShell attacks are challenging to analyze due to the extensive use of multiple obfuscation layers, which make the real malicious code hard to be unveiled. To the best of our knowledge, a comprehensive solution for properly de-obfuscating such attacks is currently missing. In this paper, we present PowerDrive, an open-source, static and dynamic multi-stage de-obfuscator for PowerShell attacks. PowerDrive instruments the PowerShell code to progressively de-obfuscate it by showing the analyst the employed obfuscation steps. We used PowerDrive to successfully analyze thousands of PowerShell attacks extracted from various malware vectors and executables. The attained results show interesting patterns used by attackers to devise their malicious scripts. Moreover, we provide a taxonomy of behavioral models adopted by the analyzed codes and a comprehensive list of the malicious domains contacted during the analysis.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 59.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 79.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Anckaert, B., Madou, M., Sutter, B.D., Bus, B.D., Bosschere, K.D., Preneel, B.: Program obfuscation: a quantitative approach. In: Proceedings of the 2007 ACM Workshop on Quality of Protection, QoP 2007, pp. 15–20. ACM, New York (2007)

    Google Scholar 

  2. Bichsel, B., Raychev, V., Tsankov, P., Vechev, M.: Statistical deobfuscation of android applications. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS 2016, pp. 343–355. ACM, New York (2016)

    Google Scholar 

  3. Bohannon, D.: Invoke-obfuscation. https://github.com/danielbohannon/Invoke-Obfuscation

  4. Bohannon, D., Holmes, L.: Revoke-obfuscation (2017). https://github.com/danielbohannon/Revoke-Obfuscation

  5. Bohannon, D., Holmes, L.: Revoke-obfuscation: powershell obfuscation detection using science (2017). https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/revoke-obfuscation-report.pdf

  6. Security Boulevard. Following a trail of confusion: PowerShell in malicious office documents (2018). https://www.bromium.com/powershell-malicious-office-documents/

  7. Collberg, C., Thomborson, C., Low, D.: A taxonomy of obfuscating transformations. Technical report 148, Department of Computer Sciences, The University of Auckland, July 1997

    Google Scholar 

  8. Coogan, K., Lu, G., Debray, S.K.: Deobfuscation of virtualization-obfuscated software: a semantics-based approach. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, CCS 2011, pp. 275–284. ACM, New York (2011)

    Google Scholar 

  9. ESET. VBA dynamic hook (2016). https://github.com/eset/vba-dynamic-hook

  10. FireEye. Malicious PowerShell detection via machine learning, July 2018. https://www.fireeye.com/blog/threat-research/2018/07/malicious-powershell-detection-via-machine-learning.html

  11. O’Reilly, U.-M., Rusak, G., Al-Dujaili, A.: Poster: AST-based deep learning for detecting malicious PowerShell. CoRR, abs/1810.09230 (2018)

    Google Scholar 

  12. Google. Virustotal. https://www.virustotal.com

  13. Grant, D.: Deobfuscating PowerShell: putting The toothpaste back in the tube, October 2018. https://www.endgame.com/blog/technical-blog/deobfuscating-powershell-putting-toothpaste-back-tube

  14. Hendler, D., Kels, S., Rubin, A.: Detecting malicious PowerShell commands using deep neural networks. In: Proceedings of the 2018 on Asia Conference on Computer and Communications Security, ASIACCS 2018, pp. 187–197. ACM, New York (2018)

    Google Scholar 

  15. Kruegel, C., Robertson, W., Valeur, F., Vigna, G.: Static disassembly of obfuscated binaries. In Proceedings of the 13th Conference on USENIX Security Symposium, SSYM 2004, vol. 13, p. 18. USENIX Association, Berkeley (2004)

    Google Scholar 

  16. Malwarebytes. State of Malware Report (2019). https://resources.malwarebytes.com/files/2019/01/Malwarebytes-Labs-2019-State-of-Malware-Report-2.pdf

  17. McAfee. Fileless malware execution with PowerShell is easier than you may realize (2017). https://www.mcafee.com/enterprise/en-us/assets/solution-briefs/sb-fileless-malware-execution.pdf

