Release Notes
Features
- Added support for dynamically generating operator command GUI’s by parsing SpecterScript parameter blocks.
- Parameter sets.
- Support for the following types:
- string
- bool
- int
- long
- float
- double
- TimeSpan
- DateTime
- Validation sets for enumerated values
- Validation patterns via regex
- Implant Build enumerated type
- Pass operator specified arguments to script on execution
- Three control types:
- TextBox
- ComboBox
- ToggleSwitch
- Added feature to enable or disable scripts so that disabled scripts do not show up as available in interactive sessions.
- Added Name and Description fields to all implant tasks.
- Added Name and Description fields to data augmentation pipeline for all task type records.
- Restructured SessonInfo panel to more efficiently utilize available space.
Updates
- Updated client UI to Avalonia 11.
Bug Fixes
- Fixed issue where selected an item in the ScriptSearcher resets the scroll to the top.
- Fixed bug where SpecterScript version can sometimes decrement instead of always incrementing.
- Fixed bug where the path history lookup throws an unhanded exception if the last folder path no longer exists.
- Fixed bug where Windows DLL payload could not be downloaded.
Screenshots and GIFs
SpecterScript Parameter Interface
With SpecterInsight 1.1.0, you can now define SpecterScript parameters in code that will be rendered in the CommandBuilder. this makes executing parameterized scripts more intuitive and gives an opportunity to perform input validation. Additionally, certain types of parameters can be auto filled by adding an additional Parameter Attribute.
In the example to the right, the TimeStomp SpecterScript defines five parameters and two parameter sets. The Path, Recurse, and Sync parameters are common across both parameter sets as annotated by the two Parameter attributes for each of those parameters.
The Source parameter is specific to the “Mirror” parameter set and specifies a path to a another file to mirror or copy timestamps from.
The Timestamp parameter is specific to the “Explicit” parameter set and specifies an exact DateTime to be applied to each of the specified files.
param(
[Parameter(Mandatory = $true, ParameterSetName = 'Mirror', HelpMessage = "A path to a file or directory to timestomp.")]
[Parameter(Mandatory = $true, ParameterSetName = 'Explicit', HelpMessage = "A path to a file or directory to timestomp.")]
[ValidateNotNullOrEmpty()]
[string]$Path,
[Parameter(Mandatory = $true, ParameterSetName = 'Mirror', HelpMessage = "Recursively timestomp all files and folders in the specified directory to include the top level directory.")]
[Parameter(Mandatory = $true, ParameterSetName = 'Explicit', HelpMessage = "Recursively timestomp all files and folders in the specified directory to include the top level directory.")]
[bool]$Recurse = $false,
[Parameter(Mandatory = $true, ParameterSetName = 'Mirror', HelpMessage = "Move the file to synchronize NTFS timestamps with our stomped value.")]
[Parameter(Mandatory = $true, ParameterSetName = 'Explicit', HelpMessage = "Move the file to synchronize NTFS timestamps with our stomped value.")]
[bool]$Sync = $false,
[Parameter(Mandatory = $true, ParameterSetName = 'Mirror', HelpMessage = "A file or directory whose timestamps will be copied to the target file.")]
[ValidateNotNullOrEmpty()]
[string]$Source = 'C:\Windows\explorer.exe',
[Parameter(Mandatory = $true, ParameterSetName = 'Explicit', HelpMessage = "The exact time to change to.")]
[DateTime]$Timestamp = [DateTime]::UtcNow
)
load common;
if(![string]::IsNullOrEmpty($Source)) {
timestomp $Path -Source $Source -Recurse:$Recurse -Sync:$Sync
} else {
timestomp $Path -TimeStamp $Timestamp -Recurse:$Recurse -Sync:$Sync
}Default Values
Default values for SpecterScripts can now be generated dynamically by specifying a PowerShell ScriptBlock as the default for a parameter. The SpecterInsight UI will execute that script to generate the default value. That value will then be used as the default in the UI control.
For example, the “Change Expiration Date” SpecterScript defines a single parameter where the default value will be 30 days from the current date, so every time an operator adds this script to the command builder, a new default date will be rendered that is 30 days out.
param(
[Parameter(Mandatory = $true, HelpMessage = "The new expiration date in UTC.")]
[DateTime]$ExpirationDate= [DateTime]::UtcNow.AddDays(30)
)
Set-ExpirationDate -Expiration $ExpirationDate
Get-ExpirationDate
SpecterScript Parameter Validation
SpecterInsight now supports parameter validation through one of four methods:
- ValidationSet: Validates that the user input is restricted to a specific list of acceptable values. This turns the parameter into a ComboBox containing only the enumerated values.
- ValidationPattern: Validates that the user input matches a particular regular expression. If you add 2 or more ValidationPattern attributes, then only one has to match to validate.
- ValidateNotNull: Validates that the user input is not null.
- ValidateNotNullOrEmpty: Validates that there is at least some amount of text (i.e. the TextBox can’t be empty).
The example to the right is the parameter block for the “Persistence with PowerShell Profile and PowerShell Cradle” SpecterScript. The Profile parameter is converted two a ComboBox in the UI with only “User” and “System” values available for operators to select. The second parameter, Build, has a “[Build]” attribute applied, so it will pull a list of all available implant builds and populate a ComboBox for operator selection. This ensures that only viable inputs are selectable by the operator.
param(
[Parameter(Mandatory = $true, HelpMessage = "The PowerShell profile type to use for persistence. The User profile will only run when PowerShell instances are created under the context of the current user.")]
[ValidateSet('User', 'System')]
[string]$Profile = 'User',
[Parameter(Mandatory = $true, HelpMessage = "The Specter build identifier.")]
[ValidateNotNullOrEmpty()]
[Build]
[string]$Build
)
SpecterScript Enable/Disable Toggle
SpecterScripts can now be configured to be enabled or disabled. This limits the search when conducting interactive operations through a deployed Specter. Potentially, there are scripts you may not want available during an operation, or perhaps a script is in draft or maybe that technique is barred due to rules of engagement.
