When it comes to data exfiltration, creativity and thinking outside the box are the most important. To remember: the term “living off the land” (LOL) was coined by malware researchers Christopher Campbell and Matt Graeber to explain the use of trusted, pre-installed system tools to spread malware. There are a few different types of LOL techniques, including LOLBins, which use Windows binaries to hide malicious activity; LOLLibs, which use libraries; and LOLScripts, which use scripts.
This time, I managed to find another unexpected way using the WCF Data Service Client Utility (DataSvcUtil.exe). DataSvcUtil.exe is a command-line tool provided by…
To evade detection and analysis by security researchers, malware may check whether it is running in a virtualized environment, such as a virtual machine in VirtualBox or VMware. If these checks indicate that it is being run in a VM, the malware will simply not run and, in some cases, will delete itself to prevent analysis.
A common approach to analyse potentially malicious software is dynamic analysis. The binary is executed in an analysis environment, usually a Virtual Machine (VM), and its behaviour in the system is inspected.
Many Virtual Machine Environments (VMEs) are easily detectable:
When working with Tweet data, there are two classes of geographical metadata. You can use the following search to find any media items tagged with a specific GPS location:
Important Notes: Geographical coordinates are provided in the [LONG, LAT] order. The one exception is the deprecated ‘geo’ attribute, which has the reverse [LAT, LONG] order. …
The term “living off the land” (LOL) was coined by malware researchers Christopher Campbell and Matt Graeber to explain the use of trusted, pre-installed system tools to spread malware. There are a few different types of LOL techniques, including LOLBins, which use Windows binaries to hide malicious activity; LOLLibs, which use libraries; and LOLScripts, which use scripts.
You can check a lot of tricks on “https://github.com/LOLBAS-Project/LOLBAS” — Living Off The Land Binaries And Scripts — (LOLBins and LOLScripts).
My first discovery was a simple way to abuse the Microsoft Windows Defender utility [“C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9–0\ConfigSecurityPolicy.exe”] to exfil data:
While updating my parser for Pastebin, I found a rather interesting PHP webshell and decided to decode it out of curiosity. For this kind of analysis I always recommend using CyberChef, basically a Swiss Army knife for things like cryptography, encoding, compression and data analysis, and it will be the only thing you need to reproduce this article and apply it to other obfuscations, encodings and analysis of related malware.
The Win32_TemperatureProbe WMI class represents the properties of a temperature sensor (electronic thermometer).
Most of the information that the Win32_TemperatureProbe WMI class provides comes from SMBIOS. Real-time readings for the CurrentReading property cannot be extracted from SMBIOS tables. For this reason, current implementations of WMI do not populate the CurrentReading property. The CurrentReading property’s presence is reserved for future use.
Win32_TemperatureProbe has 35 properties:
reverse engineering and malware tales | LinkedIn: @isdebuggerpresent