Output list
Conference proceeding
Multi-Stage Payload Execution with Fragmented Double-Layer Encoding
Date presented 19/10/2025
Proceedings / ACS/IEEE International Conference on Computer Systems and Applications
IEEE/ACS 22nd International Conference on Computer Systems and Applications (AICCSA) 2025, 19/10/2025–22/10/2025
This study provides a comprehensive examination of AtomBombing, a stealthy fileless code injection technique that leverages the Windows Global Atom Table for covert payload storage and execution. Unlike traditional injection strategies that rely on memory manipulation or file-based artifacts, AtomBombing avoids direct memory writes and operates entirely through legitimate Windows APIs, making it exceptionally evasive against modern endpoint detection and response tools. Through our proof-of-concept (PoC) implementations, we demonstrate how adversaries could exploit atom-based payload fragmentation, double-layer encoding, and time-based triggers to execute malicious tasks while minimizing forensic visibility. Building on those PoCs, we introduce ABOMB-FOD, a 1.2 MB multistage loader that survives reboots, bypasses User Account Control, and still fits comfortably within the Atom Table capacity limits (≤ 65,535 entries × 255 B ≈ 16 MB). The AtomBombing Process Orchestrator illustrates the ability to securely store encrypted payloads and orchestrate parallel execution using PowerShell, while the Atom Table Backdoor showcases persistent command-and-control behavior activated under specific system conditions. Our findings underscore the inadequacy of current security solutions in monitoring Atom Table interactions: critical API functions remain largely overlooked in behavioral analysis, despite their potential for stealthy data injection. Consistent with this blind spot, our evaluation confirms that standard defenses, including Windows Defender with cloud protection enabled, fail to detect or flag AtomBombing activity, even while ABOMB-FOD or other payloads are executing and network interactions are in progress.
We note that a straightforward heuristic, such as flagging any process that issues more than a certain number of GlobalAddAtomW invocations (e.g., 500) within a short time window (e.g., one minute) and stores high-entropy data, can be effective in identifying candidates for further investigation.
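The heuristic above is concrete enough to run over API-call telemetry. The following is an added example, written for this page and not code from the paper: it keeps a per-process sliding window of GlobalAddAtomW calls, measures the Shannon entropy of each stored atom string, and flags a process once more than 500 calls fall inside one minute with a high mean entropy. The trace line format (`<ISO-8601 timestamp> pid=<n> api=<name> data=<atom string>`), the 4.5 bits/char entropy cut-off and the sample trace are all assumptions made for the example; the 500-call and one-minute figures are the paper's own.

```python
"""Sliding-window heuristic for fragmented atom-table payload storage.

Assumed (not from the paper) trace format, one API call per line:
    <ISO-8601 timestamp> pid=<n> api=<function> data=<atom string>
"""
import base64
import math
import random
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(r"^(\S+) pid=(\d+) api=(\w+) data=(.*)$")

CALL_THRESHOLD = 500            # GlobalAddAtomW calls per window (paper's example value)
WINDOW = timedelta(seconds=60)  # sliding window length (paper's example value)
ENTROPY_THRESHOLD = 4.5         # bits/char; assumed cut-off between names and encoded data


def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_line(line: str):
    """Return (timestamp, pid, api, data) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, pid, api, data = m.groups()
    return datetime.fromisoformat(ts), int(pid), api, data


def detect(lines, call_threshold=CALL_THRESHOLD, window=WINDOW,
           entropy_threshold=ENTROPY_THRESHOLD):
    """Map pid -> (calls_in_window, mean_entropy) for every process that issues
    more than call_threshold GlobalAddAtomW calls inside `window` while the atoms
    stored in that window are, on average, above entropy_threshold."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e[0])
    windows = defaultdict(deque)  # pid -> deque of (timestamp, entropy), oldest first
    alerts = {}
    for ts, pid, api, data in events:
        if api != "GlobalAddAtomW":
            continue
        q = windows[pid]
        q.append((ts, shannon_entropy(data)))
        while ts - q[0][0] > window:      # drop calls that fell out of the window
            q.popleft()
        if len(q) > call_threshold and pid not in alerts:
            mean_h = sum(h for _, h in q) / len(q)
            if mean_h > entropy_threshold:
                alerts[pid] = (len(q), round(mean_h, 2))
    return alerts


def build_sample_trace():
    """Constructed trace for the example: pid 1000 registers ordinary window-class
    names at a slow rate; pid 4242 sprays 600 base64 fragments in 30 seconds, the
    pattern a fragmented atom-table loader produces. Deterministic via a fixed seed."""
    rng = random.Random(7)
    t0 = datetime(2025, 10, 19, 10, 0, tzinfo=timezone.utc)
    lines = []
    benign = ["Chrome_WidgetWin_1", "WindowsForms10.Window.8.app.0",
              "MSCTFIME UI", "Shell_TrayWnd", "tooltips_class32"]
    for i in range(40):  # 40 calls spread over 20 minutes
        ts = t0 + timedelta(seconds=30 * i)
        lines.append(f"{ts.isoformat()} pid=1000 api=GlobalAddAtomW data={benign[i % 5]}")
    for i in range(600):  # 600 fragments, one every 50 ms
        ts = t0 + timedelta(milliseconds=50 * i)
        frag = base64.b64encode(bytes(rng.getrandbits(8) for _ in range(150))).decode()
        lines.append(f"{ts.isoformat()} pid=4242 api=GlobalAddAtomW data={frag}")
    return lines


if __name__ == "__main__":
    for pid, (calls, mean_h) in detect(build_sample_trace()).items():
        print(f"pid {pid}: {calls} GlobalAddAtomW calls in window, mean entropy {mean_h} bits/char")
```

Two practical caveats: atom strings are capped at 255 characters, and the Shannon entropy of a short string is bounded by log2(length), so ordinary class names never approach the cut-off while base64 or hex fragments of payload land well above it; and because only GlobalAddAtomW is counted, a loader that alternates between the ANSI and Unicode variants, or that uses GlobalAddAtomEx, needs those names added to the filter.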
Conference proceeding
Ransomware Encryption Detection: Adaptive File System Analysis Against Evasive Encryption Tactics
Published 2025
Information Security and Privacy, 399 - 414
30th Australasian Conference on Information Security and Privacy (ACISP 2025), 14/07/2025–16/07/2025, Wollongong, Australia
In the rapidly evolving field of cybersecurity, ransomware poses an escalating threat; adversaries employ advanced encryption techniques to render critical data inaccessible and evade traditional defenses. Specifically, ransomware developers utilize intricate strategies that undermine heuristic file monitoring and file system attribute analysis, rendering current detection methods ineffective against such attacks. This study tests and analyzes the performance of models that focus on the file system level. The goal is to improve detection by using statistically measurable attributes that are specific to the file system; for instance, such attributes can be derived from the blocks of the write buffer transmitted from endpoints to storage servers. We investigate the effectiveness of various machine learning classifiers in detecting encryption activities at the storage level, using a substantial dataset of 32.6 GB comprising 11,928 files encrypted by 75 ransomware families. We integrate novel statistical components to augment the system's ability to detect encryption, notwithstanding the adaptive tactics of ransomware that reduce entropy measures and alter call frequencies to evade classification. Our in-depth study examines these classifiers in the context of ransomware that uses partial and intermittent encryption, and applies online learning methods to keep the classifiers adaptable in a threat environment that changes quickly. In benchmark tests, the Hoeffding Tree algorithm consistently performs well, and especially so against ransomware families that use intermittent encryption.
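The abstract's point that intermittent encryption "reduces entropy measures" is easy to see on a write buffer. The following is an added example, written for this page and not code from the paper: it builds a low-entropy document, encrypts only every fourth 4 KiB block, and compares a whole-file entropy rule with block-level statistics over the same buffer. The block size, the two thresholds and the sample document are assumptions for the example, and the "cipher" is a seeded XOR keystream standing in for real cipher output (it produces the same near-uniform byte distribution; it is not a cipher and does not match any ransomware family's scheme).

```python
"""Whole-file versus block-level entropy under intermittent encryption."""
import math
import random
from collections import Counter

BLOCK_SIZE = 4096              # assumed write-buffer block size
FILE_ENTROPY_THRESHOLD = 7.0   # assumed: a file-level rule in bits/byte
BLOCK_ENTROPY_THRESHOLD = 7.5  # assumed: a per-block rule in bits/byte


def entropy_bits(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def make_plaintext(size: int) -> bytes:
    """Constructed low-entropy document: repeated ASCII prose, truncated to `size`."""
    text = b"Quarterly report: revenue, costs, and headcount by region. "
    return (text * (size // len(text) + 1))[:size]


def intermittent_encrypt(plain: bytes, every_nth: int, seed: int = 3) -> bytes:
    """Overwrite every `every_nth` block with keystream-XORed data, leave the rest.
    Stand-in for cipher output: a seeded pseudorandom keystream gives the same
    near-uniform byte distribution a real cipher would. Not a cipher."""
    rng = random.Random(seed)
    out = bytearray(plain)
    for start in range(0, len(plain), BLOCK_SIZE * every_nth):
        for i in range(start, min(start + BLOCK_SIZE, len(plain))):
            out[i] ^= rng.getrandbits(8)
    return bytes(out)


def block_features(buf: bytes, block_size: int = BLOCK_SIZE) -> dict:
    """File-level entropy next to block-level statistics of the same buffer."""
    blocks = [buf[i:i + block_size] for i in range(0, len(buf), block_size)]
    hs = [entropy_bits(b) for b in blocks]
    high = sum(h > BLOCK_ENTROPY_THRESHOLD for h in hs)
    file_h = entropy_bits(buf)
    return {
        "file_entropy": round(file_h, 3),
        "max_block_entropy": round(max(hs), 3),
        "high_entropy_block_fraction": high / len(hs),
        "flag_file_level": file_h > FILE_ENTROPY_THRESHOLD,
        "flag_block_level": high > 0,
    }


if __name__ == "__main__":
    doc = make_plaintext(16 * BLOCK_SIZE)
    for label, nth in (("full encryption", 1), ("every 4th block", 4)):
        print(label, block_features(intermittent_encrypt(doc, every_nth=nth)))
```

With every fourth block encrypted the whole-file entropy stays under the 7.0 bits/byte rule, because three quarters of the bytes still follow the plaintext distribution, while the per-block maximum sits near 8 bits/byte and a quarter of the blocks cross the block rule; that gap is what a storage-side classifier working on write-buffer blocks can exploit.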
Conference proceeding
A Decentralized Blockchain-Enabled Federated Learning Approach for Vehicular Networks
Published 2023
2023 5th International Conference on Sustainable Technologies for Industry 5.0 (STI), 1 - 6
5th International Conference on Sustainable Technologies for Industry 5.0 (STI) 2023, 09/12/2023–10/12/2023, Dhaka, Bangladesh
Data from interconnected vehicles may contain sensitive information such as location, driving behavior, personal identifiers, etc. Without adequate safeguards, sharing this data jeopardizes data privacy and system security. The current centralized data-sharing paradigm in these systems raises particular concerns about data privacy. Recognizing these challenges, the shift towards decentralized interactions in technology, as echoed by the principles of Industry 5.0, becomes paramount. This work is closely aligned with these principles, emphasizing decentralized, human-centric, and secure technological interactions in an interconnected vehicular ecosystem. To embody this, we propose a practical approach that merges two emerging technologies: Federated Learning (FL) and Blockchain. The integration of these technologies enables the creation of a decentralized vehicular network. In this setting, vehicles can learn from each other without compromising privacy while also ensuring data integrity and accountability. Initial experiments show that, compared to conventional decentralized federated learning techniques, our proposed approach significantly enhances the performance and security of vehicular networks. The system's accuracy stands at 91.92%. While this may appear low in comparison to state-of-the-art federated learning models, our work is noteworthy because, unlike others, it was achieved in a malicious vehicle setting. Despite the challenging environment, our method maintains high accuracy, making it a competent solution for preserving data privacy in vehicular networks.