2021 IEEE Symposium on Security and Privacy (SP) 2021
DOI: 10.1109/sp40001.2021.00047

Survivalism: Systematic Analysis of Windows Malware Living-Off-The-Land

Abstract: As malware detection algorithms and methods become more sophisticated, malware authors adopt equally sophisticated evasion mechanisms to defeat them. Anecdotal evidence claims Living-Off-The-Land (LotL) techniques are one of the major evasion techniques used in many malware attacks. These techniques leverage binaries already present in the system to conduct malicious actions. We present the first large-scale systematic investigation of the use of these techniques by malware on Windows systems. In this paper, we…

Cited by 26 publications (17 citation statements)
References 17 publications
“…They then collected OSINT data like domain names and social media information of 30 companies to determine how much information is available to the adversaries. Additional works on APTs analysis focused on describing the phases of the attacks and possible countermeasures [10], the analysis of the malware employed in a few well-known campaigns [21], or the prevalence of living-off-the-land techniques in certain samples [51].…”
Section: Analysis Of Attackers Characteristics (mentioning)
confidence: 99%
“…As a result, it significantly increases the aptitude for detection and prevention of fileless malware [49] and Living-Off-The-Land (LotL) attacks [50] as shown in Section V.…”
Section: Process 5 - Update Existing Resource(s) (mentioning)
confidence: 99%
“…Hence, if an attacker compromises the employee's endpoint, it is extremely unlikely that further malicious tools can execute as their hash and relevant information are not present on-chain. Nevertheless, malware executed directly from memory (e.g., fileless malware [49]) or malicious activities leveraging valid and legitimate system tools such as PowerShell, also known as LotL attacks [50], are still a risk to take into consideration.…”
Section: Test Environment and Implementation (mentioning)
confidence: 99%
“…Operating system files and malware often have similar behaviors, which probably confuse the detection models and even a trained analyst [8]. Therefore, in order to help SeqNet observe the general differences between malicious and benign programs and make SeqNet more robust, we add about 10,000 system files as benign data.…”
Section: Training Dataset (mentioning)
confidence: 99%