Think Inside the Box - In-the-Wild Abuse of Windows Sandbox in Targeted Attacks

Black Hat via YouTube

Overview

Explore how cybercriminals exploit Windows Sandbox as a defensive evasion technique in this 25-minute Black Hat conference presentation. Learn about the fundamentals of Windows Sandbox, a lightweight virtualization mechanism introduced in 2018 for testing suspicious applications in isolated environments. Discover how the APT group Earth Kasha, operating under the APT10 umbrella, weaponized this legitimate Windows feature to conceal malicious activities from endpoint protection platforms and EDR solutions. Examine the detailed attack chain beginning with spear-phishing emails delivering the ANEL backdoor, followed by the deployment of secondary payload NOOPDOOR within Windows Sandbox using .wsb configuration files, network access enablement, and host folder mapping. Analyze the adversary's use of installer scripts to extract components from password-protected WinRAR archives and their implementation of TOR applications to obscure backdoor traffic. Gain insights into the specific tactics, techniques, and procedures (TTPs) employed for defensive evasion and acquire actionable countermeasures for prevention and threat hunting to defend against similar sandbox abuse techniques in targeted attacks.

Syllabus

Think Inside the Box: In-the-Wild Abuse of Windows Sandbox in Targeted Attacks

Taught by

Black Hat
