Many attackers continue to leverage PowerShell as a part of their malware ecosystem, mostly delivered and executed by malicious binaries and documents. Of malware that uses PowerShell, the most prevalent use is the garden-variety stager: an executable or document macro that launches PowerShell to download another executable and run it. There has been significant development and innovation in the field of offensive PowerShell techniques. While defenders and products have implemented greater PowerShell visibility and improved detection, the offensive PowerShell community has adapted their tools to avoid signature-based detections. Part of this response has come through an increased use of content obfuscation – a technique long employed at both the binary and content level by traditional malware authors.
In our Revoke-Obfuscation white paper, first presented at Black Hat USA 2017, we provide background on obfuscated PowerShell attacks seen in the wild, as well as defensive mitigation and logging best practices. We then make the case for the inefficiencies of static detection by exploring the many layers of obfuscation now available to attackers for launching PowerShell scripts, shortening and complicating commands contained within the scripts, manipulating strings, and using alternate and obscure methods to evade defenders. We then present a number of unique approaches for interpreting, categorizing, and processing obfuscated PowerShell attributes in order to build a framework for high fidelity obfuscation detection. To support our research, we collected an unprecedented PowerShell data corpus comprised of 408,000 scripts – including 7,000 manually-reviewed and labeled scripts – from a vast set of sources, both public and previously unavailable. In addition to releasing the PowerShell data corpus, we have released the Revoke-Obfuscation framework, which has been used in numerous Mandiant investigations, to assist the security community in classifying PowerShell scripts’ obfuscation at scale.
Revoke-Obfuscation is the result of industry research collaboration between Daniel Bohannon (@danielhbohannon), Senior Applied Security Researcher at Mandiant/FireEye, and Lee Holmes (@Lee_Holmes), Lead Security Architect of Azure Management at Microsoft.