  18. McAfee. Labs Threats Report, September 2018. https://www.mcafee.com/enterprise/en-us/assets/reports/rp-quarterly-threats-sep-2018.pdf

  19. Microsoft Corporation. PowerShell. https://docs.microsoft.com/en-us/powershell/scripting/powershell-scripting?view=powershell-6

  20. PaloAlto. Pulling back the curtains on encoded command PowerShell attacks (2017). https://researchcenter.paloaltonetworks.com/2017/03/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/

  21. PDQ. Powershell Commands List. https://www.pdq.com/powershell/

  22. R3RUM. Psdecode (2018). https://github.com/R3MRUM/PSDecode

  23. Rapid7. Metasploit. https://www.metasploit.com

  24. Rousseau, A.: Hijacking.net to defend PowerShell. CoRR, abs/1709.07508 (2017)

    Google Scholar 

  25. Sharif, M., Lanzi, A., Giffin, J., Lee, W.: Automatic reverse engineering of malware emulators. In: 2009 30th IEEE Symposium on Security and Privacy, pp. 94–109, May 2009

    Google Scholar 

  26. Sophos. SophosLabs 2019 Threat Report (2018). https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophoslabs-2019-threat-report.pdf

  27. Symantec. Internet Security Threat Report, March 2018. https://www.symantec.com/content/dam/symantec/docs/reports/istr-23-2018-en.pdf

  28. Trustedsec. Social engineering toolkit. https://github.com/trustedsec/social-engineer-toolkit

  29. Udupa, S.K., Debray, S.K., Madou, M.: Deobfuscation: reverse engineering obfuscated code. In: 12th Working Conference on Reverse Engineering (WCRE 2005), 10 pp.-54, November 2005

    Google Scholar 

  30. Ugarte, D.: Powerdrive (2019). https://github.com/denisugarte/PowerDrive

  31. Wong, M.Y., Lie, D.: Tackling runtime-based obfuscation in android with TIRO. In: Proceedings of the 27th USENIX Conference on Security Symposium, SEC 2018, pp. 1247–1262. USENIX Association, Berkeley (2018)

    Google Scholar 

  32. Yadegari, B., Johannesmeyer, B., Whitely, B., Debray, S.K.: A generic approach to automatic deobfuscation of executable code. In: 2015 IEEE Symposium on Security and Privacy, pp. 674–691, May 2015

    Google Scholar 

Download references

Acknowledgements

This work was partially supported by the INCLOSEC (funded by Sardegna Ricerche - CUPs G88C17000080006) and PISDAS (funded by Regione Autonoma della Sardegna - CUP E27H14003150007) projects.

Author information

Authors and Affiliations

  1. Department of Electrical and Electronic Engineering, University of Cagliari, Cagliari, Italy

    Denis Ugarte, Davide Maiorca, Fabrizio Cara & Giorgio Giacinto

Authors
  1. Denis Ugarte
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Davide Maiorca
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Fabrizio Cara
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Giorgio Giacinto
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Davide Maiorca .

Editor information

Editors and Affiliations

  1. University of Georgia, Athens, GA, USA

    Roberto Perdisci

  2. University of Rennes, CNRS, IRISA, Rennes, France

    Clémentine Maurice

  3. University of Cagliari, Cagliari, Italy

    Giorgio Giacinto

  4. Chalmers University of Technology, Gothenburg, Sweden

    Magnus Almgren

Rights and permissions

Reprints and permissions

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Ugarte, D., Maiorca, D., Cara, F., Giacinto, G. (2019). PowerDrive: Accurate De-obfuscation and Analysis of PowerShell Malware. In: Perdisci, R., Maurice, C., Giacinto, G., Almgren, M. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2019. Lecture Notes in Computer Science(), vol 11543. Springer, Cham. https://doi.org/10.1007/978-3-030-22038-9_12

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-22038-9_12

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-22037-2

  • Online ISBN: 978-3-030-22038-9

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation