Efficient Detection and Recovery of Malicious PowerShell Scripts Embedded into Digital Images

<table class="table-group" id="tab7"><tr><td><table class="table"><tr><td class="thead-hr" colspan="6"><hr/></td></tr><tr class="thead"><td class="align_center" colspan="6">Invoke-PSImage Mode-1</td></tr><tr><td class="thead-hr" colspan="6"><hr/></td></tr><tr><td class="align_left">Scripts</td><td class="align_center">Correct detec.</td><td class="align_center">FN rate</td><td class="align_center"><svg height="14.3671pt" id="M119" style="vertical-align:-3.2911pt" version="1.1" viewbox="-0.0498162 -11.076 10.1338 14.3671" width="10.1338pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><rect height="0.65243" width="10.0341" x="0" y="-10.3737"></rect><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M324 430H196L233 583L223 592L145 529L120 430H54L29 396L31 388H111L56 126C33 15 54 -12 77 -12C137 -12 214 57 250 95L233 119C208 92 155 59 138 59C126 59 120 70 131 125L186 390L298 394L324 430Z"></path></g><g transform="matrix(.0091,0,0,-0.0091,4.368,3.132)"><path d="M538 684C542 703 539 710 529 710C512 710 455 682 363 674L361 644H396C444 644 448 642 438 594L405 438C373 450 347 451 336 451C288 451 200 416 147 374C69 312 24 207 24 113C24 29 60 -12 94 -12C126 -12 156 4 196 30C231 53 296 100 346 166H348L328 81C311 10 325 -12 348 -12C380 -12 450 24 512 98L495 125C466 97 431 70 417 70C408 70 408 80 411 98L538 684ZM390 373L361 240C336 196 210 56 145 56C132 56 113 73 113 131C113 216 156 338 220 379C243 394 266 402 303 402C331 402 375 388 390 373Z"></path></g></svg> (ms)</td><td class="align_center">Conf. level</td><td class="align_center">Score</td></tr><tr><td class="align_left">Deobfuscated</td><td class="align_center">3064/4641 (66.02%)</td><td class="align_center">1577/4641 (33.98%)</td><td class="align_center">5.59</td><td class="align_center">Low: 0, medium: 2055, high: 2586</td><td class="align_center">544.07</td></tr><tr><td class="align_left">Obfuscated</td><td class="align_center">822/4018 (20.46%)</td><td class="align_center">3196/4018 (79.54%)</td><td class="align_center">17.35</td><td class="align_center">Low: 0, medium: 3892, high: 126</td><td class="align_center">100.83</td></tr><tr><td class="align_left"><b>Overall</b></td><td class="align_center"><b>44.88%</b></td><td class="align_center"><b>55.12%</b></td><td class="align_center"><b>11.47</b></td><td class="align_center"><b>N/A</b></td><td class="align_center"><b>322.45</b></td></tr><tr><td class="align_left" colspan="6"><hr/></td></tr><tr><td class="align_center" colspan="6">Invoke-PSImage Mode-2</td></tr><tr><td class="align_left">Scripts</td><td class="align_center">Correct detec.</td><td class="align_center">FN rate</td><td class="align_center"><svg height="14.3671pt" id="M120" style="vertical-align:-3.2911pt" version="1.1" viewbox="-0.0498162 -11.076 10.1338 14.3671" width="10.1338pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><rect height="0.65243" width="10.0341" x="0" y="-10.3737"></rect><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M324 430H196L233 583L223 592L145 529L120 430H54L29 396L31 388H111L56 126C33 15 54 -12 77 -12C137 -12 214 57 250 95L233 119C208 92 155 59 138 59C126 59 120 70 131 125L186 390L298 394L324 430Z"></path></g><g transform="matrix(.0091,0,0,-0.0091,4.368,3.132)"><path d="M538 684C542 703 539 710 529 710C512 710 455 682 363 674L361 644H396C444 644 448 642 438 594L405 438C373 450 347 451 336 451C288 451 200 416 147 374C69 312 24 207 24 113C24 29 60 -12 94 -12C126 -12 156 4 196 30C231 53 296 100 346 166H348L328 81C311 10 325 -12 348 -12C380 -12 450 24 512 98L495 125C466 97 431 70 417 70C408 70 408 80 411 98L538 684ZM390 373L361 240C336 196 210 56 145 56C132 56 113 73 113 131C113 216 156 338 220 379C243 394 266 402 303 402C331 402 375 388 390 373Z"></path></g></svg> (ms)</td><td class="align_center">Conf. level</td><td class="align_center">Score</td></tr><tr><td class="align_left">Deobfuscated</td><td class="align_center">4482/5000 (89.64%)</td><td class="align_center">518/5000 (10.36%)</td><td class="align_center">1343.29</td><td class="align_center">Low: 0, medium: 2476, high: 2524</td><td class="align_center">426.87</td></tr><tr><td class="align_left">Obfuscated</td><td class="align_center">4365/5000 (87.3%)</td><td class="align_center">635/5000 (12.7%)</td><td class="align_center">1337.54</td><td class="align_center">Low: 0, medium: 2476, high: 2524</td><td class="align_center">417.26</td></tr><tr><td class="align_left"><b>Overall</b></td><td class="align_center"><b>88.47%</b></td><td class="align_center"><b>11.53%</b></td><td class="align_center"><b>1340.41</b></td><td class="align_center"><b>N/A</b></td><td class="align_center"><b>422.06</b></td></tr><tr><td class="align_left" colspan="6"><hr/></td></tr><tr><td class="align_left">Clean</td><td class="align_center">4927/5000 (98.54%)</td><td class="align_center">3/5000 (1.46%)</td><td class="align_center">1097.37</td><td class="align_center">Low: 0, medium: 4991, high: 9</td><td class="align_center">32.03</td></tr><tr class="table-tr"><td colspan="6"><hr class="tbody-hr"/></td></tr></table></td></tr></table>

<div>Detection results for McAfee SAT (only files of size 256 × 256 can be tested).</div>

Security and Communication Networks

tab7

Table 7

Table 7: Efficient Detection and Recovery of Malicious PowerShell Scripts Embedded into Digital Images 