Version 3.0.0: Payload Pipelines

Summary

The purpose of this version is to provide a mechanism for users to build pipelines to generate unique, obfuscated .NET and PowerShell payloads that can bypass endpoint defense products to gain execution. SpecterInsight has been internally using custom-made libraries for .NET and PowerShell obfuscation for payload generation, but we wanted to open that functionality up to the operator so that they can generate payloads for SpecterInsight or for any other C2 product. Operators should be able to insert their own custom .NET loader and leverage SpecterInsight obfuscation techniques to create a pipeline that generates a unique obfuscated binary every single time the pipeline is run.

Release Notes

Features

  • Feature: Payload Pipelines
    • Replaced the old payload system with Payload Pipelines. All SpecterInsight payloads now run internal Payload Pipelines.
    • Payload Pipelines: These are PowerShell scripts defined by the operator that run on the server and generate obfuscated .NET or PowerShell payloads. This allows operators to write a new dropper, loader, or cradle and obfuscate it in such a way that endpoint protection software won’t detect and quarantine it.
    • C# Obfuscation Commands:
      • Get-CsShellcodeInjector: Generates C# code to inject shellcode.
      • Get-CsLoadModule: Generates C# code to reflectively load and execute an embedded .NET module.
      • Get-CsLoadModuleFromURL: Generates C# code to reflectively load and execute a .NET module downloaded from the specified URL.
      • Get-CsPwshScriptLoader: Generates C# code to execute a PowerShell script internally.
      • Obfuscate-CsVariables: Takes in C# code and randomizes variable names.
      • Obfuscate-CsClassNames: Takes in C# code and randomizes class names and namespaces.
      • Obfuscate-CsStrings: Takes in C# code and obfuscates strings with a variety of techniques.
      • Obfuscate-CsByteArrays: Takes in C# code and obfuscates byte arrays that are commonly signaturized (e.g. shellcode or assembly instructions for an API call hook).
      • Add-AmsiBypass: Inserts an AMSI bypass into the provided shellcode.
      • Compile-CSharp: Takes in C# code and compiles .NET executables or .NET DLLs compatible with .NET 2.0+, .NET 4.8+, and Native AOT.
    • PowerShell Obfuscation Commands:
      • Get-PwshScriptLoader: Generates a PowerShell script to run another PowerShell script.
      • Get-PwshLoadModuleFromURL: Generates a PowerShell script to reflectively load and execute a .NET module downloaded from the specified URL.
      • Obfuscate-PwshVariables: Takes in a PowerShell script and randomizes variable names.
      • Obfuscate-PwshStrings: Takes in a PowerShell script and obfuscates strings contained in the script.
      • Out-PwshCommand: Takes in a PowerShell script and generates a command to run the script.
    • Payload Pipeline arguments that enable pipelines to be called with operator-defined input.
    • Payload Pipeline Editor:
      • Define payload pipelines using PowerShell scripts.
      • Standard fields: Name, description, documentation, type, output format, etc.
      • Create, update, and delete payload pipelines.
      • GUI for testing payload pipelines.
    • Obfuscation Improvements
      • C# Base64 string obfuscation now adds randomization to mitigate detection techniques that can see through the Base64 encoding.
      • C# BinaryWriter string obfuscation now adds randomization to mitigate detection techniques.
      • Improved C# AMSI bypasses to mitigate detection signatures.
    • New Payload Pipelines
      • ps_amsi_byass: Generates an obfuscated PowerShell AMSI bypass.
      • ps_generic_dotnet_stager: Generates an obfuscated PowerShell script to load and run a .NET module from a user-specified URL.
      • ps_generic_stager: Generates an obfuscated PowerShell script to load and run a PowerShell script from a user-specified URL.
      • ps_generic_stager_command: Generates a Windows command to download and run a PowerShell stager from a user-specified URL.
      • cs_generic_dotnet_stager: Generates a .NET module to download and run a .NET module from a user-specified URL.
  • Feature: SpecterScripts
    • Improved Persistence via New Local Administrator Commandline script by enabling remote access.
  • Feature: Specter Commands
    • Get-Payload command that can be executed within any running Specter to activate a payload pipeline on the server and retrieve the results. This can be used to generate new payloads to embed within a SpecterScript.
    • New Cmdlets
      • Get-RegKeyValue cmdlet to query remote registry key values.
      • Set-RegKeyValue cmdlet to set remote registry key values.
      • Remove-RegKeyValue cmdlet to remove remote registry key values.

