Powershell Deobfuscation: Putting the toothpaste back in the tube

BSidesCharm 2018

Presented by: Daniel Grant
Date: Saturday April 28, 2018
Time: 17:00 - 17:20
Location: Track 2

In an effort to give analysts a clearer picture of what happened after exploitation and to save them time, we've developed a tool for detecting and deobfuscating obfuscated PowerShell scripts. The pipeline starts with a machine learning classifier that determines whether a file is obfuscated or encoded, then reverses any encoding and any easy-to-decipher obfuscation it finds, and finishes the more difficult deobfuscation tasks with a neural network text translation framework.
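As an added illustration of the "reverse any encoding" stage (this is not the talk's tool or any Endgame code), the snippet below peels nested -EncodedCommand and FromBase64String layers off a PowerShell command line and then computes a few cheap indicators of the kind a classifier might consume; the regexes, the feature set and the sample command line are constructed for this example.

```python
# Added example: strip the easy encoding layers, then score simple obfuscation features.
import base64, binascii, math, re
from collections import Counter
# -e / -ec / -en / -enc / -EncodedCommand take base64 of a UTF-16LE script.
ENC_FLAG = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})", re.I)
B64_CALL = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)

def _looks_like_script(text):
    """Accept only printable, mostly ASCII text; rejects bytes decoded with the wrong charset."""
    return bool(text) and all(c.isprintable() or c.isspace() for c in text) \
        and sum(ord(c) < 128 for c in text) >= 0.9 * len(text)

def decode_b64(blob):
    """Base64-decode and try UTF-16LE (what PowerShell uses) and then UTF-8; None if neither fits."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    for enc in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if _looks_like_script(text):
            return text
    return None

def unwrap(cmdline, max_depth=5):
    """Peel nested -EncodedCommand / FromBase64String layers; return (script, layers_removed)."""
    lit = lambda s: None if s is None else "'" + s.replace("'", "''") + "'"
    text, layers = cmdline, 0
    while layers < max_depth:
        m = ENC_FLAG.search(text)
        if m and (dec := decode_b64(m.group(1))) is not None:
            text = dec                      # the whole command line was the payload
        else:
            new = B64_CALL.sub(lambda mm: lit(decode_b64(mm.group(1))) or mm.group(0), text)
            if new == text:
                break                       # nothing left that decodes
            text = new                      # decoded literal replaces the call
        layers += 1
    return text, layers

def indicators(script):
    """Cheap obfuscation features (constructed here; not the talk's feature set)."""
    n, counts = max(len(script), 1), Counter(script)
    return {
        "entropy": round(-sum(c / n * math.log2(c / n) for c in counts.values()), 3),
        "special_ratio": round(sum(not c.isalnum() and not c.isspace() for c in script) / n, 3),
        "backticks": script.count("`"),
        "string_concats": len(re.findall(r"['\"]\s*\+\s*['\"]", script)),
    }

def encode_command(script):  # builds an encoded command line from plain script, for round-trip checks
    return "powershell.exe -nop -w hidden -enc " + base64.b64encode(script.encode("utf-16-le")).decode()

SAMPLE = "powershell.exe -nop -w hidden -enc ZABpAHIA"   # constructed: 'dir' in UTF-16LE base64
```

`unwrap(SAMPLE)` yields `("dir", 1)`; the indicators are deliberately simple and are only meant to show the kind of signal the classifier stage could be fed.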

Daniel Grant

Daniel Grant is a Data Scientist at Endgame where he focuses primarily on multi-class malware identification, model validation, and system behavioral analysis. He has an MS in Operations Research from Georgia Tech.

