https://github.com/ghostpack/invoke-evasion
PowerShell Obfuscation and Data Science
- Host: GitHub
- URL: https://github.com/ghostpack/invoke-evasion
- Owner: GhostPack
- License: bsd-3-clause
- Created: 2022-04-05T06:08:31.000Z (about 4 years ago)
- Default Branch: main
- Last Pushed: 2022-05-04T17:02:16.000Z (about 4 years ago)
- Last Synced: 2025-06-10T09:06:44.150Z (12 months ago)
- Language: Jupyter Notebook
- Size: 47 MB
- Stars: 174
- Watchers: 9
- Forks: 27
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Invoke-Evasion
This repository contains various datasets, Jupyter notebooks, and machine learning models that accompany the "Learning Machine Learning" series of blog posts:
- [Learning Machine Learning Part 1: Introduction and Revoke-Obfuscation](https://posts.specterops.io/learning-machine-learning-part-1-introduction-and-revoke-obfuscation-c73033184f0)
- [Learning Machine Learning Part 2: Attacking White Box Models](https://posts.specterops.io/learning-machine-learning-part-2-attacking-white-box-models-1a10bbb4a2ae)
- [Learning Machine Learning Part 3: Attacking Black Box Models](https://posts.specterops.io/learning-machine-learning-part-3-attacking-black-box-models-3efffc256909)
## Structure
./notebooks/
- **Feature Selection.ipynb** - code for performing the various types of feature selection
- **LogisticRegression.ipynb** - training a tuned Logistic Regression model on the augmented obfuscated PowerShell dataset
- **TreeModels.ipynb** - training various tree ensemble models on the augmented obfuscated PowerShell dataset
- **NeuralNetworks.ipynb** - training various Neural Network models on the augmented obfuscated PowerShell dataset
- **WhiteBox.ipynb** - white box attacks against the trained Logistic Regression and LightGBM Classifier
- **WhiteBox-NeutalNetwork.ipynb** - white box attacks against the trained Neural Network
- **BlackBox.ipynb** - black box attacks against the trained models
- **BlackBox-Model3.ipynb** - optimization attacks against model 3, the trained Neural Network
./models/
- **tuned_ridge.bin** - Pickled tuned L2 (Ridge) regularized Logistic Regression model pipeline trained on the augmented obfuscated PowerShell dataset
- **tuned_lgbm.bin** - Pickled tuned LightGBM classifier model trained on the augmented obfuscated PowerShell dataset (note that unpickling executes code from the file, so only load these `.bin` files from a checkout you trust)
- **./neural_network/** - Saved model weights for a 4-layer, 192-neuron Neural Network with a dropout rate of 0.5
./datasets/
- **PowerShellCorpus.ast.csv.7z** - compressed csv of AST features extracted from an augmented PowerShell corpus dataset of 14702 samples
- **BlackBoxData.ast.csv.7z** - compressed csv of AST features extracted from a subset of the PowerShell corpus (3000 samples)
./PS-AST/
- C# project that integrates the [checks from Revoke-Obfuscation](https://github.com/danielbohannon/Revoke-Obfuscation/tree/master/Checks) (by Daniel Bohannon & Lee Holmes, Apache License 2.0) to generate the AST feature files. Also contains **SplitScriptFunctions**, which writes every function in a script to a separate file; this is used for data augmentation.
./samples/
- Various adversarial samples generated by white/black box evasion methods
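The white-box and black-box notebooks listed above attack models trained on AST feature vectors. The following is an added example, not code from this repository or its notebooks, showing the core mechanic of both attack styles against a linear model in plain Python: a z-score scaler plus ridge-regularized logistic regression stands in for the `tuned_ridge.bin` pipeline, the feature names and toy corpus are constructed and are not the repository's real columns, and the set of "attacker-controllable" features (add comments, add variables, strip backticks) is an assumption made for the example. The white-box attacker reads the per-feature gradient straight off the known weights (folding in the scaler); the black-box attacker only has a score oracle and probes each controllable feature before each move.

```python
"""Added example (not part of Invoke-Evasion): greedy white-box and score-based
black-box evasion of a ridge logistic regression over constructed AST features."""
import math
import random

# Constructed feature names, loosely modelled on AST statistics; NOT the repo's real columns.
FEATURES = ["CharEntropy", "BacktickCount", "InvokeExpressionCount", "CommentCount", "VariableCount"]


def make_dataset(n_per_class=40, seed=7):
    """Constructed toy corpus: label 1 = obfuscated, 0 = benign."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n_per_class):
        rows.append(([rng.uniform(4.6, 5.6), rng.randint(4, 20), rng.randint(1, 3),
                      rng.randint(0, 1), rng.randint(2, 10)], 1))
        rows.append(([rng.uniform(3.4, 4.3), rng.randint(0, 1), 0,
                      rng.randint(2, 15), rng.randint(3, 15)], 0))
    return rows


def _sigmoid(t):
    t = max(-500.0, min(500.0, t))  # clip so exp() cannot overflow
    return 1.0 / (1.0 + math.exp(-t))


class RidgeLogit:
    """z-score scaler + L2 (ridge) logistic regression fitted by batch gradient descent.
    Stands in for the scaler+classifier pipeline shape of tuned_ridge.bin (assumption)."""

    def __init__(self, l2=0.01, lr=0.2, epochs=1000):
        self.l2, self.lr, self.epochs = l2, lr, epochs

    def _scale(self, x):
        return [(v - m) / s for v, m, s in zip(x, self.mean, self.std)]

    def fit(self, rows):
        X, y = [r[0] for r in rows], [r[1] for r in rows]
        n, d = len(X), len(X[0])
        self.mean = [sum(x[j] for x in X) / n for j in range(d)]
        self.std = [max(1e-9, math.sqrt(sum((x[j] - self.mean[j]) ** 2 for x in X) / n))
                    for j in range(d)]
        Z = [self._scale(x) for x in X]
        self.w, self.b = [0.0] * d, 0.0
        for _ in range(self.epochs):
            gw, gb = [0.0] * d, 0.0
            for z, t in zip(Z, y):
                err = _sigmoid(sum(wj * zj for wj, zj in zip(self.w, z)) + self.b) - t
                gw = [g + err * zj for g, zj in zip(gw, z)]
                gb += err
            self.w = [wj - self.lr * (g / n + self.l2 * wj) for wj, g in zip(self.w, gw)]
            self.b -= self.lr * gb / n
        return self

    def logit(self, x):
        return sum(wj * zj for wj, zj in zip(self.w, self._scale(x))) + self.b

    def predict_proba(self, x):
        return _sigmoid(self.logit(x))

    def predict(self, x):
        return int(self.logit(x) >= 0)

    def raw_gradient(self):
        """d logit / d raw feature j = w_j / std_j: the scaler must be folded in."""
        return [wj / sj for wj, sj in zip(self.w, self.std)]


def white_box_evade(model, x, controllable, step=1.0, max_steps=500):
    """White-box: use the known weights and greedily move the controllable feature with the
    steepest logit decrease per unit. controllable maps feature index -> allowed direction
    (+1 add only, e.g. comments; -1 remove only, e.g. backticks); counts never go below 0."""
    x, allowed, grad, steps = list(x), dict(controllable), model.raw_gradient(), 0
    while model.predict(x) == 1 and steps < max_steps and allowed:
        j = min(allowed, key=lambda k: grad[k] * allowed[k])
        if grad[j] * allowed[j] >= 0:
            break  # no remaining controllable feature lowers the score
        x[j] += allowed[j] * step
        steps += 1
        if x[j] <= 0 and allowed[j] < 0:
            x[j] = 0.0
            del allowed[j]
    return x, steps


def black_box_evade(oracle, x, controllable, step=1.0, max_steps=500):
    """Score-based black-box: no weights, only oracle(x) -> P(obfuscated). Probe each
    controllable feature one step ahead, keep the move that lowers the score most.
    Returns the evasive sample and the number of oracle queries spent."""
    x, allowed, queries = list(x), dict(controllable), 0
    while allowed and queries <= max_steps * (len(controllable) + 1):
        base = oracle(x); queries += 1
        if base < 0.5:
            break
        best, best_j = 0.0, None
        for j, d in allowed.items():
            probe = list(x); probe[j] = max(0.0, probe[j] + d * step)
            delta = oracle(probe) - base; queries += 1
            if delta < best:
                best, best_j = delta, j
        if best_j is None:
            break  # every probe raised or left the score unchanged
        x[best_j] = max(0.0, x[best_j] + allowed[best_j] * step)
        if x[best_j] <= 0 and allowed[best_j] < 0:
            del allowed[best_j]
    return x, queries


def demo():
    model = RidgeLogit().fit(make_dataset())
    sample = [5.1, 12, 2, 0, 4]                 # constructed "obfuscated" AST vector
    attacker_can = {3: +1, 1: -1, 4: +1}        # add comments, strip backticks, add variables
    wb, steps = white_box_evade(model, sample, attacker_can)
    bb, queries = black_box_evade(model.predict_proba, sample, attacker_can)
    return model, sample, wb, steps, bb, queries


if __name__ == "__main__":
    model, sample, wb, steps, bb, queries = demo()
    print("original  :", sample, "P(obf)=%.3f" % model.predict_proba(sample))
    print("white-box :", wb, "steps=%d P(obf)=%.3f" % (steps, model.predict_proba(wb)))
    print("black-box :", bb, "queries=%d P(obf)=%.3f" % (queries, model.predict_proba(bb)))
```

Two caveats the toy glosses over and the real notebooks have to deal with: a derived feature such as character entropy shifts as a side effect of adding comments or variables, so feature-space moves must be re-measured on the actual modified script, and every move must be realised as an edit that keeps the script executing. The black-box variant also pays roughly one oracle query per controllable feature per step, which is the cost a rate-limited or logged scoring endpoint would expose.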