Description
Injects a specter into the specified process using direct system calls.
Overview
This script injects a specter into another running process using direct system calls, typically for defense evasion or privilege escalation. The target process can be specified by either PID or name. If injecting by name, the first matching process will be injected and all remaining matches will be ignored. The architecture of the shellcode is selected based on the bitness of the target process (i.e. if the target process is 32-bit, x86 shellcode is used). After successful injection there will be two sessions in total, one in the source process and one in the target process.
Arguments
| Parameter | Type | Description |
|---|---|---|
| Process | string | The name or PID of the target process to inject Specter shellcode. If using a process name, the first matching instance will be injected with a Specter while any remaining matches will be ignored. |
| Technique | string | Specifies the process injection method to use for execution in the target process. |
Techniques
| Technique | Description | Employment Considerations |
|---|---|---|
| Classic | This is the standard OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread injection method. It is heavily signatured but reliable. | Relatively easily detected by EDR, and the CreateRemoteThread call into the target is logged by Sysmon as event ID 8 (CreateRemoteThread). |
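The Employment Considerations column points at Sysmon event ID 8 (CreateRemoteThread) as the place the Classic technique shows up. The following Python triage script is an added example, not part of this tool or its documentation: it parses Sysmon event XML and flags event ID 8 records whose new thread starts at an address with no backing module (what shellcode placed with WriteProcessMemory looks like to Sysmon) or whose source image is a scripting host such as powershell.exe. The two event records are constructed sample data, and the `SUSPICIOUS_SOURCES` list is an assumption to tune per environment.

```python
"""Triage Sysmon Event ID 8 (CreateRemoteThread) records for Classic injection.

Added example, not part of the tool. Input is constructed sample telemetry.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Sysmon writes its events in the Windows event XML namespace.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumed list of hosts from which a remote thread into another process is
# rarely legitimate; tune this to the environment.
SUSPICIOUS_SOURCES = {
    "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "winword.exe", "excel.exe",
}

# Constructed sample records (not real telemetry). The first mirrors what the
# Classic technique leaves behind: powershell.exe starts a thread in
# explorer.exe at an address with no backing module. The second is benign
# csrss.exe activity whose thread start lives inside ntdll.dll.
SAMPLE_EVENTS = r"""<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event>
  <System><EventID>8</EventID></System>
  <EventData>
    <Data Name="SourceProcessId">1632</Data>
    <Data Name="SourceImage">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="TargetProcessId">4112</Data>
    <Data Name="TargetImage">C:\Windows\explorer.exe</Data>
    <Data Name="NewThreadId">5120</Data>
    <Data Name="StartAddress">0x000001F2A3C40000</Data>
    <Data Name="StartModule"></Data>
    <Data Name="StartFunction"></Data>
  </EventData>
</Event>
<Event>
  <System><EventID>8</EventID></System>
  <EventData>
    <Data Name="SourceProcessId">612</Data>
    <Data Name="SourceImage">C:\Windows\System32\csrss.exe</Data>
    <Data Name="TargetProcessId">7788</Data>
    <Data Name="TargetImage">C:\Windows\System32\notepad.exe</Data>
    <Data Name="NewThreadId">7792</Data>
    <Data Name="StartAddress">0x00007FFB1C2D0A80</Data>
    <Data Name="StartModule">C:\Windows\System32\ntdll.dll</Data>
    <Data Name="StartFunction">RtlUserThreadStart</Data>
  </EventData>
</Event>
</Events>"""


@dataclass
class Finding:
    source_pid: int
    source_image: str
    target_pid: int
    target_image: str
    start_address: str
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def _event_data(event) -> dict:
    """Flatten <EventData><Data Name=...> children into a dict."""
    return {d.get("Name"): (d.text or "").strip()
            for d in event.findall("e:EventData/e:Data", NS)}


def triage_event8(xml_text: str) -> list:
    """Return a Finding for each Event ID 8 record with at least one red flag."""
    findings = []
    for event in ET.fromstring(xml_text).findall("e:Event", NS):
        eid = event.find("e:System/e:EventID", NS)
        if eid is None or (eid.text or "").strip() != "8":
            continue
        d = _event_data(event)
        reasons = []
        # Shellcode copied in with WriteProcessMemory has no backing image, so
        # Sysmon cannot resolve StartModule/StartFunction for the new thread.
        if not d.get("StartModule"):
            reasons.append("thread start address not backed by a loaded module")
        source_name = d.get("SourceImage", "").rsplit("\\", 1)[-1].lower()
        if source_name in SUSPICIOUS_SOURCES:
            reasons.append(f"remote thread created by {source_name}")
        if reasons:
            findings.append(Finding(
                source_pid=int(d.get("SourceProcessId", 0)),
                source_image=d.get("SourceImage", ""),
                target_pid=int(d.get("TargetProcessId", 0)),
                target_image=d.get("TargetImage", ""),
                start_address=d.get("StartAddress", ""),
                reasons=reasons,
            ))
    return findings


if __name__ == "__main__":
    for f in triage_event8(SAMPLE_EVENTS):
        print(f"[score {f.score}] {f.source_image} ({f.source_pid}) -> "
              f"{f.target_image} ({f.target_pid}) @ {f.start_address}")
        for r in f.reasons:
            print(f"    - {r}")
```

On the sample data only the powershell.exe to explorer.exe record is reported, with both reasons; the csrss.exe record has a resolvable StartModule and is left alone. The unbacked-start-address check is the one that matters for the Classic technique, since it does not depend on which host process launched the injection.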
Dependencies
- Direct
Limitations
- Cannot inject from a 32-bit process to a 64-bit process.
Example Text Output
Example of successful injection.
```
PID       : 1632
Username  : DESKTOP-LMCH70V\helpdesk
Path      : C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Build     : https
Technique : Classic
```
