Efficient Detection and Recovery of Malicious PowerShell Scripts Embedded into Digital Images

<table class="table-group" id="tab1"><tr><td><table class="table"><tr><td class="thead-hr" colspan="2"><hr/></td></tr><tr class="thead"><td class="align_left">Obfuscation techniques group</td><td class="align_center">Description</td></tr><tr><td class="thead-hr" colspan="2"><hr/></td></tr><tr><td class="align_left">Encoding</td><td class="align_center">These techniques rely on different encodings to obfuscate the code. In our experiments, we chose ASCII encoding-based obfuscation.</td></tr><tr><td class="align_left">Token</td><td class="align_center">Within this group, it is possible to obfuscate different tokens. Each token has different available obfuscation levels (e.g., ‘argument’ 1–4, ‘command’ 1–3, ‘comment’ 1, ‘member’ 1–4, ‘string’ 1-2, etc.). For our purposes, we selected all token obfuscation functions in random order at the highest obfuscation level.</td></tr><tr><td class="align_left">String</td><td class="align_center">Such methods perform obfuscation via string concatenation or reordering. For our evaluation purposes, we chose the string delimited and concatenated technique.</td></tr><tr><td class="align_left">AbstractSyntaxTree</td><td class="align_center">In this class, the obfuscation process uses AbstractSyntaxTree-based rules.</td></tr><tr class="table-tr"><td colspan="2"><hr class="tbody-hr"/></td></tr></table></td></tr></table>

<div>Groups of obfuscation techniques as introduced in [<a href="/journals/scn/2022/4477317/#B22" target="_blank">22</a>].</div>

Security and Communication Networks

tab1

Table 1

Table 1: Efficient Detection and Recovery of Malicious PowerShell Scripts Embedded into Digital Images 