ps_sct_file

Description

Generates an SCT scriptlet file that embeds an obfuscated PowerShell command produced by the ps_command pipeline.

Overview

Generates a COM scriptlet (.sct) file whose script section invokes an obfuscated PowerShell command produced by the ps_command pipeline.

Requirements

TLS certificate required for HTTPS listeners. The embedded PowerShell command downloads the implant from the SpecterInsight listener at runtime. regsvr32 executes the scriptlet in a constrained .NET environment where the default ScriptBlock cert bypass may fail. Use a valid, CA-signed TLS certificate on your HTTPS listener, or set CertificateValidationTechnique = None when using an HTTP listener.

Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| DownloadTechnique | PowerShellDLECradleTechnique | Cradle download technique. Values: NewWebRequest, DownloadString, MsxmlHttpRequest, WinHttpRequest, Random. Default: Random. |
| LaunchTechnique | PowerShellDLELauncherTechniqueType | Script launch technique. Values: InvokeExpression, PipeInvokeExpression, ScriptBlockInvoke, PowerShellInvoke, Random. Default: Random. |
| CertificateValidationTechnique | PwshCertificateValidationTechnique | SSL/TLS cert bypass technique. Values: None, ScriptBlock, AddType, Random. Default: ScriptBlock. |
| MemberExpressionTechnique | PwshInvokeMemberTechnique | Member expression obfuscation technique. Values: Invoke, CodeMethod. Default: Invoke. |
| StringsTechnique | PwshStringObfuscationTechnique | String obfuscation technique. Values: Random, Base64, Concat, Escape, Format, Reverse, Shuffle, Delta, Interleave, Otp, Substitution, Xor, Preferred. Default: Preferred. |
| Technique | PowerShellLauncherTechnique | Launcher technique. Values: Command, EncodedCommand. Default: EncodedCommand. |
| WindowStyle | ProcessWindowStyle | Window style. Default: Hidden. |
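
Detection view of the behaviour described above (regsvr32 running a scriptlet that launches PowerShell, by default with EncodedCommand and a Hidden window), as an added example that is not SpecterInsight code. It assumes the scriptlet starts PowerShell as a child process of regsvr32.exe; the event field names and the sample events are constructed.

```python
from pathlib import PureWindowsPath

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed process-creation events; field names are assumptions
# modelled on a typical EDR or Sysmon Event ID 1 export.
EVENTS = [
    {"parent": r"C:\Windows\System32\regsvr32.exe", "image": PS,
     "cmdline": "powershell.exe -w hidden -enc <BASE64-PLACEHOLDER>"},
    {"parent": r"C:\Windows\System32\regsvr32.exe", "image": PS,
     "cmdline": "powershell.exe -WindowStyle Hidden -Command <PLACEHOLDER>"},
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\backup.ps1"},
    {"parent": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Windows\System32\example.dll"},
]

def basename(path):
    return PureWindowsPath(path).name.lower()

def is_flag(token, full_name, aliases=()):
    """True if token is full_name or a prefix of it (powershell.exe accepts
    abbreviated parameter names such as -enc or -w)."""
    if len(token) < 2 or token[0] not in "-/":
        return False
    name = token[1:].lower()
    return full_name.startswith(name) or name in aliases

def score_event(ev):
    """Return findings for one event; an empty list means not flagged."""
    if basename(ev["parent"]) != "regsvr32.exe":
        return []
    if basename(ev["image"]) not in ("powershell.exe", "pwsh.exe"):
        return []
    findings = ["regsvr32 spawned PowerShell"]  # lineage alone is the alert
    tokens = ev["cmdline"].split()
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1].lower() if i + 1 < len(tokens) else ""
        if is_flag(tok, "encodedcommand", aliases=("ec",)):
            findings.append("encoded command")
        elif is_flag(tok, "windowstyle") and nxt == "hidden":
            findings.append("hidden window")
    return findings

if __name__ == "__main__":
    for ev in EVENTS:
        print(basename(ev["image"]), "<-", basename(ev["parent"]), score_event(ev))
```

The parent/child relationship is the primary signal because the Technique parameter can also be set to Command; the flag checks only add context for triage.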