Search for malicious powershell scripts using syntax trees

Abstract

Purpose of the paper: a search for a rather abstract representation of the PowerShell script functionality using abstract syntax trees such that an invisible obfuscated PowerShell script can be detected provided the associated PowerShell script is already known malware. Research method: PowerShell script obfuscation analysis is performed on three types of obfuscation: token, string, and abstract syntax tree. The obtained result: 1) we have found that simple PowerShell AST-based features, such as the number of AST functions and their distributed depth, as well as the AST similarity obfuscation distance parameter calculated from the types of functions and their location in the AST are sufficient to attribute obfuscated PowerShell scripts to their original script, not subject to obfuscation; 2) a method for creating an extended data set of obfuscated PowerShell is described and implemented including marking source files; 3) an extensive analysis of the data set and several functions are provided to represent the PowerShell structure.