Transformer-Based Original Content Recovery from Obfuscated PowerShell Scripts


Research field: Strategies

Conference: International Conference on Neural Information Processing


Abstract

Microsoft PowerShell is a scripting language and command-line utility widely used by professionals to automate tasks and manage system services. Because of its prevalence, it has recently been seen abused by malicious parties in their offensive operations. Unfortunately, antimalware software is often helpless against PowerShell scripts, as each copy of a script can be unique thanks to obfuscation techniques. Obfuscation is the process of altering source code through various transformations so that the syntax changes but the program's behaviour is unaffected. The technique is nowadays mostly used by attackers to prevent their code from being flagged as malicious and to impede its analysis. Most current solutions for recovering the original content of obfuscated scripts are based on hand-written algorithms, which makes them difficult to maintain and prone to errors. We present a solution that reverses the obfuscation process with a Transformer-based model operating at the character level. We demonstrate it on obfuscated PowerShell commands, but the method is generic and can be applied to other scripting languages as well. We were able to fully recover the original content in 92% of cases and to recover at least 90% of the content in 100% of cases. The most important aspect of our approach is the ability to almost fully automate the creation of a deobfuscator.
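The abstract contrasts hand-written deobfuscation rules with a learned model and reports recovery as "full content" and "at least 90% of the content" rates. The following Python example is added here and is not code from the paper or its authors. It implements a small rule-based normalizer for three well-known no-op transformations (backtick insertion inside cmdlet names, single-quoted string concatenation, and randomized cmdlet case), scores its output against the known original with a character-level similarity ratio, and aggregates the two statistics the abstract quotes. The similarity metric (difflib's ratio) and the sample pairs are assumptions constructed for illustration; the paper's exact scoring function is not given in the abstract. The fourth sample uses command aliases the rules do not know, which is the kind of variant a hand-maintained deobfuscator misses.

```python
import difflib
import re

# Constructed (original, obfuscated) pairs; not data from the paper.
# The last pair uses cmdlet aliases, which the rule set below does not cover.
SAMPLES = [
    ("Get-Process | Sort-Object CPU",
     "gET-pRoCeSs | sOrT-oBjEcT CPU"),
    ("Write-Output 'hello world'",
     "Wr`ite-Out`put 'hello world'"),
    ("Invoke-WebRequest 'http://example.invalid/a'",
     "Invoke-WebRequest ('http://exa'+'mple.inv'+'alid/a')"),
    ("Get-Process | Sort-Object CPU",
     "gps | sort CPU"),
]

# Canonical spellings the normalizer knows about (assumed, small table).
CMDLETS = ["Get-Process", "Sort-Object", "Write-Output", "Invoke-WebRequest"]

# Characters for which a preceding backtick is a real PowerShell escape
# (`n, `t, `0, ...); a backtick before any other character is a no-op.
ESCAPED = set("0abefnrtuv`'\"$")

# ('a' + 'b' + 'c') style concatenation of single-quoted literals.
CONCAT_RE = re.compile(r"\(\s*('[^']*'(?:\s*\+\s*'[^']*')+)\s*\)")


def strip_backticks(cmd):
    """Drop backticks that do not form an escape sequence."""
    out, i = [], 0
    while i < len(cmd):
        ch = cmd[i]
        if ch == "`" and i + 1 < len(cmd) and cmd[i + 1] not in ESCAPED:
            i += 1          # skip the no-op backtick, keep the next char
            continue
        out.append(ch)
        i += 1
    return "".join(out)


def join_concat(cmd):
    """Fold ('x'+'y') into 'xy'."""
    def _join(m):
        parts = re.findall(r"'([^']*)'", m.group(1))
        return "'" + "".join(parts) + "'"
    return CONCAT_RE.sub(_join, cmd)


def normalize_case(cmd):
    """Restore canonical cmdlet capitalization (case-insensitive match)."""
    for name in CMDLETS:
        cmd = re.sub(re.escape(name), name, cmd, flags=re.IGNORECASE)
    return cmd


def rule_based_deobfuscate(cmd):
    """The hand-written baseline: three fixed transformations in sequence."""
    return normalize_case(join_concat(strip_backticks(cmd)))


def recovery_ratio(original, recovered):
    """Character-level similarity in [0, 1]; 1.0 means full recovery.
    Assumed metric: difflib ratio = 2*matches / (len(a) + len(b))."""
    return difflib.SequenceMatcher(None, original, recovered).ratio()


def evaluate(pairs, deobfuscate):
    """Return (fraction fully recovered, fraction with >= 90% recovered)."""
    ratios = [recovery_ratio(orig, deobfuscate(obf)) for orig, obf in pairs]
    full = sum(r == 1.0 for r in ratios) / len(ratios)
    at_least_90 = sum(r >= 0.9 for r in ratios) / len(ratios)
    return full, at_least_90


if __name__ == "__main__":
    for orig, obf in SAMPLES:
        rec = rule_based_deobfuscate(obf)
        print(f"{recovery_ratio(orig, rec):.3f}  {obf!r} -> {rec!r}")
    print("full / >=90%:", evaluate(SAMPLES, rule_based_deobfuscate))
```

The `evaluate` function is independent of the deobfuscator passed in, so the same scoring can be applied to the output of a learned model on a held-out set of (original, obfuscated) pairs; the alias sample shows that every new transformation an attacker adopts means another rule to write and maintain in the baseline.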


Authors

Michal Dedek, Czestochowa University of Technology, Czestochowa, Poland

Rafał Scherer, Czestochowa University of Technology, Czestochowa, Poland

Paper information

Publication year: 2023
Citations: 0
Country of publication: Poland
Site: Springer
Likes: 0

Related papers (80)