Detecting Fileless Cryptojacking in PowerShell Using AST-Enhanced CodeBERT Models
This addresses the challenge of stealthy cryptojacking for cybersecurity, though it appears incremental as it builds on existing pre-trained models with AST enhancements.
The paper tackled the problem of detecting fileless cryptojacking attacks using PowerShell in Windows environments by fine-tuning CodeBERT with Abstract Syntax Tree (AST) integration, achieving a high recall rate in experimental results.
With the emergence of remote code execution (RCE) vulnerabilities in ubiquitous libraries and advanced social engineering techniques, threat actors have started conducting widespread fileless cryptojacking attacks. These attacks have become effective with stealthy techniques based on PowerShell-based exploitation in Windows OS environments. Even if attacks are detected and malicious scripts removed, processes may remain operational on victim endpoints, creating a significant challenge for detection mechanisms. In this paper, we conducted an experimental study with a collected dataset on detecting PowerShell-based fileless cryptojacking scripts. The results showed that Abstract Syntax Tree (AST)-based fine-tuned CodeBERT achieved a high recall rate, proving the importance of the use of AST integration and fine-tuned pre-trained models for programming language.