Article (open access, peer reviewed)

Efficient Detection and Recovery of Malicious PowerShell Scripts Embedded into Digital Images

2022; Hindawi Publishing Corporation; Volume: 2022; Language: English

DOI

10.1155/2022/4477317

ISSN

1939-0114

Authors

Andreas Schaffhauser, Wojciech Mazurczyk, Luca Caviglione, Marco Zuppelli, Julio Hernández-Castro

Topic(s)

Advanced Steganography and Watermarking Techniques

Abstract

Due to steady improvements in defensive systems, malware developers are turning their attention to mechanisms for cloaking attacks for as long as possible. A recent trend exploits techniques such as Invoke-PSImage, which embeds a malicious PowerShell script within an innocent-looking image, for example to smuggle data into compromised devices. Addressing this class of emerging threats requires new mechanisms, since standard tools either fail to detect such payloads or offer poor performance. To this aim, this work introduces Mavis, an efficient and highly accurate method for detecting hidden payloads, retrieving the embedded information, and estimating its size. Experimental results collected on real-world malicious PowerShell scripts show that Mavis detects attacks with high accuracy (100%) while keeping the false positive and false negative rates very low (0.01% and 0%, respectively). The proposed approach outperforms other solutions available in the literature or commercially through an "as a service" model.
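The embedding scheme the abstract refers to, and one simple way to detect and recover such a payload, as an added Python example. This is not the paper's Mavis implementation and not Invoke-PSImage itself: Invoke-PSImage's README describes writing each script byte into the least significant 4 bits of two colour values of one pixel; which two channels (R and B below), the absence of padding after the payload, the cover image and the sample script are all assumptions of this example. The detector carves the low nibbles back out of every pixel and flags the image when the carved stream contains a long run of printable ASCII, which the noisy low bits of a clean image practically never produce; the run's start and length give the payload offset and an upper bound on its size.

```python
# Added example, not code from the Mavis paper or from Invoke-PSImage.
# Image model: a flat list of (R, G, B) tuples, stdlib only, so it runs offline.
import random

# Bytes a PowerShell script is made of: printable ASCII plus tab, LF and CR.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def make_cover(width=64, height=64, seed=1):
    """Constructed cover image: a colour gradient with +-8 sensor-like noise,
    so the low 4 bits of each channel are effectively random (assumption:
    this stands in for the noisy low bits of a real photograph)."""
    rnd = random.Random(seed)
    pixels = []
    for y in range(height):
        for x in range(width):
            base = (x * 255 // (width - 1), y * 255 // (height - 1), 128)
            pixels.append(tuple(min(255, max(0, c + rnd.randint(-8, 8)))
                                for c in base))
    return pixels


def embed(pixels, payload):
    """Invoke-PSImage-style embedding: byte i goes into pixel i, its high
    nibble into the low 4 bits of R and its low nibble into the low 4 bits
    of B (channel choice is an assumption). Pixels past the payload are left
    untouched (assumption; the real tool may fill them)."""
    if len(payload) > len(pixels):
        raise ValueError("payload exceeds image capacity of %d bytes" % len(pixels))
    out = list(pixels)
    for i, byte in enumerate(payload):
        r, g, b = out[i]
        out[i] = ((r & 0xF0) | (byte >> 4), g, (b & 0xF0) | (byte & 0x0F))
    return out


def carve(pixels):
    """Undo the embedding for every pixel: the stream a loader would read."""
    return bytes(((r & 0x0F) << 4) | (b & 0x0F) for r, _, b in pixels)


def longest_printable_run(stream):
    """Return (start, length) of the longest run of PRINTABLE bytes."""
    best = (0, 0)
    start = None
    for i, byte in enumerate(stream + b"\xff"):  # sentinel closes a trailing run
        if byte in PRINTABLE:
            if start is None:
                start = i
        elif start is not None:
            if i - start > best[1]:
                best = (start, i - start)
            start = None
    return best


def analyse(pixels, min_run=64):
    """Classify an image and, if flagged, recover the payload.
    98 of 256 byte values are PRINTABLE, so a clean image's random low bits
    yield a printable run of min_run bytes with probability about
    0.38 ** min_run; min_run=64 makes false positives negligible. The run
    may extend a few bytes past the true payload into cover noise, so 'size'
    is an upper bound."""
    stream = carve(pixels)
    start, length = longest_printable_run(stream)
    detected = length >= min_run
    return {
        "detected": detected,
        "offset": start if detected else None,
        "size": length if detected else 0,
        "payload": stream[start:start + length] if detected else b"",
    }


# Constructed, benign sample script standing in for a malicious one.
SCRIPT = (b"# constructed sample, not a real payload\n"
          b"$names = Get-ChildItem -Path $env:TEMP -Name\n"
          b"Write-Host ('temp holds {0} entries' -f $names.Count)\n")

COVER = make_cover()
STEGO = embed(COVER, SCRIPT)

if __name__ == "__main__":
    for name, img in (("cover", COVER), ("stego", STEGO)):
        res = analyse(img)
        print(name, "detected=%s offset=%s size=%d" % (res["detected"], res["offset"], res["size"]))
    print(analyse(STEGO)["payload"].decode("ascii", "replace"))
```

The printable-run test is deliberately content-based: it recovers the script rather than only scoring pixel statistics, which is what makes the result actionable for incident response. It would miss a payload that is compressed or encrypted before embedding; for that case a distributional test on the carved nibbles, not shown here, is the usual complement.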
