Utilizing Memory Analysis of Windows 10 Systems to Identify Malicious Attacks via PowerShell
Gardado en:
| Publicado en: | ProQuest Dissertations and Theses (2025) |
|---|---|
| Autor Principal: | |
| Publicado: |
ProQuest Dissertations & Theses
|
| Materias: | |
| Acceso en liña: | Citation/Abstract Full Text - PDF |
| Etiquetas: |
Sen Etiquetas, Sexa o primeiro en etiquetar este rexistro!
|
| Resumo: | PowerShell, a versatile scripting language, is often exploited by attackers due to its ability to automate tasks on Windows operating systems. This study used a quantitative quasi-experimental, single-subject A-B-A design to investigate the impact of PowerShell processes on computer memory (RAM) and storage devices (HDD). The experiments were conducted on virtual machines (VM) with Hyper-V, using Windows Server 2022 as the host operating system and Windows 10 v.20H2 as the target VM. Kali Linux v.2021.2 served as the remote system for PowerShell attacks. The A-B-A single-subject design involved acquiring RAM and HDD data before running PowerShell code (A), during the code execution (B), and after stopping the PowerShell process (A2). The study used a Social Engineering Attack via PowerShell that connects a reverse shell to Kali. The PowerShell script was modified to bypass Windows Defender and executed remotely. The study aimed to compare RAM and storage by examining indicators of compromise (IOC) or locating the actual code. The analysis used the Bayesian Network to compare the probability of the RAM to the storage device. The results of the treatment experiments (B) showed a 0.9876 probability of finding the encoded and decoded code in RAM, while only 0.6658 of finding the encoded code on the storage device. These findings have practical implications for cybersecurity and digital forensics. The experiments were designed to provide valuable insights into the impact of PowerShell processes on computer memory and storage devices.  |
|---|---|
| ISBN: | 9798310144514 |
| Fonte: | Publicly Available Content Database |