SpecterInsight

Specter Insight

ACHIEVE YOUR OBJECTIVES

Fast | Powerful | Easy to Use

“SpecterInsight streamlines our operations and makes challenging or tedious procedures repeatable and reliable.”

Components and Features

storage

C2 Server

The cross platform command and control server is written in .NET provides a multi-threaded web API for managing specters (implants), storing data in the database, performing data augmentation, and weaponizing payloads.

  • Multiplayer C2 server
  • Windows 10+ | Linux
  • Multiple listeners/protocols
  • Unique C2 profiles per implant build
  • Upload/store/create SSL/TLS certificates
  • LetsEncrypt support
  • Manages exfiltrated files
  • Updates product and SpecterScripts on demand
  • Obfuscation pipelines for generating detection resistant payloads
bug_report

Implants

The core implant is a .NET 2.0+ compatible binary containing a PowerShell 2.0+ compatible interpreter. Multiple droppers are provided to safely load the implant on target with a variety of defense evasion techniques.

  • Windows Vista+ | Linux
  • .NET 2.0+ | PowerShell 2.0+
  • Beaconing implant
  • HTTP/S
  • Commands output objects
  • Objects serialized over C2 channel
  • Enables easy data analysis
  • Asynchronous background commands
  • Simultaneous execution of commands
  • Upload/Download files
  • Tunnel over C2 connection
  • AMSI bypass
  • PowerShell logging suppression
  • Multiple process injection techniques
  • Multiple persistence techniques
  • Highly modular
  • Upload any .NET binary in memory
desktop_windows

GUI

SpecterInsight ships with a fully featured cross platform GUI built on AvaloniaUI and SignalR for real-time command and control. The UI provides a modern, clean interface for tasking implants and reviewing output in plain text, json, or tabular format.

  • Windows 10+ | Linux
  • HTTPS
  • Username/password authentication
  • Generate implants
  • Configure listeners
  • Manage certificates
  • LetsEncrypt support
  • Countdown to next callback per session
  • View command history/output
  • Supports text, json, and tabular formats
  • Realtime updates
  • Build SpecterScripts in PowerShell
  • Easily lookup scripts and documentation to insert into command window
  • View exfiltrated files
equalizer

Analysis

The core implant serializes output from commands to JSON and automatically performs data augmentation before shipping the data off to an ELK stack configured with pre-built dashboards for analysis.

  • Performs data augmentation
  • Adds GeoIP to command output
  • Collects events and command output
  • Ships to Elastic
  • Creates pre-built Kibana dashboards
  • Creates network graphs from host or network command output
  • Records all captured creds
  • Records all persistence laydowns
  • Tracks all lateral movement events
  • Provides uninstall script for each persistence technique
  • Maps events and commands to MITRE ATT&CK matrix

Key Features

Scripts

SpecterScripts are PowerShell scripts to command and control deployed specters. The implant provides built-in cmdlets for doing special actions like loading modules from the C2 server into memory, exfiltrating data, and changing the configuration of the specter.

Filtering

You can filter through scripts by category or contents to find the right technique quickly. The screenshot above demonstrates a filter for all PowerShell persistence techniques. Notice that all persistence install scripts output an uninstall command. Additionally, the installation is recorded in ELK for visualization so you never forget or lose your persistence during an engagement.

Editor 1

SpecterInsight also ships with an editor to write your own SpecterScripts. It comes with options for adding name, description, labels, and documentation in markdown.

Editor 2

SpecterScripts are written as though you were typing commands directly into a PowerShell terminal. No complex escaping required.

build

SpecterScripts

SpecterInsight ships with pre-built tactics, techniques, and procedures, for lateral movement, C2, discovery, reconnaissance, defense evasion, persistence, and exfiltration.

# Built-in Scripts

92

View All SpecterScripts

equalizer

Elasticsearch Integration

Output from specter implants is returned in a JSON format with fields and values. The output is augmented and shipped off to Elasticsearch. SpecterInsight ships with pre-built dashboards for operations, reconnaissance, and reporting.

# Pre-Built Dashboards

6

# Pre-Built Visualizations

32

Command and Control

This dashboard shows gives you a timeline of specterimplant events such as register, check-in, and post-results. Data is enriched with IP geolocation information so that your accesses can be visualized on a world map.

Network Discovery

This dashboard summarizes reconnaissance data collected from all of your deployed specters.

Persistence

This dashboard shows details about all of the persistence mechanisms dropped during the engagement. There are summary visualizations at the top that show the OS, method, and profile summary statistics. Then a data table lists every system persistence was established along with the type, trigger, and an uninstall script for easy removal.

Persistence Details

Never lose track of your persistence mechanisms. SpecterInsight records all of the details related to each unique persistence technique. In this case, it recorded the username and password created for persistence. Additionally, SpecterInsight generates an uninstall script that will remove the persistence and clean up any artifacts.

Infrastructure
Credentials
Sessions

The Sessions page lists key information about active or archived specter sessions. This includes host info such as machine id, hostname, domain, user, and architecture. Additionally, there is a countdown timer until the next callback so that you know exactly when the specter will check-in next.

Interactive

The interactive session window gives operators a rich interface for orchestrating a single specter session. The “Session Info” pane shows key host details and a check-in countdown. The “SpecterScripts” pane allows operators to lookup TTPs to execute and loads them into the “Command Editor” which sends commands to the specter. The “Command History” pane allows operators to browse all current and previous command output in text or JSON format. Additionally, command errors with detailed error messages and the original command itself can be viewed here.

keyboard

Clean User Interface

SpecterInsight delivers the richest, cleanest, and most intuitive interface for managing your implants. Command and Control has never been this easy.

