You are browsing the archive for Living off the land.

Samir is my hero aka colab on browserexport

October 1, 2020 in Archaeology, Living off the land

Samir pinged me about his research into c:\Windows\System32\browserexport.exe, and after few back and forth we cracked some of the command line arguments this program accepts. I then promised Samir that I won’t publish a blog post about it. So this his me keeping my promise. Not.

Luckily to us, browserexport.exe is an easy read in Ida Pro. We also found good references to this .exe inside the btrowserbroker.dll file that helped us to guess what is required for the program invocation. After some quick code eyeballing we have extracted a number of interesting command line wannabe arguments:

  • ALL
  • COOKIES
  • FAVICONS
  • FORMDATA
  • HEURISTIC
  • HISTORY
  • LOGINS
  • LOWCOOKIES
  • SETTINGS

Analysis of code confirmed that the program requires at least 4 arguments so after some more digging we came up with command line arguments that actually worked:

browserexport.exe "" ie11 all foo4

where:

  • “” is a GUID which we don’t exactly know what it is, but it’s only used for exports from IE11; could be related to the GUID of the IE user profile (?),
  • IE11 is just one of the browsers supported by the tool; all the supported browsers are
    • CHROME
    • IE11
    • QIHOO360SE
    • QQBROWSER
  • all – one of the options listed above and below (we have not tried other options assuming that ALL means, well… all)
    • ALL
    • COOKIES
    • FAVICONS
    • FORMDATA
    • HEURISTIC
    • HISTORY
    • LOGINS
    • LOWCOOKIES
    • SETTINGS
  • foo4 — output file name

Have a go and run this command. You will be surprised how much data is saved to foo4. it’s a nice JSON file that includes something along these lines (and I don’t use IE11 too much):

{
"MigrationData": {
"browser": "IE11",
"history": [
{
"title": "…",
"url": "…",
"LastAccessed": …
},
{
"title": "….",
"url": "…",
"LastAccessed": …
},
],
"logins": [

],
"cookies": [
{
"name": "…",
"value": "…",
"domain": "…",
"path": "…",
"dwFlags": …,
"ftExpires": …,
"fExpiresSet": …
},
]
}
}

We feel that BrowserExport.exe is a close cousin of ExtExport.exe. In fact, both are referenced by btrowserbroker.dll. Neither of them can be considered a Lolbin, but then again.. that’s a lot of exportable value they both present w/o any effort from malware authors.

certutil – one more GUI lolbin

August 23, 2020 in LOLBins

Cerutil is a very complex tool and only careful review of all its options allows us to comprehend its rich functionality. Lots of its command line arguments are described online all over the place and as such, what I present below is not new. However, AFAICT it has not been covered in a context of lolbining and as such, perhaps deserves some attention.

Project LOLBAS describes at least two ways of downloading files via certutil. Here is the third one:

certutil -URL https://www.google.com

This will launch a GUI window for a program called URL Retrieval Tool:

Once you hit Retrieve button you will get the ‘Failed’ status, but… the file that URL points to will be now downloaded into %APPDATA%\..\LocalLow\Microsoft\CryptnetUrlCache\Content\<hash> file (thx to @OsandaMalith for pointing out a mistake in the path).