{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,25]],"date-time":"2026-02-25T17:13:35Z","timestamp":1772039615845,"version":"3.50.1"},"publisher-location":"Cham","reference-count":32,"publisher":"Springer International Publishing","isbn-type":[{"value":"9783030220372","type":"print"},{"value":"9783030220389","type":"electronic"}],"license":[{"start":{"date-parts":[[2019,1,1]],"date-time":"2019-01-01T00:00:00Z","timestamp":1546300800000},"content-version":"tdm","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2019]]},"DOI":"10.1007\/978-3-030-22038-9_12","type":"book-chapter","created":{"date-parts":[[2019,6,9]],"date-time":"2019-06-09T23:02:31Z","timestamp":1560121351000},"page":"240-259","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":23,"title":["PowerDrive: Accurate De-obfuscation and Analysis of PowerShell Malware"],"prefix":"10.1007","author":[{"given":"Denis","family":"Ugarte","sequence":"first","affiliation":[]},{"given":"Davide","family":"Maiorca","sequence":"additional","affiliation":[]},{"given":"Fabrizio","family":"Cara","sequence":"additional","affiliation":[]},{"given":"Giorgio","family":"Giacinto","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2019,6,6]]},"reference":[{"key":"12_CR1","doi-asserted-by":"crossref","unstructured":"Anckaert, B., Madou, M., Sutter, B.D., Bus, B.D., Bosschere, K.D., Preneel, B.: Program obfuscation: a quantitative approach. In: Proceedings of the 2007 ACM Workshop on Quality of Protection, QoP 2007, pp. 15\u201320. ACM, New York (2007)","DOI":"10.1145\/1314257.1314263"},{"key":"12_CR2","doi-asserted-by":"crossref","unstructured":"Bichsel, B., Raychev, V., Tsankov, P., Vechev, M.: Statistical deobfuscation of android applications. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS 2016, pp. 343\u2013355. ACM, New York (2016)","DOI":"10.1145\/2976749.2978422"},{"key":"12_CR3","unstructured":"Bohannon, D.: Invoke-obfuscation. \n                      https:\/\/github.com\/danielbohannon\/Invoke-Obfuscation"},{"key":"12_CR4","unstructured":"Bohannon, D., Holmes, L.: Revoke-obfuscation (2017). \n                      https:\/\/github.com\/danielbohannon\/Revoke-Obfuscation"},{"key":"12_CR5","unstructured":"Bohannon, D., Holmes, L.: Revoke-obfuscation: powershell obfuscation detection using science (2017). \n                      https:\/\/www.fireeye.com\/content\/dam\/fireeye-www\/blog\/pdfs\/revoke-obfuscation-report.pdf"},{"key":"12_CR6","unstructured":"Security Boulevard. Following a trail of confusion: PowerShell in malicious office documents (2018). \n                      https:\/\/www.bromium.com\/powershell-malicious-office-documents\/"},{"key":"12_CR7","unstructured":"Collberg, C., Thomborson, C., Low, D.: A taxonomy of obfuscating transformations. Technical report 148, Department of Computer Sciences, The University of Auckland, July 1997"},{"key":"12_CR8","doi-asserted-by":"crossref","unstructured":"Coogan, K., Lu, G., Debray, S.K.: Deobfuscation of virtualization-obfuscated software: a semantics-based approach. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, CCS 2011, pp. 275\u2013284. ACM, New York (2011)","DOI":"10.1145\/2046707.2046739"},{"key":"12_CR9","unstructured":"ESET. VBA dynamic hook (2016). \n                      https:\/\/github.com\/eset\/vba-dynamic-hook"},{"key":"12_CR10","unstructured":"FireEye. Malicious PowerShell detection via machine learning, July 2018. \n                      https:\/\/www.fireeye.com\/blog\/threat-research\/2018\/07\/malicious-powershell-detection-via-machine-learning.html"},{"key":"12_CR11","unstructured":"O\u2019Reilly, U.-M., Rusak, G., Al-Dujaili, A.: Poster: AST-based deep learning for detecting malicious PowerShell. CoRR, abs\/1810.09230 (2018)"},{"key":"12_CR12","unstructured":"Google. Virustotal. \n                      https:\/\/www.virustotal.com"},{"key":"12_CR13","unstructured":"Grant, D.: Deobfuscating PowerShell: putting The toothpaste back in the tube, October 2018. \n                      https:\/\/www.endgame.com\/blog\/technical-blog\/deobfuscating-powershell-putting-toothpaste-back-tube"},{"key":"12_CR14","doi-asserted-by":"crossref","unstructured":"Hendler, D., Kels, S., Rubin, A.: Detecting malicious PowerShell commands using deep neural networks. In: Proceedings of the 2018 on Asia Conference on Computer and Communications Security, ASIACCS 2018, pp. 187\u2013197. ACM, New York (2018)","DOI":"10.1145\/3196494.3196511"},{"key":"12_CR15","unstructured":"Kruegel, C., Robertson, W., Valeur, F., Vigna, G.: Static disassembly of obfuscated binaries. In Proceedings of the 13th Conference on USENIX Security Symposium, SSYM 2004, vol. 13, p. 18. USENIX Association, Berkeley (2004)"},{"key":"12_CR16","unstructured":"Malwarebytes. State of Malware Report (2019). \n                      https:\/\/resources.malwarebytes.com\/files\/2019\/01\/Malwarebytes-Labs-2019-State-of-Malware-Report-2.pdf"},{"key":"12_CR17","unstructured":"McAfee. Fileless malware execution with PowerShell is easier than you may realize (2017). \n                      https:\/\/www.mcafee.com\/enterprise\/en-us\/assets\/solution-briefs\/sb-fileless-malware-execution.pdf"},{"key":"12_CR18","unstructured":"McAfee. Labs Threats Report, September 2018. \n                      https:\/\/www.mcafee.com\/enterprise\/en-us\/assets\/reports\/rp-quarterly-threats-sep-2018.pdf"},{"key":"12_CR19","unstructured":"Microsoft Corporation. PowerShell. \n                      