Version 4.1.0: UI Improvements and More Payloads

Overview

The purpose of this release is to deliver a much requested UI feature and significant improvements to our payload pipeline capabilities, which enabled the creation of four new Payload Pipelines. There are now pipelines that generate unique, obfuscated, and detection-resistant payloads for LNK files, MSBuild XML files, and InstallUtil.exe compatible executables.

Features

  • UI
    • Added tabs to the InteractiveSession window so that you can C2 multiple implants.
    • Increased the size of the Command History panel in the Interactive Session window.
  • Payload Pipelines
    • Added a Windows Shell Binary Format file (LNK) pipeline that runs an embedded PowerShell cradle.
    • Added a Windows Shell Binary Format file (LNK) pipeline that embeds any operator specified command into the LNK file.
    • Added a Microsoft HTML Application Payload Pipeline that will run an embedded PowerShell cradle.
    • Added a Payload Pipeline to generate an MSBuild project XML file that runs a dynamically generated and obfuscated C# payload.
    • Added Get-WindowsLink cmdlet that can now be called in operator defined Payload Pipelines.
    • Renamed Bypass-CsAmsi to Add-CsAmsiBypass.
    • Added an option to Add-CsAmsiBypass to specify the method into which the bypass method call is inserted.
    • Added the Hardware Breakpoint LdrLoadDll AMSI bypass to the Add-CsAmsiBypass cmdlet and associated pipelines.
  • SpecterInsight Implant:
    • Added Get-Hash cmdlet to generate MD5, SHA1, or SHA256 hashes of strings or byte[] data. The purpose of this command is to support hashing of files for logging and IOCs for the blue team.
  • SpecterScripts:
    • Added Persistence via Startup Folder script that supports a variety of payloads.
    • Modified all persistence mechanisms that drop a payload to compute and log the SHA256 hash of the payload. This helps teams track and identify red team artifacts.
  • Bugs:
    • Fixed a bug where Payload Pipelines were no longer converting strings to objects automatically after the latest PowerShell version update. I personally feel that this is a PowerShell bug, not a SpecterInsight bug… but I fixed it nonetheless.
    • Fixed a bug where the command history did not update when changing the history size.

Screenshots

Manage Multiple Implants with the Interactive Session Window

Operators can now quickly and easily manage multiple interactive sessions at the same time using tabs at the top of the window.

RuntimeInstaller Payload Pipeline

This new pipeline generates an obfuscated, detection-resistant .NET executable that can be run by InstallUtil.exe to bypass or evade defenses. Once launched, it downloads and runs the specified .NET module. This can be either a SpecterInsight pipeline or a .NET module hosted at the operator-provided URL.

Threat actors leverage InstallUtil.exe, a legitimate .NET Framework utility, as a Living-Off-The-Land Binary (LOLBin) to execute malicious payloads. InstallUtil.exe is used to install and uninstall server resources by executing the installation logic defined in the Install method of a .NET assembly. Malicious actors misuse this functionality to execute arbitrary code during the installation process.
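As an added defender's example (not part of the SpecterInsight release or its code), the following Python scores constructed Sysmon-style process-creation events for the InstallUtil.exe abuse pattern described above: the uninstall switch, suppressed installer logging, and an assembly loaded from a user-writable path. The field names, scoring weights and sample events are assumptions made for the example.

```python
import re

# Match the image name only; InstallUtil.exe lives under the .NET Framework directories.
INSTALLUTIL_RE = re.compile(r"(?:^|\\)installutil\.exe$", re.IGNORECASE)
# An assembly in a user-writable location is the strongest signal of misuse.
USER_WRITABLE_RE = re.compile(r"\\(?:Users\\[^\\]+\\(?:AppData|Downloads|Desktop)|Windows\\Temp|ProgramData)\\", re.I)
TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # keeps quoted paths as one token

def tokenize(cmdline):
    """Split a Windows command line, stripping the quotes around paths."""
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]

def score_installutil_event(event):
    """Score one process-creation event (dict with 'Image' and 'CommandLine').
    Returns (score, reasons); 0 means not InstallUtil or nothing unusual."""
    if not INSTALLUTIL_RE.search(event["Image"]):
        return 0, []
    args = tokenize(event["CommandLine"])[1:]  # drop argv[0]
    flags = {a.lower() for a in args if a.startswith("/")}
    score, reasons = 0, []
    if "/u" in flags or "/uninstall" in flags:
        score += 2
        reasons.append("uninstall switch (the common LOLBin invocation pattern)")
    if "/logfile=" in flags and "/logtoconsole=false" in flags:
        score += 2
        reasons.append("installer logging suppressed")
    for asm in (a for a in args if not a.startswith("/")):
        if USER_WRITABLE_RE.search(asm):
            score += 3
            reasons.append("assembly loaded from user-writable path: " + asm)
    return score, reasons

def triage(events, threshold=3):
    """Return events scoring at or above the threshold, highest score first."""
    scored = [(score_installutil_event(e), e["CommandLine"]) for e in events]
    return sorted(
        [{"CommandLine": c, "score": s, "reasons": r} for (s, r), c in scored if s >= threshold],
        key=lambda h: h["score"], reverse=True)

# Constructed sample events with Sysmon Event ID 1 style field names, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",  # routine service install
     "CommandLine": r'InstallUtil.exe "C:\Program Files\Contoso\ContosoSvc.exe"'},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",  # LOLBin pattern
     "CommandLine": r"InstallUtil.exe /logfile= /LogToConsole=false /U C:\Users\bob\AppData\Local\Temp\upd.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt"},  # unrelated
]
```

Run against real telemetry, the threshold and the user-writable path list should be tuned to the environment, since developers legitimately run InstallUtil.exe from build output directories.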

We assessed this new pipeline against VirusTotal and were able to evade detection by most endpoint scanners, with a total detection rate of 7 of 72 or 9.7%, which isn’t too bad for a repeatable process since each new payload will be significantly different from previously generated payloads.

LNK File Payload Pipeline with Embedded Command

This pipeline embeds the specified command inside a Windows Shell Binary Format (.LNK) file. When the LNK file is launched (either via double-clicking on the icon or through some other mechanism such as Startup Folder persistence), the operator-provided command will be executed.

LNK File Payload Pipeline with Embedded PowerShell Cradle Command

This pipeline generates a staged PowerShell cradle command using the specified parameters and embeds that command inside a Windows Shell Binary Format (.LNK) file. When the LNK file is launched (either via double-clicking on the icon or through some other mechanism such as Startup Folder persistence), the internal PowerShell command will be run.
