Description
Generates a Windows Shell Binary Format (.LNK) file that embeds an obfuscated PowerShell command produced by the ps_command pipeline.
Overview
This pipeline invokes the ps_command pipeline to generate a fully obfuscated PowerShell command and embeds it inside a Windows Shell Binary Format (.LNK) file. When the LNK file is launched, the embedded command runs PowerShell and loads the SpecterInsight payload into memory.
Parameters
| Parameter | Type | Description |
|---|---|---|
| UseCommandPrompt | boolean | If true, the command is executed via cmd.exe. Leave false and supply a full executable path when not using cmd.exe. |
| ShowCommand | Enum | Controls how the target window is displayed (e.g. SW_HIDE, SW_SHOWMINIMIZED, SW_SHOWMAXIMIZED). |
| DownloadTechnique | PowerShellDLECradleTechnique | Cradle download technique. Values: NewWebRequest, DownloadString, MsxmlHttpRequest, WinHttpRequest, Random. Default: Random. |
| LaunchTechnique | PowerShellDLELauncherTechniqueType | Script launch technique. Values: InvokeExpression, PipeInvokeExpression, ScriptBlockInvoke, PowerShellInvoke, Random. Default: Random. |
| CertificateValidationTechnique | PwshCertificateValidationTechnique | SSL/TLS cert bypass technique. Values: None, ScriptBlock, AddType, Random. Default: ScriptBlock. |
| MemberExpressionTechnique | PwshInvokeMemberTechnique | Member expression obfuscation technique. Values: Invoke, CodeMethod. Default: Invoke. |
| StringsTechnique | PwshStringObfuscationTechnique | String obfuscation technique. Values: Random, Base64, Concat, Escape, Format, Reverse, Shuffle, Delta, Interleave, Otp, Substitution, Xor, Preferred. Default: Preferred. |
| Technique | PowerShellLauncherTechnique | Launcher technique. Values: Command, EncodedCommand. Default: EncodedCommand. |
| WindowStyle | ProcessWindowStyle | Window style. Default: Hidden. |
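
For defenders triaging shortcuts of the kind this pipeline produces, the following added example (not SpecterInsight code) reads ShowCommand and the command-line arguments from raw .LNK bytes, following the Shell Link layout in MS-SHLLINK, and flags an encoded PowerShell command or a hidden or minimized window. The function names, the regex and the sample bytes are assumptions constructed for illustration.

```python
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
HAS_IDLIST, HAS_LINKINFO, HAS_ARGS, IS_UNICODE = 0x01, 0x02, 0x20, 0x80
STRING_BITS = (0x04, 0x08, 0x10, HAS_ARGS, 0x40)  # name, relpath, workdir, args, icon (file order)
SW_NAMES = {0: "SW_HIDE", 1: "SW_SHOWNORMAL", 2: "SW_SHOWMINIMIZED",
            3: "SW_SHOWMAXIMIZED", 7: "SW_SHOWMINNOACTIVE"}
ENCODED = re.compile(r"(?<![\w-])-e(c|n[a-z]*)?\s+[A-Za-z0-9+/=]{16,}", re.I)  # -e/-enc/... + base64 blob

def parse_lnk(data):
    """Return ShowCommand and COMMAND_LINE_ARGUMENTS from raw .LNK bytes."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, = struct.unpack_from("<I", data, 20)
    show, = struct.unpack_from("<I", data, 60)
    pos = 76
    if flags & HAS_IDLIST:    # 2-byte size, then the item ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:  # 4-byte size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    args = ""
    for bit in STRING_BITS:   # each present string: 2-byte char count + chars
        if flags & bit:
            count, = struct.unpack_from("<H", data, pos)
            raw = data[pos + 2:pos + 2 + count * width]
            pos += 2 + count * width
            if bit == HAS_ARGS:
                args = raw.decode(codec, "replace")
    return {"show_command": SW_NAMES.get(show, hex(show)), "arguments": args}

def triage(data):
    """List the traits this pipeline's parameters would leave in a shortcut."""
    info, findings = parse_lnk(data), []
    if info["show_command"] not in ("SW_SHOWNORMAL", "SW_SHOWMAXIMIZED"):
        findings.append("hidden or minimized window: " + info["show_command"])
    if re.search(r"powershell|pwsh", info["arguments"], re.I):
        findings.append("PowerShell invoked from arguments")
    if ENCODED.search(info["arguments"]):
        findings.append("encoded PowerShell command")
    return findings

def sample_lnk(show=7):
    """Constructed sample: header plus arguments only, no target, placeholder payload."""
    args = "-NoProfile -WindowStyle Hidden -EncodedCommand " + "QQBCAEMA" * 4
    header = struct.pack("<I16sII24sIIIHHII", 0x4C, LNK_CLSID, HAS_ARGS | IS_UNICODE,
                         0, b"\0" * 24, 0, 0, show, 0, 0, 0, 0)
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le")
```

Run `triage(open(path, "rb").read())` over collected .lnk files. The target executable sits in the skipped LinkTargetIDList and LinkInfo blocks, so a cmd.exe or powershell.exe target is not checked here.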
