With the emergence of remote code execution (RCE) vulnerabilities in ubiquitous libraries and advanced social engineering techniques, threat actors have started conducting widespread fileless cryptojacking attacks. These attacks have become effective with stealthy techniques based on PowerShell-based exploitation in Windows OS environments. Even if attacks are detected and malicious scripts removed, processes may remain operational on victim endpoints, creating a significant challenge for detection mechanisms. In this paper, we conducted an experimental study with a collected dataset on detecting PowerShell-based fileless cryptojacking scripts. The results showed that Abstract Syntax Tree (AST)-based fine-tuned CodeBERT achieved a high recall rate, proving the importance of the use of AST integration and fine-tuned pre-trained models for programming language.

翻译：随着通用库中远程代码执行（RCE）漏洞的出现以及高级社会工程学技术的发展，威胁行为者开始大规模实施无文件挖矿攻击。这类攻击借助Windows操作系统环境中基于PowerShell的漏洞利用技术，以隐蔽手段实现了有效威胁。即便攻击被检测到且恶意脚本被清除，受害终端上的进程仍可能保持运行状态，这给检测机制带来了重大挑战。本文通过收集数据集开展了针对PowerShell无文件挖矿脚本检测的实验研究。结果表明，基于抽象语法树（AST）微调的CodeBERT模型实现了高召回率，验证了AST集成与编程语言微调预训练模型相结合的重要性。