The goal of Revoke-Obfuscation research and these frameworks was to highlight the limitations of a purely signature-based approach to detecting attackers’ usage of PowerShell. The core message to defenders has been to focus on detecting Indicators of Obfuscation in addition to known suspicious syntax.
However, the extreme levels of randomization in Invoke-Obfuscation and Invoke-CradleCrafter paired with the token-layer obfuscation options that are not deobfuscated in PowerShell’s script block logging have led defenders to look for a new, scalable means of generically detecting both known and unknown obfuscation techniques.
Revoke-Obfuscation is an open-source PowerShell v3.0+ framework for detecting obfuscated PowerShell commands and scripts at scale. It relies on PowerShell’s AST (Abstract Syntax Tree) to rapidly extract thousands of features from any input PowerShell script and compare this feature vector against one of several pre-defined weighted feature vectors computed through an automated learning process conducted against a corpus of 408K+ PowerShell scripts. This full corpus can be downloaded from (https://aka.ms/PowerShellCorpus). Stay tuned for the publishing of the labeled data and the tooling used for training.
Since Revoke-Obfuscation relies on feature extraction and comparison instead of pure IOCs or RegEx matching, it is more robust in its ability to identify unknown obfuscation techniques even when attackers attempt to subdue their obfuscation by padding it with unobfuscated script contents to overthrow basic checks like character frequency analysis.
Use and Download:
git clone https://github.com/danielbohannon/Revoke-Obfuscation && cd Revoke-Obfuscation