Revoke-Obfuscation: A powerful PowerShell obfuscation detection framework

About Revoke-Obfuscation

Revoke-Obfuscation is a PowerShell obfuscation detection framework. It is written in PowerShell and is compatible with PowerShell v3.0+. With it, researchers can run large-scale obfuscation detection against PowerShell commands and scripts.

It relies on PowerShell's AST (Abstract Syntax Tree) to rapidly extract thousands of features from any input PowerShell script, and compares that feature vector against weighted feature vectors that were computed from a corpus of more than 400,000 PowerShell scripts and commands.

Working mechanism

Because Revoke-Obfuscation relies on feature extraction and comparison rather than pure IOC or RegEx matching, it is better able to identify unknown obfuscation techniques, even when an attacker tries to defeat a basic check such as character frequency analysis by padding the script with unobfuscated content.

Revoke-Obfuscation processes most input PowerShell scripts in 100-300 milliseconds. It also supports simple whitelisting and can extract and process script block records from the PowerShell Operational event log.
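To make the mechanism concrete, here is an added example, written for this page rather than taken from Revoke-Obfuscation, of extracting a handful of AST-derived features with PowerShell's own parser. The function name, the feature set and both sample scripts are constructed for illustration; the real tool extracts thousands of features and weights them against its corpus-derived vectors.

```powershell
# Added example: a minimal AST feature extractor in the spirit of
# Revoke-Obfuscation. It is not the tool's own code; the feature names and
# both sample scripts below are constructed here purely for illustration.
function Get-AstFeatureVector {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string] $ScriptText
    )
    process {
        $tokens = $null
        $errors = $null
        $ast = [System.Management.Automation.Language.Parser]::ParseInput(
            $ScriptText, [ref] $tokens, [ref] $errors)

        # Walk every node (including nested script blocks) and build a
        # histogram of node types; the tool's features are largely counts and
        # ratios of this kind rather than string matches.
        $nodes  = @($ast.FindAll({ $true }, $true))
        $byType = @{}
        foreach ($node in $nodes) {
            $t = $node.GetType().Name
            $byType[$t] = 1 + [int] $byType[$t]
        }

        # Commands whose name is not a literal, e.g. &("I" + "EX"): the parser
        # cannot resolve GetCommandName(), which is a strong obfuscation signal.
        $commands    = @($nodes | Where-Object { $_.GetType().Name -eq 'CommandAst' })
        $dynamicCmds = @($commands | Where-Object { -not $_.GetCommandName() }).Count
        $iexCalls    = @($commands | Where-Object {
            $_.GetCommandName() -in 'Invoke-Expression', 'iex' }).Count

        # Operators and casts obfuscators lean on: -join / -f and [char]N.
        $joinFormat = @($nodes | Where-Object {
            $_.GetType().Name -eq 'BinaryExpressionAst' -and
            $_.Operator -in 'Join', 'Format' }).Count
        $charCasts  = @($nodes | Where-Object {
            $_.GetType().Name -eq 'ConvertExpressionAst' -and
            $_.Type.TypeName.Name -eq 'char' }).Count

        # Shannon entropy of the raw text in bits per character. Alone it is
        # easy to dilute by padding with benign code, which is why no single
        # feature like this one is decisive.
        $freq = @{}
        foreach ($c in $ScriptText.ToCharArray()) { $freq[$c] = 1 + [int] $freq[$c] }
        $len     = [double] $ScriptText.Length
        $entropy = 0.0
        foreach ($v in $freq.Values) {
            $p = $v / $len
            $entropy -= $p * [math]::Log($p, 2)
        }

        [pscustomobject] @{
            Length           = $ScriptText.Length
            NodeCount        = $nodes.Count
            ParseErrors      = $errors.Count
            Backticks        = ([regex]::Matches($ScriptText, '`')).Count
            DynamicCommands  = $dynamicCmds
            InvokeExpression = $iexCalls
            JoinFormatOps    = $joinFormat
            CharCasts        = $charCasts
            Entropy          = [math]::Round($entropy, 3)
            # A ratio survives padding better than the absolute count above.
            CastsPerNode     = [math]::Round($charCasts / [double] $nodes.Count, 3)
        }
    }
}

# Constructed samples: a plain one-liner, and an obfuscated equivalent that
# spells "IEX" with -f and "Write-Host" from [char] casts.
$plain      = 'Get-Process | Where-Object { $_.CPU -gt 100 } | Select-Object Name, Id'
$obfuscated = '&("{1}{0}" -f ''EX'',''I'') ((-join ([char]87,[char]114,[char]105,[char]116,[char]101)) + ''-Host hi'')'

$plain, $obfuscated | Get-AstFeatureVector | Format-Table -AutoSize
```

Run it in any PowerShell v3+ session. The obfuscated sample registers a non-literal command name (the `&("...")` construct leaves `GetCommandName()` with nothing to return), a `-f` operator and five `[char]` casts, none of which a regex for `Invoke-Expression` would have matched. Padding the script with benign code lowers `Entropy` but leaves `DynamicCommands` and `CharCasts` untouched, which is why extracting many structural features beats relying on one statistic.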

Tool installation

Researchers can use the following command to clone the source code of the project locally:

git clone https://github.com/danielbohannon/Revoke-Obfuscation.git

Next, switch to the project directory and run the following command to complete the installation:

Import-Module .\Revoke-Obfuscation.psd1

In addition, we can also install Revoke-Obfuscation directly from the PowerShell Gallery:

Install-Module Revoke-Obfuscation

Import-Module Revoke-Obfuscation

Tool usage

The following commands analyze EID 4104 script block records from the PowerShell Operational log. Two caveats: script block logging must be enabled (the "Turn on PowerShell Script Block Logging" policy) to capture every block, since PowerShell 5.0+ otherwise logs only blocks it considers suspicious; and reading the live .evtx file under System32 directly normally requires an elevated shell, whereas Get-WinEvent -LogName reads through the event log service:

Get-RvoScriptBlock -Path 'C:\Windows\System32\Winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx' -Verbose

Get-ChildItem .\Demo\demo.evtx | Get-RvoScriptBlock -Verbose

Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | Get-RvoScriptBlock -Verbose

The following command runs the full obfuscation measurement over every script block in demo.evtx and writes the results to disk:

$obfResults = Get-WinEvent -Path .\Demo\demo.evtx | Get-RvoScriptBlock | Measure-RvoObfuscation -OutputToDisk -Verbose

The following commands measure obfuscation in test scripts hosted remotely or stored locally:

Measure-RvoObfuscation -Url 'http://bit.ly/DBOdemo1' -Verbose -OutputToDisk

Get-Content .\Demo\DBOdemo*.ps1 | Measure-RvoObfuscation -Verbose -OutputToDisk

Get-ChildItem .\Demo\DBOdemo*.ps1 | Measure-RvoObfuscation -Verbose -OutputToDisk
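As an added example (not Get-RvoScriptBlock's own implementation), the following PowerShell shows what a script-block extractor has to do before scoring: pull the ScriptBlockText, ScriptBlockId, MessageNumber and MessageTotal fields out of the 4104 event XML that $event.ToXml() produces, reassemble multi-part blocks in order, refuse incomplete sets, and then hand each block to Measure-RvoObfuscation on the pipeline exactly as the Get-Content example above does. The helper names and the four sample events are constructed; the same functions run unchanged over Get-WinEvent output on a real host.

```powershell
# Added example: reassembling EID 4104 script blocks from raw event XML and
# scoring them with Measure-RvoObfuscation. This is not Get-RvoScriptBlock's
# own code; it performs the same reassembly for records that arrive as XML
# (e.g. a SIEM export). All sample events below are constructed.
function ConvertFrom-ScriptBlockEventXml {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string] $EventXml
    )
    process {
        $x = [xml] $EventXml
        if ([int] $x.Event.System.EventID -ne 4104) { return }
        # EventData/Data elements are keyed by their Name attribute.
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) {
            $d[$item.GetAttribute('Name')] = $item.InnerText
        }
        [pscustomobject] @{
            ScriptBlockId = $d['ScriptBlockId']
            MessageNumber = [int] $d['MessageNumber']
            MessageTotal  = [int] $d['MessageTotal']
            Path          = $d['Path']
            Text          = [string] $d['ScriptBlockText']
        }
    }
}

function Join-ScriptBlockFragments {
    # Blocks longer than the event size limit are logged as fragments
    # MessageNumber 1..MessageTotal sharing one ScriptBlockId. Concatenate
    # them in order; warn on sets with a missing fragment rather than
    # scoring a truncated block.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject] $Fragment
    )
    begin   { $all = @() }
    process { $all += $Fragment }
    end {
        foreach ($g in ($all | Group-Object ScriptBlockId)) {
            $ordered = @($g.Group | Sort-Object MessageNumber)
            if ($ordered.Count -ne $ordered[0].MessageTotal) {
                Write-Warning ("ScriptBlockId {0}: {1} of {2} fragments present, skipping" -f
                    $g.Name, $ordered.Count, $ordered[0].MessageTotal)
                continue
            }
            [pscustomobject] @{
                ScriptBlockId = $g.Name
                Path          = $ordered[0].Path
                ScriptBlock   = -join $ordered.Text
            }
        }
    }
}

function New-SampleEventXml {
    # Builds constructed 4104 event XML in the shape $event.ToXml() returns.
    param([string] $Id, [int] $Number, [int] $Total, [string] $Text)
    $esc = [System.Security.SecurityElement]::Escape($Text)
    @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-PowerShell" /><EventID>4104</EventID></System>
  <EventData>
    <Data Name="MessageNumber">$Number</Data><Data Name="MessageTotal">$Total</Data>
    <Data Name="ScriptBlockText">$esc</Data>
    <Data Name="ScriptBlockId">$Id</Data><Data Name="Path"></Data>
  </EventData>
</Event>
"@
}

# Constructed inputs: one benign block, one obfuscated block split in two
# and delivered out of order, and one block with a fragment missing.
$benign = 'Get-ChildItem C:\Temp | Measure-Object'
$obf    = '&("{1}{0}" -f ''EX'',''I'') ((-join ([char]87,[char]114,[char]105,[char]116,[char]101)) + ''-Host hi'')'
$half   = [int] ($obf.Length / 2)
$sampleEvents = @(
    (New-SampleEventXml -Id 'aaaaaaaa-0000-4000-8000-000000000001' -Number 1 -Total 1 -Text $benign),
    (New-SampleEventXml -Id 'bbbbbbbb-0000-4000-8000-000000000002' -Number 2 -Total 2 -Text $obf.Substring($half)),
    (New-SampleEventXml -Id 'bbbbbbbb-0000-4000-8000-000000000002' -Number 1 -Total 2 -Text $obf.Substring(0, $half)),
    (New-SampleEventXml -Id 'cccccccc-0000-4000-8000-000000000003' -Number 1 -Total 3 -Text 'Start-Sleep 1')
)

$blocks = $sampleEvents | ConvertFrom-ScriptBlockEventXml | Join-ScriptBlockFragments
$blocks | Format-List

# Score each reassembled block separately: the tool joins whatever strings
# arrive on one pipeline into a single script (that is how the Get-Content
# example works), so two blocks must not share an invocation.
Import-Module Revoke-Obfuscation
$blocks | ForEach-Object { $_.ScriptBlock | Measure-RvoObfuscation -Verbose }

# Same pipeline against the live log, without Get-RvoScriptBlock:
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-ScriptBlockEventXml | Join-ScriptBlockFragments
```

The benign and the obfuscated blocks come out whole; the third ScriptBlockId produces a warning and is dropped, which matters because a truncated block can parse very differently from the script that actually ran.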

Screenshot of tool running

Tool usage demonstration

License Agreement

The project is developed and released under the [Apache-2.0](https://github.com/danielbohannon/Revoke-Obfuscation/blob/master/LICENSE) open source license.

Project address

Revoke-Obfuscation: [GitHub Portal](https://github.com/danielbohannon/Revoke-Obfuscation)

Reference materials

https://www.fireeye.com/blog/threat-research/2017/07/revoke-obfuscation-powershell.html

https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/revoke-obfuscation-report.pdf

https://aka.ms/PowerShellCorpus

Digression

Many people who are new to the computer industry, or who graduated in a computer-related major, run into obstacles everywhere because they lack practical experience. Consider two sets of figures:

The 2023 national college graduates are expected to reach 11.58 million, and the employment situation is severe;

According to data released during the National Cyber Security Publicity Week, China's shortage of cyber security personnel will reach 3.27 million by 2027.

On the one hand, fresh graduates face a severe employment situation every year; on the other hand, there is a million-scale shortage of cyber security talent.

On June 9, the 2023 edition of the Employment Blue Book of MyCOS Research (including the 2023 Employment Report for Undergraduates in China and the Employment Report for Higher Vocational Students in China in 2023) was officially released.

Top 10 Majors with Higher Monthly Salary for 2022 College Graduates

The monthly income of undergraduate computer science majors and higher vocational automation majors is relatively high: 6,863 yuan and 5,339 yuan respectively for the class of 2022. The starting salary of undergraduate computer majors is essentially unchanged from the class of 2021, while the monthly income of higher vocational automation majors rose significantly, overtaking railway transportation majors (5,295 yuan) to rank first for the class of 2022.

By individual major, the highest-earning undergraduate major for the class of 2022 is information security (7,579 yuan). Compared with the class of 2018, undergraduate majors related to artificial intelligence, such as electronic science and technology and automation, performed well, with starting salaries up 19% from five years earlier. Although data science and big data technology is a newly added major, it has performed well and ranks among the top three undergraduate majors by monthly income half a year after graduation for the class of 2022. French, the only humanities and social sciences major in the undergraduate top 10 five years ago, has dropped out of the list.

“There is no national security without cybersecurity”. At present, network security has been elevated to the height of national strategy and has become one of the most important factors affecting national security and social stability.

Characteristics of the Internet Security Industry

1. Salaries are very high and rise quickly. In 2021, Liepin.com reported that the cyber security industry had the highest average salary of any industry, at 337,700 yuan!


2. There is a large talent gap and many employment opportunities

On September 18, 2019, the official website of the Central People's Government of the People's Republic of China reported that China needs 1.4 million cyberspace security professionals, while universities across the country train fewer than 1.5 million people a year. Liepin.com's "Cyber Security Report for the First Half of 2021" predicts that demand for cyber security talent will reach 3 million in 2027, while only 100,000 people currently work in the industry.

The industry has a lot of room for development and many jobs

Since the cyber security industry was established, dozens of new positions have appeared: cyber security expert, cyber security analyst, security consultant, cyber security engineer, security architect, security operations and maintenance engineer, penetration engineer, information security manager, data security engineer, cyber security operations engineer, cyber security emergency response engineer, data appraiser, cyber security product manager, cyber security service engineer, cyber security trainer, cyber security auditor, threat intelligence analyst, disaster recovery professional, hands-on attack and defense professional...

Great career potential

The network security major has strong technical characteristics, especially mastering the core network architecture and security technology in the work, which has an irreplaceable competitive advantage in career development.

As personal ability keeps improving, the professional value of the work grows with accumulated experience and project maturity, and the room for growth keeps expanding, which is the main reason the field is so popular.

To some extent, cyber security is like the medical profession: the older you get, the more sought-after you become. As your skills mature, your work is naturally valued more, and promotions and raises follow.

How to learn hacking and cyber security

Today, as long as you give my article a thumbs-up, I will share my private collection of online security learning materials with you for free, so let’s see what is there.

1. Learning roadmap


There is also a lot to learn in attack and defense; everything specific is laid out in the roadmap above. If you work through it, getting a job or taking freelance work will not be a problem.

2. Video Tutorial

Although there are many learning resources online, they are mostly incomplete. This is a cyber security video tutorial I recorded myself, with a matching video explanation for every knowledge point in the roadmap above.

The content covers cyber security law, security operations and related assurance assessments, penetration testing basics, detailed vulnerability explanations, basic computer knowledge and so on, all of which you need to know when getting started in cyber security.

(It’s all packed into one piece and cannot be unfolded one by one. There are more than 300 episodes in total)

Due to limited space, only part of the material is shown here; click the link below to get it all.

If you want to get started with cyber security, you can click here to get the full 282G beginner-to-advanced learning resource package, shared for free.

3. Technical documents and e-books

The technical documents are also compiled by myself, including my experience and technical points of participating in large-scale network security operations, CTF and SRC vulnerability mining. There are also more than 200 e-books. Due to the sensitivity of the content, I will not show them one by one.


4. Toolkit, interview questions and source code

"To do a good job, you must first sharpen your tools." I have collected dozens of the most popular hacking tools, mainly covering information gathering, Android hacking tools, automation tools, phishing and so on. Interested readers should not miss them.

There is also the source code of the case and the corresponding toolkit mentioned in my video, which can be taken away if needed.

Finally, there are interview questions about Internet security that I have sorted out in the past few years. If you are looking for a job in Internet security, they will definitely help you a lot.

These questions are often encountered during interviews with Sangfor, Qi Anxin, Tencent or other major companies. If you have good questions or good insights, please share them.

Reference analysis: Sangfor official website, Qi Anxin official website, Freebuf, csdn, etc.

Content features: clear organization, including graphic representation, which is easier to understand.

Summary of content: Including intranet, operating system, protocol, penetration test, security service, vulnerability, injection, XSS, CSRF, SSRF, file upload, file download, file inclusion, XXE, logic vulnerability, tool, SQLmap, NMAP, BP, MSF…

