Overview
SpecterScripts are a powerful tool for automating tedious red teaming tasks. Essentially, SpecterScripts are PowerShell scripts stored on the C2 server that operators can reference in interactive sessions with the SpecterInsight implant. For example, there is a SpecterScript that automates a port scan of the local network. The operator simply selects the SpecterScript and clicks the “Run in Background” button to task the implant.
Built-in SpecterScripts
The list below contains links to the documentation for all of the built-in SpecterScripts:
- AS-REP Roasting (Invoke-RubeusAsreproast)
- AV/EDR Silencer via Firewall Rule
- Background Screenshots
- Block All EDR Processes via WFP and Report Status
- Block All Running EDR Processes via WFP
- Block Process Outbound Traffic via WFP
- Certificate Enrollment (Invoke-RubeusCertenroll)
- Change Callback Interval
- Change Expiration Date
- Change Password via Kerberos (Invoke-RubeusChangepw)
- Clear Windows Event Logs via PowerShell
- Clear Windows Event Logs with Wevtutil
- Compute Kerberos Hashes (Invoke-RubeusHash)
- Convert AS-REP to Kirbi (Invoke-RubeusASREP2Kirbi)
- Create /netonly Process (Invoke-RubeusCreatenetonly)
- Create Firewall Rule
- Create Firewall Rule with Group Policy Object (GPO)
- Create Netsh Port Proxy via Commandline
- Current LUID (Invoke-RubeusCurrentluid)
- Describe Ticket (Invoke-RubeusDescribe)
- Diamond Ticket (Invoke-RubeusDiamond)
- Disable Remote Desktop Protocol (RDP) via API
- Dump Tickets (Invoke-RubeusDump)
- Dump User Hashes
- Dump User Hashes Remotely
- Enable Remote Desktop Services (RDP) via API
- Enumerate Services and ACLs
- Exfiltrate File
- Exfiltrate Files
- Find Credential Files
- Find Password Files
- Find Unsecure Password Files
- Forge Golden Ticket (Invoke-RubeusGolden)
- Forge Silver Ticket (Invoke-RubeusSilver)
- Get Active WFP Block Rules
- Get All Open Connections via Commandline
- Get Antivirus Information
- Get ARP Entries
- Get Autologin Credentials
- Get Captured Keys
- Get Computers and IP Addresses in Active Directory
- Get Computers in Active Directory
- Get Connected Networks via API
- Get Credentials From Event Log
- Get Current Process Information
- Get Detailed Process Information
- Get DNS Cache via Commandline
- Get Domain Users via Commandline
- Get Event Log Subscriptions
- Get Firewall Profiles
- Get Group Policy Objects
- Get Host File Entries
- Get Installed Software
- Get Interfaces via API
- Get Local Group Information via API
- Get Local TCP Listeners
- Get Local Users via API
- Get Logon History
- Get Logon Statistics
- Get Most Recently Modified Microsoft Office Files
- Get Netsh Port Proxy via Commandline
- Get Network Interface Profiles
- Get Privilege Escalation Vulnerabilities
- Get Profile Image Paths
- Get Recycle Bin Contents
- Get Scheduled Callbacks
- Get Screenshot
- Get Services
- Get SMB Security Settings
- Get SMB Shares
- Get Startup Commands
- Get Stored Passwords From the Windows Credential Manager
- Get System
- Get System Info via API
- Get System Info via Commandline
- Get System Route Table
- Get TCP Connections via API
- Get TCP Redirectors via API
- Get Tokens
- Get TraceRoute via API
- Get USB History
- Get WiFi Passwords Commandline
- Get Windows Defender Alerts
- Get Windows Interfaces via Commandline
- Ghost Task
- gMSA Password (Invoke-RubeusGmsapassword)
- Harvest TGTs (Invoke-RubeusHarvest)
- Increment Group Policy Object (GPO) Version
- Inject Shellcode
- Invoke Shadow Extract
- Kerberoasting (Invoke-RubeusKerberoast)
- Kerberos Brute Force (Invoke-RubeusBrute)
- Keylogger Background Exfil
- Kirbi Ticket Manipulation (Invoke-RubeusKirbi)
- Lateral Movement Using Service Control Manager and Custom Binary (PSExec)
- Lateral Movement Using Service Control Manager and PowerShell Cradle (PSExec)
- Lateral Movement with Group Policy Object (GPO)
- Lateral Movement with PowerShell Profiles
- Lateral Movement with Scheduled Tasks and PowerShell Cradle API
- Lateral Movement with Scheduled Tasks and PowerShell Cradle Commandline
- Lateral Movement with WinRM
- Lateral Movement with WMI and PowerShell Cradle via API
- Lateral Movement with WMI and PowerShell Cradle via Commandline
- List Files via API
- List Tickets (Invoke-RubeusKlist)
- Logon Session Info (Invoke-RubeusLogonsession)
- Migrate Process
- Migrate Process with Direct Syscalls
- Monitor TGTs (Invoke-RubeusMonitor)
- Pass the Ticket (Invoke-RubeusPtt)
- Password Spray (LDAP)
- Pause Callbacks
- Persistence Using Service Control Manager and Obfuscated Service Binary
- Persistence via New Local Administrator Commandline
- Persistence via Obfuscated Binary and Scheduled Task Commandline
- Persistence via Runkeys and Obfuscated Payload
- Persistence with PowerShell Profile and PowerShell Cradle
- Persistence with Startup Folder
- Ping Sweep Network
- Port Scan Local Network
- Port Scan Target System
- Pre-Auth Scan (Invoke-RubeusPreauthscan)
- Purge Tickets (Invoke-RubeusPurge)
- Ransomware Simulation
- Remote Command using WMI via Commandline
- Remote Command via WMI
- Remove All WFP Block Rules
- Remove Firewall Rule
- Remove Group Policy Object (GPO)
- Remove WFP Filter by ID
- Renew TGT (Invoke-RubeusRenew)
- Request Service Ticket (Invoke-RubeusAsktgs)
- Request TGT (Invoke-RubeusAsktgt)
- Request TGT with FAST (Invoke-RubeusAsktgtfast)
- Resolve Domain Names (DNS)
- Restart Computer
- Run In-Memory PE (Base64)
- Run Specter PowerShell Cradle as SYSTEM with Schtasks Commandline
- S4U Delegation Attack (Invoke-RubeusS4u)
- Schedule Callback
- Service Name Substitution (Invoke-RubeusTgssub)
- Shadow Credentials (Invoke-RubeusShadowcred)
- Shadow Dump
- Show Loaded Modules
- Smb Scan Local Network
- Smb Scan Target System
- Spawn Inject
- Start Keylogger
- Start Monitoring Windows Event Logs for Credentials
- Start Process with Token
- Start TCP Redirector via API
- Steal Token
- Stop Event Log Subscriptions
- Stop Keylogger
- Stop Netsh Portproxy via Commandline
- Stop Scheduled Callback
- Stop TCP Redirector via API
- Survey UAC Bypass Techniques
- Suspend All Threads
- Suspend Process
- System Persistence with Scheduled Task Commandline and PowerShell Cradle
- System Persistence with WMI Event Subscription and PowerShell Cradle
- Terminate Session
- Test WMI
- TGT Delegation Trick (Invoke-RubeusTgtdeleg)
- TimeStomp File or Folder
- Triage Tickets (Invoke-RubeusTriage)
- User Access Control (UAC) Bypass
- User Persistence with Scheduled Task Commandline and PowerShell Cradle
