🤖 AI Summary
This study addresses the emerging cybersecurity threat posed by the misuse of generative artificial intelligence to produce PowerShell-based malware. To systematically evaluate this risk, we introduce a dedicated dynamic analysis sandbox—the first of its kind specifically designed for AI-generated PowerShell malicious scripts—and release the first real-world dataset of such scripts accompanied by natural language annotations. Leveraging this framework, we fine-tune and assess open-source large language models, employing Jaccard similarity metrics alongside runtime malicious behavior tracking. Our experiments demonstrate that the AI-generated scripts exhibit a high degree of behavioral fidelity to real-world malware at the operating system level, achieving a median Jaccard index of 84.5%, with 48.4% of generated samples showing complete overlap in malicious behaviors.
📝 Abstract
Generative AI has emerged as a significant cybersecurity threat, with several recent attack campaigns leveraging LLMs to generate code for malicious purposes via scripting languages such as PowerShell. Consequently, for cybersecurity analysts, it is imperative to investigate the offensive capabilities of AI code generators. In this paper, we propose an experimental framework to assess LLM-generated PowerShell malware, which comprises a novel sandbox approach for dynamic analysis of AI-generated malware. Furthermore, we present a novel, manually curated dataset of real-world PowerShell malware, annotated in natural language to assist the training and evaluation of LLMs. Finally, this study evaluates permissive, open-weight LLMs adapted to PowerShell malware generation. Our results reveal a high degree of similarity between real malware and LLM-generated ones in terms of triggered OS malicious events, with a median Jaccard index of 84.5% and 48.4% of instances achieving complete overlap.