Version 4.4.0: GPO Module and More SpecterScripts

Overview

The purpose of this release was to deliver two new modules for post-exploitation activity and to provide options for impairing defenses such as AV, EDR, and monitoring tools. These are important tactics to be able to emulate when assessing the security posture of a network. If an adversary can simply disable your tools when they land on a box, or block their ability to report out, that is a significant problem that needs to be identified and fixed. The new GPO module provides capabilities for lateral movement, persistence, and suppression of AV/EDR. It provides powerful features that take a complicated attack vector, such as lateral movement via GPO, and boil it down to a single button.

Features

  • Common Module:
    • Suspend-AllThreads cmdlet that can be used to disable system monitoring tools.
    • Suspend-Process cmdlet that can be used to disable system monitoring tools.
  • Firewall Module: This is a new module that can be loaded into a SpecterInsight implant to enable manipulation of the Windows Firewall.
    • FwRule-New creates a new local Windows Firewall rule.
    • FwRule-Remove removes a local Windows Firewall rule.
  • GPO Module: This is a new module that can be loaded into a SpecterInsight implant to enable creation and manipulation of Group Policy Objects for persistence, defense evasion, EDR suppression, and lateral movement.
    • Gpo-NewSession creates a new session with the specified domain or domain controller to enable remote modification of Active Directory and Group Policy.
    • Gpo-New cmdlet creates a new Group Policy Object on the target domain or domain controller.
    • Gpo-Get cmdlet retrieves Group Policy Objects from the domain using the specified filter.
    • Gpo-Remove cmdlet removes a Group Policy Object from the domain.
    • Gpo-IncrementVersion increments the policy version number so that it is re-applied to all linked systems.
    • Ad-GetDomain retrieves the root domain active directory entry.
    • Ad-GetDomainComputer retrieves the specified active directory computer entry.
    • Ad-GetDomainUser retrieves the specified active directory user entry.
    • Ou-New cmdlet creates a new Organizational Unit in the domain.
    • Ou-Get retrieves an Organizational Unit using the specified filter.
    • Ou-Remove removes an Organizational Unit using the specified filter.
    • Ou-MoveTo moves an Active Directory object to the specified Organizational Unit.
    • Ou-GetParent gets the parent of the current Active Directory object.
    • GpLink-Add links a Group Policy Object to an Organizational Unit and enforces it so any settings are applied downstream.
    • GpLink-Get gets a list of all Group Policy Objects assigned to an Organizational Unit.
    • GpLink-Remove removes a Group Policy Object from an Organizational Unit so that the settings are no longer applied.
    • Gpo-SecurityFilterAdd adds a security filter to the specified Group Policy Object so that it only applies to the specified user or computer.
    • Gpo-SecurityFilterGet lists security filters applied to the specified Group Policy Object.
    • Gpo-SecurityFilterRemove removes the specified security filter from the specified Group Policy Object.
    • Gpo-FwRuleAdd adds a firewall rule to the policy.
    • Gpo-ImmediateTaskAdd adds an immediate scheduled task to the specified Group Policy Object.
  • SpecterScripts:
    • Suspend All Threads. This script can be used to disable system monitoring tools.
    • Suspend Process. This script can be used to disable system monitoring tools.
    • Lateral Movement with Group Policy Objects (GPO). This script can be used to deliver targeted obfuscated payloads via scheduled tasks deployed with Group Policy Objects. Security filters can be used to target specific computers within the domain.
    • Firewall Rule with Group Policy Object (GPO). This script can be used to deploy Windows Firewall rules to domain-connected systems via a Group Policy Object. Security filters can be used to target specific computers in the domain.
    • AV/EDR Silencer via Windows Firewall. This script identifies AV/EDR processes and applies Windows Firewall rules blocking all network traffic to and from those processes. The targeted processes are reported to the operator.
    • New Firewall Rule creates a new firewall rule based on operator provided inputs.
    • Remove Firewall Rule deletes local firewall rules.
  • Bugs:
    • Fixed bug where certain AMSI bypass techniques were not being properly obfuscated, resulting in antivirus detections.
    • Fixed bug where the Hardware Breakpoint AMSI bypass would not compile with Add-Type because it was using C# features that were too new.
    • Fixed bug with the PowerShell string obfuscation technique "encode json", which failed on PowerShell 2.0 systems.
    • Improved defense evasion techniques in PowerShell payloads to avoid detection.
    • Fixed bug with Get-Screenshot where, in some cases, screenshots could not be captured.
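The two impairment techniques this release packages up, block rules that pin the Windows Firewall to a security product's executable and immediate scheduled tasks pushed through Group Policy Preferences, both leave artifacts a defender can enumerate directly. The PowerShell below is an added audit example written for this page; it is not SpecterInsight code and not part of the release. It assumes the built-in NetSecurity cmdlets (Get-NetFirewallRule, Get-NetFirewallApplicationFilter) for the local check, a readable SYSVOL share at the standard path for the domain check, and the path fragments in $SecurityProductPaths are illustrative placeholders to be replaced with the install paths of the products actually deployed.

```powershell
# Added example (not part of SpecterInsight or this release): defender-side audit for
#   1. enabled Windows Firewall Block rules scoped to security-product binaries
#   2. Group Policy Preference "immediate" scheduled tasks staged in SYSVOL
# Assumption: $SecurityProductPaths is illustrative; list the install-path fragments of your own AV/EDR/monitoring agents.
$SecurityProductPaths = @('Windows Defender', 'Sysmon')

function Find-SecurityProductBlockRules {
    param([string[]]$PathPatterns = $SecurityProductPaths)
    # Only enabled Block rules matter; join each to its application filter, which carries
    # the program path the rule is scoped to. A Block rule pinned to an agent binary in
    # either direction is the artifact the "silencer" technique leaves behind.
    Get-NetFirewallRule -Action Block -Enabled True | ForEach-Object {
        $rule    = $_
        $program = ($rule | Get-NetFirewallApplicationFilter).Program
        if ($program -and $program -ne 'Any') {
            foreach ($pattern in $PathPatterns) {
                if ($program -like "*$pattern*") {
                    [pscustomobject]@{
                        Name      = $rule.DisplayName
                        Direction = $rule.Direction
                        Profile   = $rule.Profile
                        Program   = $program
                        Matched   = $pattern
                    }
                    break
                }
            }
        }
    }
}

function Find-GpoImmediateTasks {
    param(
        # Assumption: SYSVOL at the standard UNC path for the current domain; override for another domain.
        [string]$SysvolPolicies = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
    )
    # GPP scheduled tasks are stored per policy GUID under
    # {GUID}\Machine|User\Preferences\ScheduledTasks\ScheduledTasks.xml
    Get-ChildItem -Path $SysvolPolicies -Recurse -Filter 'ScheduledTasks.xml' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_.FullName
        try { [xml]$doc = Get-Content -Path $file -Raw } catch { return }
        # ImmediateTaskV2 items run once as soon as the policy applies, which is what makes
        # them a one-shot execution vehicle. The element sits outside the task XML namespace,
        # so a plain XPath works; the inner Task body is walked by property access instead.
        foreach ($task in $doc.SelectNodes('//ImmediateTaskV2')) {
            $exec = $task.Properties.Task.Actions.Exec
            [pscustomobject]@{
                PolicyGuid = ($file -split '\\')[-5]   # ...\Policies\{GUID}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml
                Scope      = ($file -split '\\')[-4]   # Machine or User
                TaskName   = $task.name
                RunAs      = $task.Properties.runAs
                Command    = $exec.Command
                Arguments  = $exec.Arguments
                Changed    = $task.changed
                File       = $file
            }
        }
    }
}

# Usage: the firewall check runs on the host being inspected; the SYSVOL check needs a domain account.
Find-SecurityProductBlockRules | Format-Table -AutoSize
Find-GpoImmediateTasks | Format-Table -AutoSize
```

Both functions emit objects rather than text so the output can be exported or compared against a baseline; an immediate task whose Command points at a script host with an encoded argument, or a Block rule whose Program is an agent path, is what to escalate on. The SYSVOL scan sees only what is on disk, so it will also catch tasks in policies that are not yet linked or are security-filtered to a single host.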