Detecting Malicious PowerShell Commands using Deep Neural Networks

  • 2018-04-11 19:16:03
  • Danny Hendler, Shay Kels, Amir Rubin
  • 235

Abstract

Microsoft's PowerShell is a command-line shell and scripting language that isinstalled by default on Windows machines. While PowerShell can be configured byadministrators for restricting access and reducing vulnerabilities, theserestrictions can be bypassed. Moreover, PowerShell commands can be easilygenerated dynamically, executed from memory, encoded and obfuscated, thusmaking the logging and forensic analysis of code executed by PowerShellchallenging.For all these reasons, PowerShell is increasingly used bycybercriminals as part of their attacks' tool chain, mainly for downloadingmalicious contents and for lateral movement. Indeed, a recent comprehensivetechnical report by Symantec dedicated to PowerShell's abuse by cybercrimialsreported on a sharp increase in the number of malicious PowerShell samples theyreceived and in the number of penetration tools and frameworks that usePowerShell. This highlights the urgent need of developing effective methods fordetecting malicious PowerShell commands.In this work, we address this challengeby implementing several novel detectors of malicious PowerShell commands andevaluating their performance. We implemented both "traditional" naturallanguage processing (NLP) based detectors and detectors based oncharacter-level convolutional neural networks (CNNs). Detectors' performancewas evaluated using a large real-world dataset.Our evaluation results showthat, although our detectors individually yield high performance, an ensembledetector that combines an NLP-based classifier with a CNN-based classifierprovides the best performance, since the latter classifier is able to detectmalicious commands that succeed in evading the former. Our analysis of theseevasive commands reveals that some obfuscation patterns automatically detectedby the CNN classifier are intrinsically difficult to detect using the NLPtechniques we applied.

 

Introduction (beta)

None

 

Conclusion (beta)

None