Attackers may need to download some tools to perform different actions on victim machine. Mostly, these can be some tools to help scan networks to move laterally, or make the attacker permanent on the victim machine. Whatever itself, there are many ways to do it and all of them are very easy to perform.
Here, my victim machine is a Windows 10 client, and I assume that we already exploited the victim’s machine and have a reverse connection. Now, I will create a web server on the attacker machine, so I can download from my web server in victim’s machine. (These works will be a demo for T1105)
Then I copied putty.exe to transfer to the victim. I am checking whether the web server is working or not;
Ingress File Transfer with Powershell
The first way to transfer file we try is powershell. Let’s execute the command below in our C&C terminal to download putty.exe in the victim’s machine and check the file;
“iwr” in the command stands for Invoke-Web Request which is a command in MS Powershell utility. Used to send HTTP and HTTPS request to a web page or a web service.
Ingress File Transfer with Certutil
Certutil.exe is a native Windows binary that is part of the certificate services. You can use certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains (Src: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil).
Attackers uses certutil.exe as a memory-only downloader via built-in -ping argument (Founded by researcher Casey Smith (@SubTee)).
Let’s type the command on C&C connection in the victim’s machine;
This command will download putty.exe that we located in our web server at the beginning.
IoC for Detecting Downloading via Certutil
Everyone can create their own IoC to detect this method, according to their own structure. This IoC looks for -ping and -urlcache arguments in certutil.exe (Src: fireeye.com).
| THIS | ||
| process | equal | certutil.exe |
| AND | ||
| processCmdLine | contains | http: |
| AND | ||
| processCmdLine | contains | -urlcache |
| AND | ||
| processCmdLine | matches | (weather\.gov|http://localhost/|noaa\.gov|\.crl) |
Ingress File Transfer with wget
wget is a package supports downloading files via HTTP, HTTPS, FTP and FTPS. It can be used easily in scripts since it has a nonn-interactive structure. With using C&C connection, let’s run the command below on the victim’s machine;
