Revoke-Obfuscation: PowerShell Obfuscation Detection Using Science

Many attackers continue to leverage PowerShell as a part of their
malware ecosystem, mostly delivered and executed by malicious binaries
and documents. Of malware that uses PowerShell, the most prevalent use
is the garden-variety stager: an executable or document macro that
launches PowerShell to download another executable and run it. There
has been significant development and innovation in the field of
offensive PowerShell techniques. While defenders and products have
implemented greater
PowerShell visibility
and improved detection, the offensive
PowerShell community has adapted their tools to avoid signature-based
detections. Part of this response has come through an increased use of
content obfuscation – a technique long employed at both the binary and
content level by traditional malware authors.

In our Revoke-Obfuscation
white paper
, first presented at Black Hat USA 2017, we provide
background on obfuscated PowerShell attacks seen in the wild, as well
as defensive mitigation and logging best practices. We then make the
case for the inefficiencies of static detection by exploring the many
layers of obfuscation now available to attackers for launching
PowerShell scripts, shortening and complicating commands contained
within the scripts, manipulating strings, and using alternate and
obscure methods to evade defenders. We then present a number of unique
approaches for interpreting, categorizing, and processing obfuscated
PowerShell attributes in order to build a framework for high fidelity
obfuscation detection. To support our research, we collected an
unprecedented PowerShell data corpus comprised of 408,000 scripts –
including 7,000 manually-reviewed and labeled scripts – from a vast
set of sources, both public and previously unavailable. In addition to
releasing the PowerShell data corpus, we have released the Revoke-Obfuscation
framework
, which has been used in numerous Mandiant
investigations, to assist the security community in classifying
PowerShell scripts’ obfuscation at scale.

Download the Revoke-Obfuscation
white paper
today, and also check out our presentation from
Black Hat USA 2017
.

Revoke-Obfuscation is the result of industry research collaboration
between Daniel Bohannon (@danielhbohannon), Senior
Applied Security Researcher at Mandiant/FireEye, and Lee Holmes (@Lee_Holmes
), Lead
Security Architect of Azure Management at 

Microsoft
.

*** This is a Security Bloggers Network syndicated blog from Threat Research Blog authored by Threat Research Blog. Read the original post at: http://www.fireeye.com/blog/threat-research/2017/07/revoke-obfuscation-powershell.html