IMShell-Dec: Pay More Attention to External Links in PowerShell - ICT Systems Security and Privacy Protection
Conference Papers Year : 2020

IMShell-Dec: Pay More Attention to External Links in PowerShell

Ruidong Han
  • Function : Author
  • PersonId : 1117602
Chao Yang
  • Function : Author
  • PersonId : 1117603
Jianfeng Ma
  • Function : Author
  • PersonId : 993514
Yunbo Wang
  • Function : Author
  • PersonId : 1117605
Feng Li
  • Function : Author
  • PersonId : 1117606

Abstract

Windows proposes the PowerShell shell command line to substitute the traditional CMD. However, it is often utilized by the attacker to invade the victim because of its versatile functionality. In this paper, we investigate an attack combined PowerShell and image steganography. Compared with the traditional method, this attack can deceive the defender by hiding its malicious contents in benign images. To effectively detect this attack, we propose a framework IMShell-Dec, whose main target is to check external links before the execution of PowerShell script. IMShell-Dec trains a machine learning classifier with image examples, where the features are generated by merging histograms of three image color channels. Then IMShell-Dec examines the script through tracking and classifying the related images. The detector achieves more than 95% precision in 9,589 high-definition images.
Fichier principal
Vignette du fichier
497034_1_En_13_Chapter.pdf (2.18 Mo) Télécharger le fichier
Origin Files produced by the author(s)

Dates and versions

hal-03440834 , version 1 (22-11-2021)

Licence

Identifiers

Cite

Ruidong Han, Chao Yang, Jianfeng Ma, Siqi Ma, Yunbo Wang, et al.. IMShell-Dec: Pay More Attention to External Links in PowerShell. 35th IFIP International Conference on ICT Systems Security and Privacy Protection (SEC), Sep 2020, Maribor, Slovenia. pp.189-202, ⟨10.1007/978-3-030-58201-2_13⟩. ⟨hal-03440834⟩
49 View
85 Download

Altmetric

Share

More