Description
Creates a Group Policy Object to run an ImmediateTask on the target system.
Overview
This SpecterScript automates the deployment of a Group Policy Object (GPO) that creates a Windows Firewall rule specified by the operator. The rule can be used to allow remote command and control traffic or to stop host defenses from communicating. A common way of using this script is to deploy a firewall rule that blocks event reporting from AV/EDR solutions before throwing a payload on the target system.
The operator can optionally configure a Security Filter to limit which users or systems the policy is applied to. For example, to target WKST-001.lab.net and have the firewall rule apply only to that system, supply that hostname as the ComputerFilter argument.
Parameters
| Name | Type | Description |
|---|---|---|
| Username | string | The username for authentication. |
| Password | string | The password for authentication. |
| Domain | string | The domain to connect to. |
| DomainController | string | The domain controller to connect to. |
| PolicyName | string | The name of the GPO to create. |
| ComputerFilter | string | The hostname of the computer to apply the GPO to. Example: 'WKST-001' or 'WKST-001.lab.net' |
| Name | string | The name of the rule. |
| Description | string | The description of the rule. |
| ExecutablePath | string | The full path to the executable or the name of a process (e.g. 'test.exe'). |
| Protocol | string | The protocol for the rule. NOTE: Must be 'TCP' or 'UDP' to enable port filters. Allowed values: 'Any', 'IPv4', 'TCP', 'UDP'. |
| Direction | string | The direction the firewall rule applies. Allowed values: 'In', 'Out', 'Both'. |
| Action | string | The action to take on matching traffic. Allowed values: 'Allow', 'Block'. |
| LocalPorts | string[] | Comma-separated list of local ports (source for outbound or destination for inbound rules). Example: '80, 135-139' |
| RemotePorts | string[] | Comma-separated list of remote ports (destination for outbound or source for inbound rules). Example: '80, 135-139' |
| LocalAddresses | string[] | Comma-separated list of local addresses (source for outbound or destination for inbound). Example: '192.168.1.5', '192.168.10.20-192.168.10.30', '192.168.25.0/24' |
| RemoteAddresses | string[] | Comma-separated list of remote addresses (destination for outbound or source for inbound). Example: '192.168.1.5', '192.168.10.20-192.168.10.30', '192.168.25.0/24' |
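Policy-deployed rules of the kind this script creates end up as pipe-delimited `Key=Value` strings under the policy `FirewallRules` registry key on each affected host, which is where a defender can audit them. The following is an added example, not part of this script or the SpecterOps project: it parses rule strings in that format (constructed samples are embedded) and flags active outbound Block rules that pin a watched security-agent executable or are not scoped to any application at all; the executable names and paths are assumptions for illustration.

```python
# Audit helper for Windows Firewall rule strings as stored by policy, e.g.
# "v2.31|Action=Block|Active=TRUE|Dir=Out|Protocol=6|RPort=443|App=...|Name=...|".
# Constructed sample values; the EDR path and executable name are hypothetical.
SAMPLE_RULES = [
    "v2.31|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=3389|Name=RDP|",
    "v2.31|Action=Block|Active=TRUE|Dir=Out|Protocol=6|RPort=443"
    "|App=C:\\Program Files\\ExampleEDR\\sensor.exe|Name=Telemetry|",
    "v2.31|Action=Block|Active=TRUE|Dir=Out|Protocol=17|RPort=514|RA4=10.0.0.0/8|Name=Syslog|",
    "v2.31|Action=Block|Active=FALSE|Dir=Out|App=C:\\tools\\test.exe|Name=Disabled|",
]

PROTOCOL_NAMES = {"6": "TCP", "17": "UDP"}  # IANA protocol numbers used in the rule strings


def parse_rule(raw: str) -> dict:
    """Split one rule string into a dict of lists (keys such as RPort may repeat).
    The leading 'vX.Y' token is the rule format version and is stored under 'Version'."""
    parts = [p for p in raw.split("|") if p]
    rule = {"Version": parts[0]}
    for field in parts[1:]:
        key, _, value = field.partition("=")
        rule.setdefault(key, []).append(value)
    return rule


def _first(rule: dict, key: str, default: str = "") -> str:
    return rule.get(key, [default])[0]


def flag_suspicious_blocks(raw_rules, watched_exes):
    """Return (rule name, reason) for each active outbound Block rule that either
    targets a watched executable or is not scoped to an application (a broad block
    that can silently cut off agent telemetry)."""
    watched = {w.lower() for w in watched_exes}
    hits = []
    for raw in raw_rules:
        rule = parse_rule(raw)
        if _first(rule, "Action").lower() != "block":
            continue
        if _first(rule, "Active", "TRUE").upper() != "TRUE":
            continue  # disabled rules are noted elsewhere, not flagged here
        if _first(rule, "Dir").lower() != "out":
            continue
        name = _first(rule, "Name", "<unnamed>")
        app = _first(rule, "App")
        if app:
            exe = app.rsplit("\\", 1)[-1].lower()
            if exe in watched:
                hits.append((name, f"blocks outbound traffic from watched executable {exe}"))
        else:
            proto = PROTOCOL_NAMES.get(_first(rule, "Protocol"), "any")
            port = _first(rule, "RPort", "any")
            hits.append((name, f"outbound block not scoped to an application ({proto}, remote port {port})"))
    return hits


if __name__ == "__main__":
    for rule_name, reason in flag_suspicious_blocks(SAMPLE_RULES, {"sensor.exe"}):
        print(f"{rule_name}: {reason}")
```

In practice the input would be the values collected from the `FirewallRules` policy key on a host, or the `registry.pol` of a newly created GPO, rather than the embedded samples.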
