Version 4.3.0: SpecterScripts, Payload Pipelines, and new AMSI Bypass

Summary

The purpose of this release was to continue improving the payload pipeline obfuscation features, add a new AMSI bypass technique to the kit, and publish a few new SpecterScripts.

Features

  • SpecterScripts:
    • Get Installed Software. Retrieves a list of installed software via WMI either locally or remotely.
    • Modified Get Antivirus Info to work locally or remotely.
    • Lateral Movement with WinRM with integrated AMSI bypass and two sub-techniques.
      • ps_cradle: deploys a PowerShell cradle that loads a SpecterInsight implant.
      • cs_load_module: deploys a .NET loader as an argument to the WinRM command which reflectively loads a SpecterInsight implant.
    • Get User Logons script to pull user logon events from the Windows Event log either locally or remotely. This uses the SpecterInsight high-performance log reader.
    • Get User Logon Statistics pulls summary information about user logons and the logon type. This is useful for identification and targeting of users within the environment.
  • Payload Pipelines:
    • cs_amsi_bypass: customizable pipeline that generates an obfuscated, compiled .NET executable that executes the specified AMSI bypass.
    • cs_amsi_bypass_code: customizable pipeline that generates the C# source code for various AMSI bypass techniques that includes the obfuscation.
    • cs_load_module: customizable pipeline that generates a .NET module that will load a SpecterInsight implant.
    • cs_shellcode_loader: customizable pipeline that generates an obfuscated, compiled .NET executable with integrated AMSI bypass that will download and inject shellcode into the current process.
    • Get-CsAmsiBypass cmdlet to generate C# code for the specified AMSI bypass.
    • Get-TemporaryFile cmdlet secures a temporary file for use during the execution of a Payload Pipeline.
    • Integrated a new AMSI bypass technique that uses hardware breakpoints to catch all calls to AmsiScanBuffer. The bypass then sets the return value to AMSI_RESULT_NOT_DETECTED and sets RIP to the return address, so no buffer is ever passed on to the installed AV. This technique is not mitigated by Windows Defender.
  • Bug Fixes:
    • Fixed bug where thread lock would occur due to too small of a thread pool.
    • Fixed bug in UI string[] input parsing where quoted strings were incorrectly split.
    • Fixed bug in HardwareBreakpointLdrLoadDll C# AMSI bypass.
    • Fixed bug in Obfuscate-CsMethodNames where arguments to the nameof operator fail to be obfuscated.
    • Fixed bug in Obfuscate-CsClassNames where it would fail to obfuscate struct names.
    • Fixed bug in Payload Pipeline arguments where old parameters were incorrectly cached, preventing the operator from changing them.
    • Fixed bug in Obfuscate-CsMethods where generic method calls were not renamed.
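Because the hardware-breakpoint AMSI bypass listed under Payload Pipelines leaves the debug registers of the hooked thread set, a defender can look for it by reading each thread's CONTEXT and checking DR7. The following script is an added, defender-side example written for these notes; it is not SpecterInsight code and detects nothing specific to this product. It assumes the x64 CONTEXT layout (ContextFlags at 0x30, DR0-DR3 from 0x48, DR7 at 0x70, 1232 bytes, 16-byte aligned), a 64-bit PowerShell host, and that the caller can open the target's threads (SeDebugPrivilege for processes owned by other users). The function name Find-HardwareBreakpoint and the HwBp.Native wrapper are names chosen for this example.

```powershell
# Added example (not SpecterInsight code): list enabled hardware breakpoints in a
# process's threads and flag any whose address lies inside amsi.dll.
Add-Type -Namespace HwBp -Name Native -MemberDefinition @"
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenThread(uint dwDesiredAccess, bool bInheritHandle, uint dwThreadId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint SuspendThread(IntPtr hThread);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint ResumeThread(IntPtr hThread);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetThreadContext(IntPtr hThread, IntPtr lpContext);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
"@

function Find-HardwareBreakpoint {
    param([Parameter(Mandatory)][int]$ProcessId)

    if (-not [Environment]::Is64BitProcess) { throw 'Run from 64-bit PowerShell (x64 CONTEXT layout assumed).' }
    if ($ProcessId -eq $PID) { throw 'Suspending our own threads would deadlock; pick another process.' }

    # THREAD_SUSPEND_RESUME | THREAD_GET_CONTEXT | THREAD_QUERY_INFORMATION
    $threadAccess = 0x0002 -bor 0x0008 -bor 0x0040
    $contextDebugRegisters = 0x00100010      # CONTEXT_AMD64 | CONTEXT_DEBUG_REGISTERS
    $contextSize = 1232                      # sizeof(CONTEXT) on x64 (assumed layout)
    $offFlags = 0x30; $offDr0 = 0x48; $offDr7 = 0x70

    $proc = Get-Process -Id $ProcessId
    $amsi = $null
    try { $amsi = $proc.Modules | Where-Object { $_.ModuleName -ieq 'amsi.dll' } }
    catch { Write-Warning "Could not enumerate modules of PID $ProcessId; amsi.dll range unknown." }

    # CONTEXT must be 16-byte aligned: over-allocate and round the pointer up.
    $raw = [Runtime.InteropServices.Marshal]::AllocHGlobal($contextSize + 16)
    $ctx = [IntPtr](([long]$raw + 15) -band (-bnot 15))
    $zeros = [byte[]]::new($contextSize)
    try {
        foreach ($t in $proc.Threads) {
            $h = [HwBp.Native]::OpenThread($threadAccess, $false, [uint32]$t.Id)
            if ($h -eq [IntPtr]::Zero) { Write-Warning "Thread $($t.Id): OpenThread failed"; continue }
            try {
                # GetThreadContext is only reliable on a suspended thread.
                if ([HwBp.Native]::SuspendThread($h) -eq [uint32]::MaxValue) { continue }
                try {
                    [Runtime.InteropServices.Marshal]::Copy($zeros, 0, $ctx, $contextSize)
                    [Runtime.InteropServices.Marshal]::WriteInt32($ctx, $offFlags, $contextDebugRegisters)
                    if (-not [HwBp.Native]::GetThreadContext($h, $ctx)) { continue }
                    $dr7 = [Runtime.InteropServices.Marshal]::ReadInt64($ctx, $offDr7)
                    for ($i = 0; $i -lt 4; $i++) {
                        # DR7 bits L_i (2i) and G_i (2i+1) enable breakpoint i.
                        if (($dr7 -band (3 -shl (2 * $i))) -eq 0) { continue }
                        $addr = [Runtime.InteropServices.Marshal]::ReadInt64($ctx, $offDr0 + 8 * $i)
                        $inAmsi = $false
                        if ($amsi) {
                            $base = [long]$amsi.BaseAddress
                            $inAmsi = ($addr -ge $base) -and ($addr -lt ($base + $amsi.ModuleMemorySize))
                        }
                        [pscustomobject]@{
                            ThreadId  = $t.Id
                            Register  = "DR$i"
                            Address   = ('0x{0:X16}' -f $addr)
                            InAmsiDll = $inAmsi
                        }
                    }
                } finally { [void][HwBp.Native]::ResumeThread($h) }
            } finally { [void][HwBp.Native]::CloseHandle($h) }
        }
    } finally { [Runtime.InteropServices.Marshal]::FreeHGlobal($raw) }
}

# Usage: scan a PowerShell host and show only breakpoints inside amsi.dll.
# Find-HardwareBreakpoint -ProcessId 1234 | Where-Object InAmsiDll
```

A normal process reports no rows, since debug registers are otherwise only set by an attached debugger. Any thread with a breakpoint inside amsi.dll warrants investigation, and a breakpoint anywhere in a process that is not being debugged is itself unusual. The scan briefly suspends every thread of the target, so it is a triage tool for a lab or an incident, not something to run continuously against production processes; production coverage belongs to an EDR that inspects thread contexts from the kernel.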