
DownLOLoloaders

February 19, 2021 in Anti-Forensics, Compromise Detection, Living off the land, Reusigned Binaries

The previous posts about hosts files build a foundation for the trick I wanted to cover in this post.

Most native LOLBIN-ish downloaders are already known (certutil, BITS, etc.).

I thought it could be an interesting idea to explore the large world of signed binaries that are not native to the OS, with the intention of using them to communicate with the external world.

Being signed makes them attractive. Being marked as ‘green’ by VirusTotal makes them super-attractive because they are legitimate. For the purpose of the trick working they only need to fulfill one (or two?) requirement(s) – they need to download stuff without interaction and immediately execute it. With that in mind I started combing my ‘good files’ repo and quickly found a few candidates.

Immediately after start they kick off a GET request:

… and once the bin file is downloaded, it’s executed.

There are lots of signed samples like this available.

The last bit to make it work is ‘instrumentation’ of the DNS lookups. This is where the hosts file modification can come in handy. And of course, a more complex and clandestine approach would be to reverse engineer the RPC calls to directly modify entries inside the DNS cache (the ones ipconfig.exe retrieves via the DnsGetCacheDataTableEx API).

Once the DNS lookups are in place, the downloader will reach out to an attacker-controlled IP where it can download stuff from (this may require some additional setup to handle the paths passed to the server, and maybe HTTPS, if necessary).

Misre-presentation host

February 8, 2021 in Living off the land, LOLBins

PresentationHost.exe is a known LOLBIN so I approached it with caution.

To my surprise, I discovered that it accepts a number of command line arguments:

  • Embedding – running as a server (?)
  • Debug – enables debugging (see next point)
  • DebugSecurityZoneURL – specifies the XBAP URL used for debugging as per this old article
  • Event – ?
  • LaunchApplication – launches a ClickOnce application
  • RegServer – registers the server
  • UnregServer – unregisters the server

Apart from DebugSecurityZoneURL, which may be useful in some scenarios, my attention focused on LaunchApplication. Not because it can launch a ClickOnce application, but because it… launches iexplore.exe if it cannot find anything to launch.

And as it turns out, it relies on an environment variable value while resolving the path to iexplore.exe. In certain configurations (32-bit presentationhost.exe executed in a 64-bit environment) it allows us to launch an application of our choice. That is, a new LOLBIN is born.

If we fake the value of ProgramW6432

set ProgramW6432=c:\test

and then launch

c:\windows\syswow64\PresentationHost.exe foo

It will attempt to launch Internet Explorer\IEXPLORE.EXE from the folder ProgramW6432 refers to, e.g. c:\test\Internet Explorer\IEXPLORE.EXE:
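From the detection side, the tell is a 32-bit PresentationHost.exe (SysWOW64) spawning an iexplore.exe that does not live in a real Internet Explorer folder. The following is an added example (not code from the post) that runs that check over constructed, Sysmon-style process-creation records; the ProcEvent record layout and the sample events are my own assumptions.

```python
import ntpath
from dataclasses import dataclass
from typing import List


@dataclass
class ProcEvent:
    """Minimal, hypothetical process-creation record (Sysmon Event ID 1 style)."""
    parent_image: str
    image: str


# Directories where a genuine iexplore.exe is expected on a 64-bit system.
LEGIT_IE_DIRS = {
    r"c:\program files\internet explorer",
    r"c:\program files (x86)\internet explorer",
}


def is_spoofed_ie_launch(ev: ProcEvent) -> bool:
    """True when 32-bit PresentationHost.exe launches an iexplore.exe from a
    folder outside the real IE directories, i.e. the path a spoofed
    ProgramW6432 value would resolve to (e.g. c:\\test\\Internet Explorer)."""
    parent = ev.parent_image.lower()
    child = ev.image.lower()
    if not parent.endswith(r"\syswow64\presentationhost.exe"):
        return False
    if ntpath.basename(child) != "iexplore.exe":
        return False
    return ntpath.dirname(child) not in LEGIT_IE_DIRS


def find_spoofed_ie_launches(events: List[ProcEvent]) -> List[str]:
    """Return the child image paths of every event that trips the check."""
    return [ev.image for ev in events if is_spoofed_ie_launch(ev)]


# Constructed sample telemetry: one benign fallback, one spoofed path, one unrelated.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\SysWOW64\PresentationHost.exe",
              r"C:\Program Files\Internet Explorer\IEXPLORE.EXE"),
    ProcEvent(r"C:\Windows\SysWOW64\PresentationHost.exe",
              r"C:\test\Internet Explorer\IEXPLORE.EXE"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\test\Internet Explorer\IEXPLORE.EXE"),
]

if __name__ == "__main__":
    for hit in find_spoofed_ie_launches(SAMPLE_EVENTS):
        print("suspicious PresentationHost child:", hit)
```

A 64-bit PresentationHost.exe parent is deliberately not matched, since the post ties the behaviour to the 32-bit binary under SysWOW64.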

As a side note, I am providing a copy of the article I referred to just in case it disappears from the web. archive.org: