New world of cyber threats – playing with sandboxes

18 August 2017

In his work to support red teaming activities at PwC by identifying new techniques to test companies’ defences, Matt Wixey, who leads the research function in the firm’s Threat and Vulnerability Management (TVM) team in the UK, has developed a tool called SandGrox, which aims to detect and bypass sandboxes and emulators. This was recently demonstrated at CRESTCon and the IISP Congress 2017.

When the TVM team performs a red team engagement, we try to hack into a client’s network using methodologies and techniques which are as realistic as possible, simulating real adversaries and using the same approach a real attacker would, by adopting tactics based on cutting-edge threat intelligence. This includes an in-depth reconnaissance phase, targeted emails and social engineering campaigns, specially-purchased domains, and customised malware. All of course done with their prior permission and causing no harm, but helping them to strengthen defences against real attackers in future.

One of the problems we often face is that, having spent a lot of time doing research, enumeration, and preparation, and having delivered a highly-targeted and handcrafted campaign, our malware gets executed in a sandbox – an emulated environment which automatically runs unknown programs and decides if they are malicious or not.

If the sandbox decides our malware is suspicious, we can find our domains blacklisted – meaning we have to start again with a fresh campaign. Our malware could even get reverse-engineered and signatured by antivirus vendors, which would potentially compromise our campaigns for other clients. And it can mean we cannot penetrate the network perimeter at all until we get past the sandbox.

I was asked to do a research project on detecting and bypassing sandboxes, with a view to incorporating the results into our malware. Not only would this help us avoid getting blacklisted and detected during red team engagements, but it would also provide an even more realistic service. Attackers in the wild are very aware of the problems sandboxes cause, and are constantly looking for ways to solve them. By doing the same thing, we’re reflecting this trend – and also making it more likely that we will get into clients’ internal networks, therefore adding much more value to engagements for our clients.

The resulting tool – SandGrox – has over 100 checks to detect sandboxed environments. These are mostly product-independent, and in most cases incorporate passive activity which is unlikely to trigger any alerts. About 40 of the checks were based on publicly-known techniques; the remainder were new techniques developed in-house.

Some preliminary testing shows that the tool can detect sandboxed and virtual environments with very high rates of accuracy. And surprisingly, a lot of the older, publicly-known techniques are still very effective.

If your organisation uses sandbox technology or emulators – either at the network perimeter or on individual hosts on an internal network – you should be aware that adversaries are constantly seeking to detect and bypass such protections, and, based on the SandGrox testing results, can sometimes do so by relying on publicly available techniques. This can render such protections redundant, and is a key reminder of the need for ‘defence in depth’ – layering security so that even if malware does successfully penetrate one or more of those layers, there are reliable fallback mechanisms in place.

For full technical details of our research or for more information about cyber security, please email Matt Wixey.

Matt Wixey