
Living off the Land Binaries with Virtual Machines / Exploiting virtual machines to inject ransomware

Lingaas Türk, Jakob (January 2021)
As the threat of ransomware increases, the ever-growing demand for more efficient cybersecurity implementations invites cybercriminals to find new methods of bypassing these countermeasures. One method for bypassing potential antivirus software is to use the binaries already present on the victim device, causing damage through trusted binaries that do not trigger Windows Defender (or similar antivirus measures).

This thesis attempts to use virtual machines as a living off the land binary. By utilizing the virtual environment of Windows ISO images within a hypervisor, the attacker can download and execute a binary without being stopped by the bare metal host's IDS or IPS. As the attacker controls the virtual environment, they can disable Windows Defender within the virtual machine and acquire the ransomware without the upper layer of IDS or IPS even noticing, meaning they also remain stealthy for a persistent engagement. The attacker would then proceed to use the shared folder functionality of the hypervisor and target a directory with sensitive files, before executing the binary within the virtual machine. To the bare metal host, it would look like a hypervisor process is affecting the files within the shared folder, which does not raise any alarms. However, what is actually happening is that the ransomware of the attacker's choice has encrypted the files of the target directory (or mounted drive, depending on the method used), and can now continue to the next directory (or drive).

The results of this work showed that virtual machines can be used for living off the land binaries attacks by utilizing either the shared folder functionality of a specific hypervisor, or by mounting a drive to a virtual machine. The experiments were proven to work within their own parameters, assuming certain requirements are fulfilled for the attack to be doable. Defenders can tweak IDS and IPS policies to limit or warn when a user accesses or changes partitions, or limit the accessibility of the hypervisors native to the machine.
