Efficient Detection and Recovery of Malicious PowerShell Scripts Embedded into Digital Images
Table 1. Groups of obfuscation techniques as introduced in [22].

| Obfuscation techniques group | Description |
|---|---|
| Encoding | These techniques rely on different encodings to obfuscate the code. In our experiments, we chose ASCII encoding-based obfuscation. |
| Token | Within this group, it is possible to obfuscate different tokens. Each token has different available obfuscation levels (e.g., ‘argument’ 1–4, ‘command’ 1–3, ‘comment’ 1, ‘member’ 1–4, ‘string’ 1–2, etc.). For our purposes, we selected all token obfuscation functions in random order at the highest obfuscation level. |
| String | Such methods perform obfuscation via string concatenation or reordering. For our evaluation purposes, we chose the string delimited and concatenated technique. |
| AbstractSyntaxTree | In this class, the obfuscation process uses AbstractSyntaxTree-based rules. |
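The first three groups in Table 1 leave lexical traces in the script text that a detector can count, and the ASCII-encoding variant can be reversed to recover the original command. The following Python script is an added example, not code from the paper or from the obfuscation framework in [22]: it defines simple regex heuristics (names such as `obfuscation_indicators`, `obfuscation_score`, `is_obfuscated` and `recover_char_codes`, and all weights and the threshold, are my own assumptions) and runs them over a few constructed PowerShell snippets that wrap a harmless `Write-Host`. AbstractSyntaxTree-based rewriting is deliberately not covered, since it leaves no fixed lexical signature and would need a parser-level approach.

```python
import re
from typing import Dict

# One [char]N or [char]0xNN code point (Encoding group, ASCII variant).
CHAR_CODE = re.compile(r"\[char\]\s*(0x[0-9a-fA-F]+|\d+)", re.IGNORECASE)

# A run of two or more [char] codes joined by '+' or ',' that rebuilds a string.
CHAR_RUN = re.compile(
    r"(?:\[char\]\s*(?:0x[0-9a-fA-F]+|\d+)\s*(?:[+,]\s*)?){2,}", re.IGNORECASE
)

# Heuristic indicators per Table 1 group; weights are assumed, not from the paper.
INDICATORS = {
    # Encoding: string rebuilt from ASCII code points
    "ascii_char_codes": (CHAR_CODE, 1.0),
    # String (concatenate): quoted fragments glued with '+'
    "string_concat": (re.compile(r"['\"]\s*\+\s*['\"]"), 1.0),
    # String (reorder): "{1}{0}" -f 'b','a' format-operator reordering
    "format_reorder": (re.compile(r"['\"]\s*-f\s", re.IGNORECASE), 3.0),
    # Token: backtick escapes splitting a command or member name, e.g. Wr`ite
    "backtick_in_token": (re.compile(r"[A-Za-z]`[A-Za-z]"), 2.0),
    # Token/Encoding: char arrays are usually glued back with -join
    "join_operator": (re.compile(r"-join\b", re.IGNORECASE), 1.5),
}


def obfuscation_indicators(script: str) -> Dict[str, int]:
    """Count how often each lexical indicator occurs in the script text."""
    return {name: len(rx.findall(script)) for name, (rx, _) in INDICATORS.items()}


def obfuscation_score(script: str) -> float:
    """Weighted sum of indicator counts; higher means more obfuscation traces."""
    counts = obfuscation_indicators(script)
    return sum(counts[name] * weight for name, (_, weight) in INDICATORS.items())


def is_obfuscated(script: str, threshold: float = 3.0) -> bool:
    """Flag the script when its score reaches the (assumed) threshold."""
    return obfuscation_score(script) >= threshold


def recover_char_codes(script: str) -> str:
    """Replace every [char]N run with the decoded single-quoted literal.

    A trailing '+' or ',' that the run consumed is re-emitted so the
    surrounding expression stays syntactically intact.
    """

    def _decode(m: "re.Match[str]") -> str:
        run = m.group(0)
        chars = []
        for code in CHAR_CODE.findall(run):
            value = int(code, 16) if code.lower().startswith("0x") else int(code)
            chars.append(chr(value))
        text = "".join(chars).replace("'", "''")  # escape quotes for PowerShell
        last = run.rstrip()[-1]
        tail = last if last in "+," else ""
        return "'" + text + "'" + tail

    return CHAR_RUN.sub(_decode, script)


# Constructed sample snippets; each one only calls Write-Host.
PLAIN = 'Write-Host "hello world"'
ENCODED = ("& ([char]87+[char]114+[char]105+[char]116+[char]101+[char]45"
           "+[char]72+[char]111+[char]115+[char]116) 'hi'")
CONCAT = "& ('Wri'+'te-H'+'ost') ('hel'+'lo')"
FORMAT = "(\"{1}{0}{2}\" -f 'ite','Wr','-Host') 'hi'"
TOKEN = "Wr`ite-Ho`st -Obj`ect 'hi'"


if __name__ == "__main__":
    for label, sample in [("plain", PLAIN), ("encoded", ENCODED),
                          ("concat", CONCAT), ("format", FORMAT), ("token", TOKEN)]:
        print(f"{label:8} score={obfuscation_score(sample):5.1f} "
              f"flagged={is_obfuscated(sample)} recovered={recover_char_codes(sample)!r}")
```

The counts are per-occurrence, so a single benign `"a" + "b"` or a lone `-join` stays well under the threshold, while a command name rebuilt from ten code points or split by several backticks is flagged; for the ASCII case the recovered literal is what an analyst would feed into further analysis.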