Living off the Land Binaries with Virtual Machines
Halmstad University.
2021 (English). Independent thesis, advanced level (degree of Master (One Year)), 10 credits / 15 HE credits. Student thesis.
Alternative title: Using virtual machines to inject ransomware (Swedish original: Att utnyttja virtuella maskiner för att injicera ransomware)
Abstract [en]

As the threat of ransomware increases, the ever-growing demand for more efficient cybersecurity implementations invites cybercriminals to find new methods of bypassing these countermeasures. One method for bypassing potential antivirus software is to use the binaries already present on the victim device, causing damage by using trusted binaries which do not trigger Windows Defender (or similar antivirus measures).

This thesis attempts to use virtual machines as a living off the land binary. By utilizing the virtual environment of Windows ISO images within a hypervisor, the attacker can download and execute a binary without being stopped by the bare metal host's IDS or IPS. As the attacker controls the virtual environment, they can disable Windows Defender within the virtual machine and acquire the ransomware without the upper layer of IDS or IPS even noticing, meaning they also remain stealthy for a persistent engagement. The attacker would then proceed to use the shared folder functionality of the hypervisor and target a directory with sensitive files, before executing the binary within the virtual machine. To the bare metal host, it would look like a hypervisor process is affecting the files within the shared folder, which does not raise any alarms. However, what is actually happening is that the ransomware of the attacker's choice has encrypted the files of the target directory (or mounted drive, depending on the method used), and can now continue to the next directory (or drive).

The results of this work showed that virtual machines can be used for living off the land binary attacks by utilizing either the shared folder functionality of a specific hypervisor, or by mounting a drive to a virtual machine. The experiments were proven to work within their own parameters, assuming certain requirements are fulfilled for the attack to be doable.

Defenders can tweak IDS and IPS policies to limit or warn when a user accesses or changes partitions, or limit the accessibility of the hypervisors native to the machine.

Place, publisher, year, edition, pages
2021, p. 21
Keywords [en]
LOLbin, Living off the land, virtual machine escape, fileless malware
National Category
Computer Sciences
Identifiers
URN: urn:nbn:se:hh:diva-44842
OAI: oai:DiVA.org:hh-44842
DiVA id: diva2:1569079
Subject / course
Digital Forensics
Educational program
Master's Programme in Network Forensics, 60 credits
Available from: 2021-06-11. Created: 2021-06-18. Last updated: 2021-06-22. Bibliographically approved.

Open Access in DiVA

Fulltext (1561 kB), 969 downloads
File information
File name: FULLTEXT02.pdf
File size: 1561 kB
Checksum (SHA-512): 801d832254c56705ed5f6f8dc55b99deb2904ae9cf6d5075bf027cc8c45de77e1fe0173fd23e3e27691353dc58319f9baae257c24d88c8fc23aafe4a34d51079
Type: fulltext
Mimetype: application/pdf

By organisation
Halmstad University
Computer Sciences