  • Command output JSON view
  • Command output plaintext
  • Command history
  • Detailed error information
  • Countdown until the next check-in
  • TTP lookup and documentation viewer
  • No escape sequences, just plain PowerShell
gps_not_fixed

Defense Evasion

SpecterInsight integrates a variety of defense evasion techniques out-of-the-box to give you a secure shell for conducting operations.

  • AMSI bypasses
  • Logging bypasses
  • Fully integrated PowerShell Obfuscation
  • Dozens of PowerShell Cradles
  • Fully integrated C# Obfuscator
  • Process injection
  • Payload Generation HTTP Endpoints
  • Native AOT Compilation of obfuscated C#
  • Incorporate your own payloads into Payload Pipelines
Payload Pipelines

Write scripts to that define obfuscated .NET and PowerShell payloads. Activating these pipelines runs the script which generates a new obfuscated payload. The script in the upper editor of the screenshot above is the Payload Pipeline Script. The “Text Output” panel at the bottom is the obfuscated PowerShell script generated by clicking the “Test” button. The output will be unique by randomly selecting different defense evasion techniques, payload templates, and randomized obfuscation techniques.

Obfuscated Scripts

Obfuscated cradles are hosted on the C2 server for a download and execute payloads. This feature is integrated into SpecterScripts to enable the generation of detection resistant payloads for persistence, privilege escalation, and lateral movement.

Licensing



Accounts

Free Trial

Projects

SSL

Your Text

EVALUATION LICENSE

Free

1 USER

Never expires!

Full product

1 user

No commercial use

3 active implant sessions

5 custom SpecterScripts

1U ANNUAL LICENSE

Normally $500 

$100

PER USER

with discount code SPECTER2024

Full product

1 user

Commercial use

Unlimited sessions

Unlimited custom SpecterScripts

5U ANNUAL LICENSE

Normally $450

$90

PER USER

with discount code SPECTER2024

Full product

5 users

Commercial use

Unlimited sessions

Unlimited custom SpecterScripts

10U ANNUAL LICENSE

Normally $400

$80

PER USER

with discount code SPECTER2024

Full product

10 users

Commercial use

Unlimited sessions

Unlimited custom SpecterScripts

Contact us here for special licensing requests.

Gallery

Videos

Tutorials

00. Architecture and Compoments

Overview This tutorial will provide you with the fundamental knowledge of the various SpecterInsight components required to accomplish the subsequent tutorials. Components SpecterInsight Server The SpectersInsight server is the core component of the application. It is a cross-platform, multi-threaded, .NET application. It leverages kestrel for hosting an HTTP/S API for managing the server, handles requests from the client UI, manages SpecterScripts, modules, implants, and artifacts exfiltrated from deployed Specters, and handles all implant communications, command, and control. The server provides a multi-player environment for conducting red team, pen-testing, or threat emulation engagements. It provides secure communications by providing encryption and...

Read more ...

01. Installation

This tutorial covers installation of the server on various operating systems. Debian Linux This guide will walk you through installing SpecterInsight on most Debian distributions including Kali and Ubuntu. This tutorial assumes that you have already registered an account and downloaded SpecterInsight. Install Postgres SpecterInsight leverages Postgres as the back end data store for all data that needs to be retrieved by server application. The easiest way to setup Postgres is to run a docker container. We'll demonstrate setting up a container locally as an example. docker run --name postgresql -e POSTGRES_USER=postgres -e POSTGRES_PASSWORD=postgres -p 5432:5432 -v /data:/var/lib/postgresql/data -d postgres...

Read more ...

02. Apply License

Overview This tutorial will show you how to apply a license using the SpecterInsight client UI. This tutorial assumes that you have already purchased a license for SpecterInsight. Navigate to the License Page After connecting to a server, you can tell if the product is unlicensed when an orange banner appears at the top of the screen that says, "This server is unlicensed." In the client UI, expand the "Administration" menu and select "License" to bring up the license page. The license status and key details are shown in the "Current License" pane. Apply License Click on the "Add or...

Read more ...

03. ELK Integration

SpecterInsight supports unique integrations with ElasticSearch, Logstash, and Kibana (ELK) out-of-the-box. Command output from your deployed Specters comes back as objects with properties that are then augmented and shipped off to ElasticSearch. This means that you can search your command history in Kibana on specific fields. Example This concept is probably easier to convey with a concrete example. If you fire up SpecterInsight, interact with one of the Specters that is beaconing back, and issue the script shown below, the Specter will pick up and execute that script during the next checkin. The output of the script will then be...

Read more ...

04. Managing Certificates

Introduction Managing certificates has always been tedious which is why SpecterInsight has a dedicated UI just for certificate management in order to make that work as easy as possible for the operator. Out-of-the-box, SpecterInsight will generate two new self-signed SSL certificates: one for the management API and one for implant C2 channels. These will be sufficient for installation and evaluation; however, these certificates, particularly the certificate for C2 should be changed for any contracted engagements. I assume that the fields of the default certificates will be signaturized very quickly and self-signed certificates can be a read flag to network defenders....

Read more ...

05. Listeners

Overview In this tutorial, you will learn how to create listeners with SpecterInsight. Viewing Listeners After logging into a server, select Operations > Listeners. You should see a screen similar to the one shown here that lists all of the enabled or disabled listeners. Adding a Listener Click on the "Add" button to create a new Listener. The "Prefix" allows the operator to specify the protocol, interfaces, and ports for the listener. PrefixDescriptionhttp://+Binds to all interfaces on port 80 for unencrypted HTTP connections.http://192.168.1.101:8080Binds to the interface with the IP 192.168.1.101 on port 8080 for unencrypted HTTP connections.https://+:8443Binds to all interfaces...

Read more ...

Scroll to Top