Skip to Main content Skip to Navigation
New interface
Conference papers

IMShell-Dec: Pay More Attention to External Links in PowerShell

Abstract : Windows proposes the PowerShell shell command line to substitute the traditional CMD. However, it is often utilized by the attacker to invade the victim because of its versatile functionality. In this paper, we investigate an attack combined PowerShell and image steganography. Compared with the traditional method, this attack can deceive the defender by hiding its malicious contents in benign images. To effectively detect this attack, we propose a framework IMShell-Dec, whose main target is to check external links before the execution of PowerShell script. IMShell-Dec trains a machine learning classifier with image examples, where the features are generated by merging histograms of three image color channels. Then IMShell-Dec examines the script through tracking and classifying the related images. The detector achieves more than 95% precision in 9,589 high-definition images.
Document type :
Conference papers
Complete list of metadata

https://hal.inria.fr/hal-03440834
Contributor : Hal Ifip Connect in order to contact the contributor
Submitted on : Monday, November 22, 2021 - 3:33:02 PM
Last modification on : Wednesday, December 15, 2021 - 12:42:02 PM
Long-term archiving on: : Wednesday, February 23, 2022 - 7:58:23 PM

File

 Restricted access
To satisfy the distribution rights of the publisher, the document is embargoed until : 2023-01-01

Please log in to resquest access to the document

Licence


Distributed under a Creative Commons Attribution 4.0 International License

Identifiers

Collections

Citation

Ruidong Han, Chao Yang, Jianfeng Ma, Siqi Ma, Yunbo Wang, et al.. IMShell-Dec: Pay More Attention to External Links in PowerShell. 35th IFIP International Conference on ICT Systems Security and Privacy Protection (SEC), Sep 2020, Maribor, Slovenia. pp.189-202, ⟨10.1007/978-3-030-58201-2_13⟩. ⟨hal-03440834⟩

Share

Metrics

Record views

16