Machine Learning for Offensive Security: Sandbox Classification Using Decision Trees and Artificial Neural Networks
Will Pearce, Nick Landers, and Nancy Fulda

TL;DR
This paper explores how an offensive security team uses machine learning models, specifically decision trees and artificial neural networks, to recognize sandboxes from process list data so that phishing payloads do not execute under analysis.
Contribution
It presents a practical application of ML models to sandbox detection in offensive security, with insight into their effectiveness drawn from a real operational team.
Findings
Decision Trees successfully classify sandboxes using process list data.
Artificial Neural Networks also effectively detect sandboxes.
The study demonstrates ML's role in supporting offensive cybersecurity tasks.
Abstract
The merits of machine learning in information security have primarily focused on bolstering defenses. However, machine learning (ML) techniques are not reserved for organizations with deep pockets and massive data repositories; the democratization of ML has led to a rise in the number of security teams using ML to support offensive operations. The research presented here will explore two models that our team has used to solve a single offensive task, detecting a sandbox. Using process list data gathered with phishing emails, we will demonstrate the use of Decision Trees and Artificial Neural Networks to successfully classify sandboxes, thereby avoiding unsafe execution. This paper aims to give unique insight into how a real offensive team is using machine learning to support offensive operations.
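The following is an added example, not the authors' code, data or trained model, showing the decision-tree half of the approach end to end: a phishing payload reports the host's process list, the list is turned into features, and an information-gain decision tree learned from labelled lists decides whether execution is safe. The ten process lists are constructed by hand; the bag-of-process-names feature set, the 20-process count threshold and the train/predict helper names are assumptions made for this illustration, not details from the paper.

```python
"""Decision-tree sandbox classifier over process-list features (added example).

Not the paper's code or data. Training lists are constructed; the feature set
and the 20-process threshold are assumptions for illustration.
"""
import math
from collections import Counter

# Processes present on every Windows host, sandbox or not.
BASE = ["System", "smss.exe", "csrss.exe", "wininit.exe", "services.exe",
        "lsass.exe", "svchost.exe", "explorer.exe"]

# Constructed training set: (process names reported by the payload, label).
# label 1 = sandbox / analysis VM, label 0 = real user workstation.
SAMPLES = [
    (BASE + ["vmtoolsd.exe", "procmon.exe", "chrome.exe"], 1),
    (BASE + ["VBoxService.exe", "wireshark.exe", "OUTLOOK.EXE"], 1),
    (BASE + ["vmtoolsd.exe", "sysmon.exe", "dwm.exe", "Teams.exe"], 1),
    (BASE + ["VBoxTray.exe", "apimonitor.exe", "OneDrive.exe"], 1),
    (BASE + ["chrome.exe", "OUTLOOK.EXE", "dwm.exe", "OneDrive.exe", "Teams.exe",
             "spoolsv.exe", "SearchIndexer.exe", "taskhostw.exe", "RuntimeBroker.exe",
             "sihost.exe", "ctfmon.exe", "MsMpEng.exe", "EXCEL.EXE", "Slack.exe"], 0),
    (BASE + ["firefox.exe", "OUTLOOK.EXE", "dwm.exe", "OneDrive.exe", "spoolsv.exe",
             "SearchIndexer.exe", "taskhostw.exe", "RuntimeBroker.exe", "MsMpEng.exe",
             "WINWORD.EXE", "Spotify.exe", "Code.exe"], 0),
    (BASE + ["chrome.exe", "Teams.exe", "dwm.exe", "OneDrive.exe", "taskhostw.exe",
             "RuntimeBroker.exe", "sihost.exe", "ctfmon.exe", "MsMpEng.exe",
             "steam.exe", "Discord.exe", "Zoom.exe"], 0),
    # Developer box that is itself a VMware guest: guest tools present, still a real user.
    (BASE + ["chrome.exe", "OUTLOOK.EXE", "dwm.exe", "Teams.exe", "spoolsv.exe",
             "SearchIndexer.exe", "RuntimeBroker.exe", "sihost.exe", "ctfmon.exe",
             "MsMpEng.exe", "EXCEL.EXE", "Code.exe", "vmtoolsd.exe"], 0),
    (BASE + ["firefox.exe", "OUTLOOK.EXE", "dwm.exe", "OneDrive.exe", "Teams.exe",
             "spoolsv.exe", "SearchIndexer.exe", "taskhostw.exe", "sihost.exe",
             "ctfmon.exe", "Slack.exe", "Discord.exe"], 0),
    # Freshly logged-in user: short list, but no hypervisor or analysis tooling.
    (BASE + ["OUTLOOK.EXE", "chrome.exe", "dwm.exe"], 0),
]

PROC_COUNT_THRESHOLD = 20  # assumption: sandboxes tend to run few processes
COUNT_FEATURE = "proc_count_ge_%d" % PROC_COUNT_THRESHOLD


def featurize(procs, vocab):
    """Binary presence feature per known process name, plus a process-count flag."""
    names = {p.lower() for p in procs}          # case-insensitive: OUTLOOK.EXE == outlook.exe
    feats = {name: int(name in names) for name in vocab}
    feats[COUNT_FEATURE] = int(len(procs) >= PROC_COUNT_THRESHOLD)
    return feats


def entropy(labels):
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())


def information_gain(rows, feat):
    on = [y for x, y in rows if x[feat]]
    off = [y for x, y in rows if not x[feat]]
    if not on or not off:
        return 0.0
    n = len(rows)
    return entropy([y for _, y in rows]) - len(on) / n * entropy(on) - len(off) / n * entropy(off)


def build_tree(rows, depth=0, max_depth=4):
    """ID3-style tree: ("leaf", label) or ("node", feature, subtree_if_0, subtree_if_1)."""
    labels = [y for _, y in rows]
    majority = Counter(labels).most_common(1)[0][0]
    if len(set(labels)) == 1 or depth == max_depth:
        return ("leaf", majority)
    best, best_gain = None, 0.0
    for feat in sorted(rows[0][0]):              # sorted: deterministic tie-breaking
        gain = information_gain(rows, feat)
        if gain > best_gain + 1e-12:
            best, best_gain = feat, gain
    if best is None:
        return ("leaf", majority)
    off = [r for r in rows if not r[0][best]]
    on = [r for r in rows if r[0][best]]
    return ("node", best, build_tree(off, depth + 1, max_depth), build_tree(on, depth + 1, max_depth))


def predict(tree, feats):
    while tree[0] == "node":
        _, feat, off, on = tree
        tree = on if feats.get(feat, 0) else off
    return tree[1]


def rules(tree, indent=0):
    """Human-readable split rules, so an operator can audit what the tree keys on."""
    pad = "  " * indent
    if tree[0] == "leaf":
        return [pad + ("-> sandbox" if tree[1] else "-> real host")]
    _, feat, off, on = tree
    return ([pad + "if not %s:" % feat] + rules(off, indent + 1)
            + [pad + "if %s:" % feat] + rules(on, indent + 1))


def train(samples):
    vocab = sorted({p.lower() for procs, _ in samples for p in procs})
    rows = [(featurize(procs, vocab), y) for procs, y in samples]
    return build_tree(rows), vocab


def is_sandbox(model, procs):
    """True means: do not execute the payload on this host."""
    tree, vocab = model
    return predict(tree, featurize(procs, vocab)) == 1


if __name__ == "__main__":
    model = train(SAMPLES)
    print("\n".join(rules(model[0])))
    print("sandbox:", is_sandbox(model, BASE + ["vmtoolsd.exe", "x64dbg.exe"]))
```

On this constructed set the root split is the process-count flag, and the lower splits key on chrome.exe and dwm.exe simply because those happen to separate the one short-listed real host from the sandboxes; a sandbox that runs a browser and a window manager with a short process list is therefore classified as a real host. That is the overfitting an operator must expect from a handful of samples, and the reason to audit the rules before letting the model gate execution. The neural network in the paper would consume the same feature vector in place of the tree.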
