Equivocal Behaviour Tool Thesis
I built an asynchronous sandbox-analysis tool for my BSc thesis to detect equivocal behaviours in trusted Windows software.
Equivocal Behaviour Tool Thesis
This project is my Bachelor of Engineering thesis at the University of Sannio: Extracting Equivocal Behaviours from Trusted Systems.
The work studies software that appears trustworthy but performs behaviours that are undocumented, privacy-sensitive, or potentially useful in an attack chain. The thesis frames those behaviours as a software supply-chain security problem: trusted software can still expose users to hidden telemetry, reconnaissance, or advanced operating-system utility abuse.
What I Built
I designed an asynchronous multithreaded Python CLI that orchestrates sandbox analysis across Hybrid Analysis, VirusTotal, and ANY.RUN. The tool collects and normalizes execution traces for Windows 10/11 binaries, then supports MITRE ATT&CK-based analysis of behaviours observed during execution.
Research Method
- Reviewed 60 MITRE ATT&CK Enterprise techniques
- Defined 12 Equivocal Software Behaviours
- Analyzed 36 SourceForge-categorized goodware binaries
- Cleaned and explored sandbox JSON outputs with Python, Pandas, Seaborn, and Jupyter
- Mapped observed behaviours to ATT&CK-inspired categories
Outcome
The analysis detected system reconnaissance and advanced OS utility exploitation in all analyzed trusted-system samples. The result is a reproducible thesis workflow for making hidden software behaviours visible and discussable, especially in software transparency and supply-chain security contexts.
Public Proof
- Repository: https://github.com/RenatoMignone/Equivocal-Behaviour-Tool-Thesis
- Zenodo record: https://zenodo.org/records/19262869
- DOI: 10.5281/zenodo.19262869