Hello, welcome to the Friday, May 11th, 2018 edition of the Sandcent Storms, Stormcast.

My name is Johannes Ulrich and I am recording from Indianapolis, Indiana.

Just this week again when I'm teaching intrusion detection, I always demonstrate how easy it is to exfiltrate data with DNS using simple bash scripts.

Now in Windows, that's not quite as easy, but Boyan has an interesting script that he

posted today that allows the exfiltration of data using just standard Windows commands and only the standard Windows shell.

So no fancy PowerShell for this particular script.

One problem, for example, you have to solve is to convert binary files into something

that can be converted into a DNS host name.

Now in Unix, I always use the handy tool XXD to accomplish that in Windows,

Boyan here is using SERTutil.

Sertutil has the interesting feature where it can base 64 in code data, which gets you close enough to something that can then easily be exfiltrated via DNS.

So a neat little trick for the pen testers.

Now, from a defensive point of view, what I always recommend is to look at the volume of DNS queries. In particular,

these more isolated hosts tend to issue less DNS queries than your average hosts, so you

should be able to see anomalous spikes in activity. And criminals apparently have managed to

create a copycat application for the very popular

Bitcoin wallet Electrum. Now, Electrum is usually distributed at Electrum.org. And the Copycat

Wallet Electrum Pro, as it calls itself, can be found at Electrum.com.

Now, creating yet another Bitcoin wallet isn't really the problem here.

The problem is that the fake version of this wallet does exfiltrate the seat that's being

used to create the user's private key.

And with that, the people behind this fake wallet will be able

...