Alternative Ways To Perform Basic Tasks

Published: 2021-05-06
Last Updated: 2021-05-06 05:58:30 UTC
by Xavier Mertens (Version: 1)
0 comment(s)

I like to spot techniques used by malware developers to perform basic tasks. We know the lolbins[1], pre-installed tools that can be abused to perform malicious activities. Many lolbins are used, for example, to download some content from the Internet. Some tools are so powerful that they can also be used to perform unexpected tasks. I found an interesting blog article[2] describing how to use curl to copy files!

C:\Users\REM> curl file://c:\test\test.txt -o newfile.txt

Do you want another example? Some tools can be diverted from their regular use like ping.exe:

C:\Users\REM\Desktop>ping -n 5 127.0.0.1

This command will send five ICMP Echo Request packets at an interval of one second, so it will complete after approximately five seconds. Using ping.exe is not very discreet because a new process will be launched and can be spotted by a tool like Sysmon. Do you know a lot of non-tech people who use ping on their corporate computer?
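As an added example (not from the diary, and not code from any tool it names), here is how a defender can turn the two tricks above into detection logic over Sysmon-style process-creation records: curl.exe invoked with a file:// URL is flagged as a local file copy, and ping.exe is split into the loopback-with-count form (roughly a count-second delay, no network test) and a ping of an external host (a name-resolution and connectivity check). The record field names and sample command lines are constructed assumptions; the Windows ping default of four echo requests is real.

```python
SAMPLE_EVENTS = [  # constructed Sysmon-style (Event ID 1) records, not real logs
    {"Image": r"C:\Windows\System32\curl.exe", "CommandLine": r"curl file://c:\test\test.txt -o newfile.txt"},
    {"Image": r"C:\Windows\System32\PING.EXE", "CommandLine": "ping -n 5 127.0.0.1"},
    {"Image": r"C:\Windows\System32\curl.exe", "CommandLine": "curl https://example.invalid/ -o page.html"},
    {"Image": r"C:\Windows\System32\PING.EXE", "CommandLine": "ping -w 1000 updates.example.invalid -n 2"},
]
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
PING_VALUE_OPTS = {"-n", "-l", "-i", "-v", "-w", "-r", "-s", "-j", "-k", "-p", "-c"}  # options that take a value

def image_name(path):
    # Basename of an Image path, lower-cased so PING.EXE and ping.exe compare equal.
    return path.rsplit("\\", 1)[-1].lower()

def parse_ping(argv):
    # Return (count, target) for a Windows ping command line; count defaults to 4.
    count, target, i = 4, "", 1
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("-"):
            if tok.lower() == "-n" and i + 1 < len(argv) and argv[i + 1].isdigit():
                count = int(argv[i + 1])
            if tok.lower() in PING_VALUE_OPTS:
                i += 1  # skip the option's value so it is not taken as the target
        else:
            target = tok
        i += 1
    return count, target

def analyze_event(ev):
    # Classify one process-creation record; returns a finding dict or None.
    name, argv = image_name(ev["Image"]), ev["CommandLine"].split()
    if name == "curl.exe":
        # A file:// URL makes curl read a local file; with -o it acts as a copy tool.
        local = [a for a in argv[1:] if a.lower().startswith("file://")]
        return {"rule": "curl-file-copy", "source": local[0][7:]} if local else None
    if name == "ping.exe":
        count, target = parse_ping(argv)
        if target.lower() in LOOPBACK:
            # One echo request per second: roughly a count-second delay, not a network test.
            return {"rule": "ping-loopback-delay", "delay_seconds": count}
        return {"rule": "ping-connectivity-check", "target": target}
    return None

def scan_events(events):
    # Run analyze_event over all records and keep the hits.
    return [f for f in (analyze_event(e) for e in events) if f]
```

Feed it the Image and CommandLine fields of your own Sysmon events; the plain curl download in the sample produces no hit, which is the intended behaviour.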

But ping.exe can be very useful for malware to detect if the computer can resolve hostnames and has Internet connectivity. Instead of using the ping command, you can use PowerShell to achieve this:

Yesterday, I found a malicious PowerShell script that uses another technique that I had never seen before. This time, the technique is based on a WMI query!

Conclusion: Keep in mind that attackers can use multiple techniques to perform simple tasks and defeat your detection rules and/or controls.

If you have already met other techniques, please share!

[1] https://lolbas-project.github.io
[2] https://www.hexacorn.com/blog/2021/05/02/curo-bin/

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant