Question 1

How do I check if a PowerShell script is malicious without running it?

Accepted Answer

Paste the script into ShieldScope's sandbox analyzer. It performs static inspection — reading the code without executing it — and applies pattern matching to detect dangerous functions like Invoke-Expression (IEX), Invoke-WebRequest, DownloadString, and Set-MpPreference. It also decodes any base64-encoded content and extracts embedded URLs, domains, and IP addresses.

Question 2

Can ShieldScope detect obfuscated PowerShell?

Accepted Answer

Yes. ShieldScope identifies common PowerShell obfuscation techniques including -EncodedCommand (base64-encoded commands passed to the PowerShell runtime), Invoke-Expression (IEX) for dynamic code execution, and FromBase64String. It decodes base64 strings found in the script and scans the decoded content for additional indicators, making it effective against layered obfuscation.

Question 3

What PowerShell indicators does ShieldScope detect?

Accepted Answer

ShieldScope detects: Invoke-Expression (IEX), -EncodedCommand, Invoke-WebRequest, New-Object Net.WebClient, DownloadString, DownloadFile, Set-MpPreference and Add-MpPreference (Windows Defender tampering), execution policy bypass, hidden window flags (-WindowStyle Hidden), LOLBIN abuse (certutil, bitsadmin, mshta, regsvr32), System.Reflection assembly loading, scheduled task creation, registry modification, and service manipulation.

Question 4

What are LOLBINs and how does ShieldScope detect them?

Accepted Answer

LOLBINs (Living-Off-the-Land Binaries) are trusted Windows system tools abused by attackers to carry out malicious actions without deploying custom malware. ShieldScope detects references to: certutil (used to decode base64 payloads), bitsadmin (used to download files via the trusted BITS service), mshta (used to execute HTML Application files), and regsvr32 (used to execute remote COM scriptlets as an application control bypass).

Question 5

What is the difference between static analysis and dynamic analysis?

Accepted Answer

Static analysis inspects code without executing it — examining text patterns, function names, and structure. Dynamic analysis (sandboxing) runs the code in a controlled environment to observe runtime behavior. ShieldScope performs static analysis only. This means it is fast and safe, but cannot detect behavior that only emerges at runtime, such as environment-dependent logic or runtime-decrypted payloads.

Question 6

Can ShieldScope analyze JavaScript malware?

Accepted Answer

Yes. ShieldScope detects JavaScript obfuscation and malicious patterns including eval() (dynamic code execution), atob() (base64 decoding), document.write() (DOM injection used in drive-by downloads), String.fromCharCode() (character encoding obfuscation), new Function() (eval alternative), dynamic script element injection, and forced browser redirects. These are the primary techniques used in malicious ad scripts, phishing pages, and browser exploit kits.

Question 7

Is it safe to use ShieldScope to analyze suspicious scripts?

Accepted Answer

Yes. ShieldScope performs read-only static analysis — the script is never executed at any point. Your submission is transmitted over HTTPS, analyzed on the server, and discarded immediately after results are returned. No data is stored. Avoid pasting scripts that contain credentials, internal hostnames, or sensitive organizational data.

Question 8

What sandbox-exclusive signals does ShieldScope add to URL analysis?

Accepted Answer

In addition to standard URL analysis (redirect chains, domain age, SSL posture, deception detection), the sandbox URL analyzer adds domain name entropy scoring — high Shannon entropy is a signal of algorithmically generated domains used by malware — and detection of suspicious file extensions in the URL path, such as .ps1, .exe, .bat, .hta, and .dll, which are frequently observed in malware delivery URLs.

Suspicious Artifact Analyzer