Migrate Process

Description

Injects a specter into the specified process.

Overview

This script injects a specter into another running process using standard Windows APIs for the purpose of defense evasion or privilege escalation. The target process can be specified by either PID or name. If migrating by name, the first matching process will be injected, and all remaining processes will be ignored. The architecture of the shellcode will be selected based on the bitness of the target process (i.e. if the target process is 32-bit, then the shellcode selected will be x86). After successful injection, there will be two total sessions, one in the source process and one in the target process.

Arguments

Process (string)
  The name or PID of the target process to inject Specter shellcode. If using a process name, the first matching instance will be injected with a Specter while any remaining matches will be ignored.

Technique (string)
  Specifies the process injection method to use for execution in the target process.

Techniques

Classic
  Description: This is the standard OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread injection method.
  Employment Considerations: It is heavily signaturized, but reliable. It is relatively easily detected by EDR and is logged by Sysmon event ID 8.

SuspendInjectResume
  Description: This method is also referred to as thread hijacking. It works by injecting shellcode into the target process using the standard OpenProcess, VirtualAllocEx, and WriteProcessMemory, but uses a combination of SuspendThread, GetThreadContext, SetThreadContext, and ResumeThread to modify the instruction pointer of the target thread to the shellcode we inject.
  Employment Considerations: This method is not guaranteed to work. It depends upon finding a thread that can be hijacked. Ultimately, we must find a thread that is either executing or in an alertable wait state, which may not always be the case. This method will attempt to find a suitable thread, but will time out after 30 seconds if unsuccessful. No shellcode will be injected until a suitable thread is suspended.

QueueUserAPC
  Description: This method injects an asynchronous procedure call into the APC queue of a target process to execute the shellcode injected with OpenProcess, VirtualAllocEx, and WriteProcessMemory. The thread will then execute that call when it is popped off of the APC queue.
  Employment Considerations: This technique is also not reliable. It depends upon being able to find a thread that is in an alertable state. It is challenging to determine whether or not a thread will ever end up pulling from the APC queue.
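The Classic technique is noted above as being logged by Sysmon event ID 8 (CreateRemoteThread). As an added example, not part of the Specter documentation or project, the following Python triage routine scores such records from the defender's side. The field names (SourceImage, SourceProcessId, TargetImage, TargetProcessId, StartAddress, StartModule, StartFunction) are those of Sysmon's event ID 8 schema; the flattened key=value record format and the sample events are constructed for this example, reusing only the PID and PowerShell path from the example output further down the page.

```python
# Added example (not Specter project code): triage of Sysmon Event ID 8
# CreateRemoteThread records. The "|"-separated key=value layout is a
# constructed flattening of the event, not Sysmon's native XML.
from dataclasses import dataclass


@dataclass
class RemoteThreadEvent:
    source_image: str
    source_pid: int
    target_image: str
    target_pid: int
    start_address: str
    start_module: str    # empty when the start address is not backed by a loaded module
    start_function: str


def parse_event(line: str) -> RemoteThreadEvent:
    """Parse one constructed 'Key=Value|Key=Value' record into an event."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return RemoteThreadEvent(
        source_image=fields["SourceImage"],
        source_pid=int(fields["SourceProcessId"]),
        target_image=fields["TargetImage"],
        target_pid=int(fields["TargetProcessId"]),
        start_address=fields["StartAddress"],
        start_module=fields.get("StartModule", ""),
        start_function=fields.get("StartFunction", ""),
    )


def classify(ev: RemoteThreadEvent) -> str:
    """Return 'alert', 'review' or 'benign' for a single CreateRemoteThread event."""
    if ev.source_pid == ev.target_pid:
        return "benign"   # not a cross-process thread creation
    if ev.start_module == "":
        # Thread entry point is in memory that no loaded module backs; this is
        # what a VirtualAllocEx/WriteProcessMemory/CreateRemoteThread shellcode
        # injection looks like in telemetry.
        return "alert"
    if ev.start_function.lower() in ("loadlibrarya", "loadlibraryw"):
        # Remote thread whose entry is LoadLibrary: the classic DLL-injection
        # shape. Some legitimate tooling does this, so mark for review.
        return "review"
    return "benign"


def triage(lines) -> dict:
    """Group the target PIDs of the given records by verdict."""
    verdicts = {"alert": [], "review": [], "benign": []}
    for line in lines:
        ev = parse_event(line)
        verdicts[classify(ev)].append(ev.target_pid)
    return verdicts


# Constructed sample events (hostname, paths, PIDs and addresses are made up
# apart from PID 1632 and the PowerShell path taken from the page's example).
SAMPLE_EVENTS = [
    r"SourceImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|SourceProcessId=1632"
    r"|TargetImage=C:\Windows\explorer.exe|TargetProcessId=4412"
    r"|StartAddress=0x000001F2A3B40000|StartModule=|StartFunction=",
    r"SourceImage=C:\Program Files\ExampleVendor\agent.exe|SourceProcessId=900"
    r"|TargetImage=C:\Windows\System32\notepad.exe|TargetProcessId=2200"
    r"|StartAddress=0x00007FFE12345678|StartModule=C:\Windows\System32\KERNEL32.DLL"
    r"|StartFunction=LoadLibraryW",
    r"SourceImage=C:\Windows\System32\svchost.exe|SourceProcessId=700"
    r"|TargetImage=C:\Windows\System32\svchost.exe|TargetProcessId=1800"
    r"|StartAddress=0x00007FFE0ABC1234|StartModule=C:\Windows\System32\ntdll.dll"
    r"|StartFunction=RtlUserThreadStart",
]


if __name__ == "__main__":
    for verdict, pids in triage(SAMPLE_EVENTS).items():
        print(f"{verdict:7s} -> target PIDs {pids}")
```

The "empty StartModule" heuristic is the usual first cut for this event, but it is noisy on hosts running JIT-compiled workloads (for example .NET), whose threads can legitimately start in unbacked memory; correlate with the source image and, for the Classic technique above, with the preceding cross-process memory write rather than alerting on this field alone.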

Dependencies

  • Lateral

Limitations

  • Cannot inject from a 32-bit process to a 64-bit process.

Example Text Output

Example of successful injection.

PID       : 1632
Username  : DESKTOP-LMCH70V\helpdesk
Path      : C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Build     : https
Technique : Classic