Extracting Equivocal Behaviours from Trusted Systems
Description
This thesis investigates equivocal software behaviours (ESBs) - actions performed by trusted software that are not explicitly communicated to the user and may raise concerns about privacy, integrity, or data confidentiality. The work contributes to the broader discussion on software transparency, SBOM adoption, and supply chain security.
Context and motivation
Software supply chain attacks grew from 1% of total attacks in 2020 to 17% in 2021 (ENISA, 2023). Notable incidents such as the SolarWinds Orion compromise, the Colonial Pipeline ransomware attack, and the Log4j vulnerability demonstrated that trusted software components can silently act as attack vectors. This thesis addresses the need for software transparency by identifying and classifying behaviours that trusted software performs without user disclosure.
Methodology
Using the MITRE ATT&CK Enterprise Matrix (v4.0) as a reference framework, 60 techniques were reviewed through a peer-review and card-sorting process, resulting in the definition of 12 Equivocal Software Behaviours (ESBs):
- ESB1 - System Analysis and Resource Discovery
- ESB2 - Network Enumeration and Analysis
- ESB3 - Network Traffic Manipulation and Covert Communications
- ESB4 - Scripting and Code Execution
- ESB5 - Task Scheduling and System Automation
- ESB6 - Advanced OS Utility Exploitation and Interaction
- ESB7 - Privilege Manipulation
- ESB8 - Software Extension and Interaction
- ESB9 - Control Evasion and Analysis Avoidance
- ESB10 - Logging Evasion and Indirect Software Execution
- ESB11 - Encryption Manipulation
- ESB12 - Media Capture
A custom asynchronous multithreaded Python tool was developed to automate the submission and parallel analysis of 36 goodware binaries across three sandbox platforms via their REST APIs:
- Hybrid Analysis (Falcon Sandbox) - static and dynamic analysis on Windows 10 and Windows 11
- VirusTotal - distributed sandbox network including CAPA, CAPE, and ZENBOX
- ANY.RUN - interactive real-time analysis with forensic data collection
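The submission tool itself is not reproduced on this page. The block below is an added example, not the thesis's code, of the pattern the two passages above describe: a bounded-concurrency asyncio submit-and-poll loop over several sandbox platforms, followed by tagging each report's ATT&CK technique IDs with one of the twelve ESBs and computing per-ESB prevalence across the sample set. The technique-to-ESB assignment, the in-memory backends and the sample bytes are constructed assumptions; in real use `submit`/`poll` would wrap each platform's file-submission and report endpoints (for VirusTotal, `POST /api/v3/files` followed by `GET /api/v3/analyses/{id}`) and the semaphore size would follow that platform's rate limit.

```python
"""Added example: bounded-concurrency sandbox submission and ESB tagging.

Not the thesis's tool. The ATT&CK-to-ESB mapping, the in-memory sandbox
backends and the sample bytes are constructed assumptions for this example.
"""
import asyncio
import hashlib
from collections import defaultdict
from typing import Awaitable, Callable, Dict, List, Optional, Set

# ASSUMPTION: illustrative assignment of ATT&CK technique IDs to the twelve ESBs.
# The thesis's own 60-technique assignment is not reproduced on this page.
TECHNIQUE_TO_ESB = {
    "T1082": "ESB1",   # System Information Discovery
    "T1057": "ESB1",   # Process Discovery
    "T1016": "ESB2",   # System Network Configuration Discovery
    "T1573": "ESB3",   # Encrypted Channel
    "T1059": "ESB4",   # Command and Scripting Interpreter
    "T1053": "ESB5",   # Scheduled Task/Job
    "T1106": "ESB6",   # Native API
    "T1548": "ESB7",   # Abuse Elevation Control Mechanism
    "T1176": "ESB8",   # Browser Extensions
    "T1497": "ESB9",   # Virtualization/Sandbox Evasion
    "T1070": "ESB10",  # Indicator Removal
    "T1486": "ESB11",  # Data Encrypted for Impact
    "T1125": "ESB12",  # Video Capture
}
ALL_ESBS = [f"ESB{i}" for i in range(1, 13)]

Submit = Callable[[bytes], Awaitable[str]]           # sample -> job id
Poll = Callable[[str], Awaitable[Optional[dict]]]    # job id -> report, or None while running


class Sandbox:
    """One platform; submit/poll wrap its REST submit and report endpoints."""

    def __init__(self, name: str, submit: Submit, poll: Poll,
                 max_parallel: int, poll_interval: float = 0.0) -> None:
        self.name, self.submit, self.poll = name, submit, poll
        self.poll_interval = poll_interval
        self._slots = asyncio.Semaphore(max_parallel)  # per-platform rate/quota guard

    async def analyse(self, sample: bytes) -> Set[str]:
        async with self._slots:
            job_id = await self.submit(sample)
            while (report := await self.poll(job_id)) is None:
                await asyncio.sleep(self.poll_interval)
        return set(report.get("attack_ids", []))


async def analyse_all(samples: Dict[str, bytes],
                      sandboxes: List[Sandbox]) -> Dict[str, Dict[str, Set[str]]]:
    """Every sample to every sandbox concurrently; result[sample][platform] = technique IDs."""
    tasks = {(s, sb.name): asyncio.create_task(sb.analyse(data))
             for s, data in samples.items() for sb in sandboxes}
    await asyncio.gather(*tasks.values())
    out: Dict[str, Dict[str, Set[str]]] = defaultdict(dict)
    for (s, platform), task in tasks.items():
        out[s][platform] = task.result()
    return dict(out)


def esb_prevalence(results: Dict[str, Dict[str, Set[str]]]) -> Dict[str, float]:
    """Fraction of samples where at least one platform reported a technique mapped to each ESB."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for sample, per_platform in results.items():
        for ids in per_platform.values():
            for tid in ids:
                if tid in TECHNIQUE_TO_ESB:
                    seen[TECHNIQUE_TO_ESB[tid]].add(sample)
    return {esb: len(seen[esb]) / len(results) for esb in ALL_ESBS}


def fake_backend(canned: Dict[str, Set[str]], polls_until_done: int = 2):
    """Constructed in-memory stand-in for a sandbox API: None for a few polls, then the report."""
    pending: Dict[str, int] = {}

    async def submit(sample: bytes) -> str:
        job_id = hashlib.sha256(sample).hexdigest()
        pending[job_id] = polls_until_done
        return job_id

    async def poll(job_id: str) -> Optional[dict]:
        if pending[job_id] > 0:
            pending[job_id] -= 1
            return None
        return {"attack_ids": sorted(canned.get(job_id, set()))}

    return submit, poll


# Constructed samples (stand-ins for goodware binaries) and canned per-platform findings.
SAMPLES = {"browser.exe": b"sample-A", "player.exe": b"sample-B", "editor.exe": b"sample-C"}


def _h(name: str) -> str:
    return hashlib.sha256(SAMPLES[name]).hexdigest()


CANNED = {
    "Hybrid Analysis": {_h("browser.exe"): {"T1082", "T1016", "T1106"},
                        _h("player.exe"): {"T1082", "T1106", "T1125"},
                        _h("editor.exe"): {"T1082", "T1106", "T1053"}},
    "VirusTotal": {_h("browser.exe"): {"T1082", "T1057"}, _h("editor.exe"): {"T1497"}},
    "ANY.RUN": {_h("player.exe"): {"T1082"}},
}


async def _demo() -> Dict[str, float]:
    # Sandboxes are built inside the running loop so the semaphores bind to it.
    sandboxes = [Sandbox(name, *fake_backend(canned), max_parallel=2)
                 for name, canned in CANNED.items()]
    return esb_prevalence(await analyse_all(SAMPLES, sandboxes))


def run_demo() -> Dict[str, float]:
    return asyncio.run(_demo())


if __name__ == "__main__":
    for esb, frac in run_demo().items():
        print(f"{esb:6} {frac:.0%}")
```

Prevalence is taken as the union over platforms, which is the reading that matches "detected in 100% of the analysed binaries": a behaviour counts for a sample if any of the three sandboxes reported it, so a platform that returns thinner reports (the page ranks Hybrid Analysis as the most complete) lowers nothing.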
Dataset
36 goodware binaries, classified using the SourceForge category taxonomy, covering system software (20%), productivity (15%), multimedia (15%), internet (13%), communications (11%), and other categories (26%).
Key findings
- ESB1 (System Analysis and Resource Discovery) and ESB6 (Advanced OS Utility Exploitation and Interaction) were detected in 100% of the analysed binaries, including widely used browsers and streaming platforms
- ESB3 (Network Traffic Manipulation and Covert Communications) and ESB11 (Encryption Manipulation) were not detected in any of the analysed binaries
- Hybrid Analysis proved to be the most comprehensive platform, consistently returning the most complete behavioural reports
- Trusted software routinely exhibits behaviours typical of malware reconnaissance, without any user disclosure
Conclusions
In the absence of transparent declarations from vendors - such as Software Bill of Materials (SBOM) - undocumented actions in trusted software constitute a concrete privacy risk and a silent attack vector for advanced adversaries.
Files
mignone-renato-bachelor-thesis-2024.pdf (402.4 kB, md5:96b47b8dd4586417b17a815029055745)