Bug Fixes

  • Fixed issue where .NET pretty formatting was tanking performance.
  • Fixed variable name obfuscation issue where parameter variables in anonymous functions were replaced in the body, but not in the function definition.
  • Fixed bug in PowerShell reverse string obfuscation where the output string did not properly escape single quote characters.
  • Fixed bug in PowerShell member to string conversion where some outputs were not PowerShell 2.0 compatible.
  • Fixed bug in Lateral Movement with WMI and PowerShell Cradle via API where the process ID of the new process was incorrectly reported.
  • Fixed bug in PowerShell Profile persistence mechanism to ensure the script execution policy allows the running of scripts.
  • Fixed bug where the NativeAOT compiler would not run on Kali Linux.
  • Fixed bug where SpecterInsight.Server.Host would not start unless it was at least four folders deep in the file structure (voted #1 most ridiculous bug fixed this release).
  • Fixed bug where the Lateral Movement with Scheduled Tasks and PowerShell Cradle API SpecterScript would generate two callbacks.
  • Fixed bug where the Set-ExpirationDate command did not update the Interactive Session UI.
  • Fixed bug in the PowerShell Function obfuscation method where nested calls would cause an out-of-bounds exception.
  • Fixed multiple bugs where string and alias obfuscation would not work when executing ScriptBlocks remotely or with Start-Job.
  • Fixed bug in multiple .NET payloads where a secure SSL/TLS session could not be established due to policy conflict.

Screenshots

Define Pipelines for Payload Generation

Payload Pipelines allow operators to define scripts for generating new payloads. These scripts are then hosted by the SpecterInsight C2 server and run whenever requested to generate new, obfuscated payloads on demand.

The screenshot to the right shows the Payload Pipeline editor window which can be used to create, test, and run Payload Pipelines.

The payload pipeline script in the top editor is a PowerShell script that generates new payloads when executed. This particular script generates new Anti-Malware Scan Interface (AMSI) bypasses by randomly selecting one of the AMSI bypass techniques and then obfuscating it with built-in obfuscation cmdlets. The end result is an obfuscated AMSI bypass in the lower editor window.

Built-in Obfuscation Tools for C# and PowerShell

SpecterInsight now provides built-in C# and PowerShell obfuscation techniques out-of-the-box that can be used to develop your own payload pipelines.

A list of provided obfuscation commands can be viewed in the Payload Pipeline Editor. Selecting each one will show a description, documentation, parameter sets, and examples of how to use them.

You can combine these with your own C# or PowerShell payloads to emulate a variety of obfuscation techniques to test your security tools and network defenders.

Define Parameters for Your Payload Pipelines

You can create custom parameter sets for your payload pipelines by defining parameter blocks at the top of the script. These parameter blocks get rendered into UI controls for easy use by operators.

Additionally, you can provide parameters to your payload pipelines whenever you generate them. This can be done via HTTP/S request or using the Get-Payload cmdlet within the SpecterInsight implant.

Compile and Download C#/.NET Payloads

SpecterInsight provides you with options for creating payload pipelines to obfuscate and compile C# to .NET executables and modules. Once you’ve generated a new payload, a download button appears, allowing you to retrieve your newly created payload.

There are two primary compilation options for C# code:

  1. .NET Framework: This method compiles your C# payload source code to .NET Framework 2.0+ or 4.0+ and is compatible with .NET Framework, .NET Core, and .NET 5 and beyond.
  2. Native Ahead-of-Time (AOT): This method compiles your C# payload source code to native binaries that can be extremely small. We’ve spent a lot of time optimizing this compilation method to generate payloads that are only a few hundred kilobytes in size!

Currently, SpecterInsight supports targeting two .NET Framework versions:

  1. .NET 2.0+: This Framework Version is compatible with operating systems all the way back to stock versions of Windows Vista. These programs are also forward compatible with all subsequent versions of .NET.
  2. .NET 4.0+: This Framework Version comes with a lot of really nice features that make payload development a bit easier, but this version will generate executables that only run if .NET 4.0 or later is installed, so it won’t work on older systems.

Built-in Payload Pipelines

SpecterInsight provides several built-in payload pipelines to get you started. You can view the payload pipelines from the Payload Pipeline tab in the main menu. From there you can create, edit, enable/disable, delete, export, and import your payload pipelines.

Generate New Payloads for Lateral Movement and Persistence from the Implant

You can activate your payload pipelines by issuing the Get-Payload cmdlet to an active Specter implant. The implant will reach back to the C2 server, activate the pipeline, and pull down a fresh payload.

This can be combined with SpecterScripts for reliable payload generation for lateral movement or persistence.