https:\/\/docs.microsoft.com\/en-us\/powershell\/scripting\/powershell-scripting?view=powershell-6"},{"key":"12_CR20","unstructured":"PaloAlto. Pulling back the curtains on encoded command PowerShell attacks (2017). \n                      https:\/\/researchcenter.paloaltonetworks.com\/2017\/03\/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks\/"},{"key":"12_CR21","unstructured":"PDQ. Powershell Commands List. \n                      https:\/\/www.pdq.com\/powershell\/"},{"key":"12_CR22","unstructured":"R3RUM. Psdecode (2018). \n                      https:\/\/github.com\/R3MRUM\/PSDecode"},{"key":"12_CR23","unstructured":"Rapid7. Metasploit. \n                      https:\/\/www.metasploit.com"},{"key":"12_CR24","unstructured":"Rousseau, A.: Hijacking.net to defend PowerShell. CoRR, abs\/1709.07508 (2017)"},{"key":"12_CR25","doi-asserted-by":"crossref","unstructured":"Sharif, M., Lanzi, A., Giffin, J., Lee, W.: Automatic reverse engineering of malware emulators. In: 2009 30th IEEE Symposium on Security and Privacy, pp. 94\u2013109, May 2009","DOI":"10.1109\/SP.2009.27"},{"key":"12_CR26","unstructured":"Sophos. SophosLabs 2019 Threat Report (2018). \n                      https:\/\/www.sophos.com\/en-us\/medialibrary\/pdfs\/technical-papers\/sophoslabs-2019-threat-report.pdf"},{"key":"12_CR27","unstructured":"Symantec. Internet Security Threat Report, March 2018. \n                      https:\/\/www.symantec.com\/content\/dam\/symantec\/docs\/reports\/istr-23-2018-en.pdf"},{"key":"12_CR28","unstructured":"Trustedsec. Social engineering toolkit. \n                      https:\/\/github.com\/trustedsec\/social-engineer-toolkit"},{"key":"12_CR29","unstructured":"Udupa, S.K., Debray, S.K., Madou, M.: Deobfuscation: reverse engineering obfuscated code. In: 12th Working Conference on Reverse Engineering (WCRE 2005), 10 pp.-54, November 2005"},{"key":"12_CR30","unstructured":"Ugarte, D.: Powerdrive (2019). \n                      https:\/\/github.com\/denisugarte\/PowerDrive"},{"key":"12_CR31","unstructured":"Wong, M.Y., Lie, D.: Tackling runtime-based obfuscation in android with TIRO. In: Proceedings of the 27th USENIX Conference on Security Symposium, SEC 2018, pp. 1247\u20131262. USENIX Association, Berkeley (2018)"},{"key":"12_CR32","doi-asserted-by":"crossref","unstructured":"Yadegari, B., Johannesmeyer, B., Whitely, B., Debray, S.K.: A generic approach to automatic deobfuscation of executable code. In: 2015 IEEE Symposium on Security and Privacy, pp. 674\u2013691, May 2015","DOI":"10.1109\/SP.2015.47"}],"container-title":["Lecture Notes in Computer Science","Detection of Intrusions and Malware, and Vulnerability Assessment"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-030-22038-9_12","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2019,6,9]],"date-time":"2019-06-09T23:10:25Z","timestamp":1560121825000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/978-3-030-22038-9_12"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019]]},"ISBN":["9783030220372","9783030220389"],"references-count":32,"URL":"https:\/\/doi.org\/10.1007\/978-3-030-22038-9_12","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2019]]},"assertion":[{"value":"6 June 2019","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"DIMVA","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Gothenburg","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Sweden","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2019","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"19 June 2019","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"20 June 2019","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"16","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"dimva2019","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/www.dimva2019.org\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Double-blind","order":1,"name":"type","label":"Type","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information"}},{"value":"dimca2019.hotcrp.com","order":2,"name":"conference_management_system","label":"Conference Management System","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information"}},{"value":"80","order":3,"name":"number_of_submissions_sent_for_review","label":"Number of Submissions Sent for Review","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information"}},{"value":"23","order":4,"name":"number_of_full_papers_accepted","label":"Number of Full Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information"}},{"value":"0","order":5,"name":"number_of_short_papers_accepted","label":"Number of Short Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information"}},{"value":"29% - The value is computed by the equation \"Number of Full Papers Accepted \/ Number of Submissions Sent for Review * 100\" and then rounded to a whole number.","order":6,"name":"acceptance_rate_of_full_papers","label":"Acceptance Rate of Full Papers","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information"}},{"value":"3","order":7,"name":"average_number_of_reviews_per_paper","label":"Average Number of Reviews per Paper","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information"}},{"value":"6","order":8,"name":"average_number_of_papers_per_reviewer","label":"Average Number of Papers per Reviewer","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information"}},{"value":"Yes","order":9,"name":"external_reviewers_involved","label":"External Reviewers Involved","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information"}}]}}