A simple scanner for PowerShell scripts to detect malicious capabilities.
This tool, written in Python, scans a given file for high-fidelity PowerShell strings commonly abused by threat actors in malicious .ps1 scripts. It looks for indicators from four main categories:
- Obfuscation/Encoding - base64, Bitwise XOR, Hex
- Evasion/Bypass - Evasion of execution policies, Windows Defender alterations, AMSI bypass
- FileSystem - Creation and deletion of files
- Networking - Connect, downloads and web request capabilities
MD5sum functionality for the input file has been added. Pending: base64 decoding of the script before scanning. The indicator sets in the JSON library are still being expanded. Feel free to contribute!
Usage: `python Powershell_Analyzer.py -f <FILE>`
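As an added example (not the project's own Powershell_Analyzer.py or its JSON library), the following minimal scanner shows the shape of what the README describes: a JSON indicator library grouped into the four categories above, compiled once into case-insensitive regexes, applied line by line to a script, plus an MD5 of the raw file bytes so the hash matches what `md5sum` would report. The patterns, the `INDICATORS_JSON` library, the function names and the sample script are all constructed for this illustration; the sample is a harmless stand-in that merely contains strings from each category.

```python
import argparse
import hashlib
import json
import re
import tempfile
from collections import Counter
from dataclasses import dataclass

# Constructed indicator library grouped by the four README categories.
# It is a small stand-in for the project's JSON database, not a copy of it.
INDICATORS_JSON = json.dumps({
    "Obfuscation/Encoding": [
        r"\[Convert\]::FromBase64String",
        r"-EncodedCommand\b|-enc\b",
        r"-bxor\b",
        r"\[char\]\s*0x",
    ],
    "Evasion/Bypass": [
        r"-ExecutionPolicy\s+Bypass|-ep\s+bypass",
        r"Set-MpPreference",
        r"AmsiUtils|amsiInitFailed",
    ],
    "FileSystem": [
        r"New-Item\b",
        r"Remove-Item\b",
        r"\[IO\.File\]::(WriteAllBytes|Delete)",
    ],
    "Networking": [
        r"Invoke-WebRequest|\biwr\b",
        r"Invoke-RestMethod|\birm\b",
        r"Net\.WebClient|DownloadString|DownloadFile",
        r"Net\.Sockets\.TcpClient",
    ],
})


@dataclass
class Hit:
    category: str
    pattern: str
    line_no: int
    line: str


def load_indicators(raw_json: str) -> dict:
    """Compile each pattern once; PowerShell is case-insensitive, so the regexes are too."""
    library = json.loads(raw_json)
    return {cat: [re.compile(p, re.IGNORECASE) for p in pats]
            for cat, pats in library.items()}


def decode_script(data: bytes) -> str:
    """Handle BOM-prefixed UTF-16 files (common for PowerShell tooling), else UTF-8."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8-sig", errors="replace")


def md5_of_bytes(data: bytes) -> str:
    """MD5 over the raw bytes, so it agrees with md5sum on the same file."""
    return hashlib.md5(data).hexdigest()


def scan_text(text: str, compiled: dict) -> list:
    """Return one Hit per (line, pattern) match, in line order."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for category, patterns in compiled.items():
            for pat in patterns:
                if pat.search(line):
                    hits.append(Hit(category, pat.pattern, line_no, line.strip()))
    return hits


def scan_file(path: str, compiled: dict) -> tuple:
    with open(path, "rb") as fh:
        data = fh.read()
    return md5_of_bytes(data), scan_text(decode_script(data), compiled)


def summarize(hits: list) -> dict:
    """Hit count per category; an empty dict means nothing in the library matched."""
    return dict(Counter(h.category for h in hits))


# Constructed sample: harmless lines that merely contain one string per category.
SAMPLE_SCRIPT = """\
# constructed sample that only exercises the scanner; it is not a real script
Write-Host 'starting'
powershell.exe -ExecutionPolicy Bypass -File .\\setup.ps1
$blob = 'SGVsbG8='
$data = [Convert]::FromBase64String($blob)
Invoke-WebRequest -Uri 'http://example.invalid/file.bin' -OutFile out.bin
$x = 0x41 -bxor 0x13
Remove-Item -Path out.bin
"""

if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument("-f", "--file", help="script to scan (default: the constructed sample)")
    args = parser.parse_args()
    compiled = load_indicators(INDICATORS_JSON)
    path = args.file
    if path is None:
        tmp = tempfile.NamedTemporaryFile("w", suffix=".ps1", delete=False, encoding="utf-8")
        tmp.write(SAMPLE_SCRIPT)
        tmp.close()
        path = tmp.name
    digest, hits = scan_file(path, compiled)
    print(f"file: {path}\nmd5: {digest}")
    for h in hits:
        print(f"[{h.category}] line {h.line_no}: {h.line}  (matched {h.pattern})")
    print("summary:", summarize(hits))
```

Run without arguments it scans the built-in sample and reports five hits (two Obfuscation/Encoding, one in each other category); `-f <FILE>` mirrors the README's usage. Matching per line rather than over the whole file keeps the line number in the report, which is what an analyst needs when triaging a long or partly obfuscated script.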
Planned improvements:
- Improve the JSON database of high-fidelity, commonly abused PowerShell strings found in malware and malicious scripts
- Enrichment using VirusTotal on the MD5 hash extracted from the file
- Serve as a module for a more comprehensive all-in-one malware/file analyzer