Specter Insight
ACHIEVE YOUR OBJECTIVES
SpecterInsight is a cross-platform, post-exploitation command and control framework based on .NET for red team engagements, threat emulation, and training.
Fast | Powerful | Easy to Use
“SpecterInsight streamlines our operations and makes challenging or tedious procedures repeatable and reliable.”
Components and Features
C2 Server
The cross platform command and control server is written in .NET provides a multi-threaded web API for managing specters (implants), storing data in the database, performing data augmentation, and weaponizing payloads.
- Multiplayer C2 server
- Windows 10+ | Linux
- Multiple listeners/protocols
- Unique C2 profiles per implant build
- Upload/store/create SSL/TLS certificates
- LetsEncrypt support
- Manages exfiltrated files
- Updates product and SpecterScripts on demand
- Obfuscation pipelines for generating detection resistant payloads
Implants
The core implant is a .NET 2.0+ compatible binary containing a PowerShell 2.0+ compatible interpreter. Multiple droppers are provided to safely load the implant on target with a variety of defense evasion techniques.
- Windows Vista+ | Linux
- .NET 2.0+ | PowerShell 2.0+
- Beaconing implant
- HTTP/S
- Commands output objects
- Objects serialized over C2 channel
- Enables easy data analysis
- Asynchronous background commands
- Simultaneous execution of commands
- Upload/Download files
- Tunnel over C2 connection
- AMSI bypass
- PowerShell logging suppression
- Multiple process injection techniques
- Multiple persistence techniques
- Highly modular
- Upload any .NET binary in memory
GUI
SpecterInsight ships with a fully featured cross platform GUI built on AvaloniaUI and SignalR for real-time command and control. The UI provides a modern, clean interface for tasking implants and reviewing output in plain text, json, or tabular format.
- Windows 10+ | Linux
- HTTPS
- Username/password authentication
- Generate implants
- Configure listeners
- Manage certificates
- LetsEncrypt support
- Countdown to next callback per session
- View command history/output
- Supports text, json, and tabular formats
- Realtime updates
- Build SpecterScripts in PowerShell
- Easily lookup scripts and documentation to insert into command window
- View exfiltrated files
Analysis
The core implant serializes output from commands to JSON and automatically performs data augmentation before shipping the data off to an ELK stack configured with pre-built dashboards for analysis.
- Performs data augmentation
- Adds GeoIP to command output
- Collects events and command output
- Ships to Elastic
- Creates pre-built Kibana dashboards
- Creates network graphs from host or network command output
- Records all captured creds
- Records all persistence laydowns
- Tracks all lateral movement events
- Provides uninstall script for each persistence technique
- Maps events and commands to MITRE ATT&CK matrix
Key Features
SpecterScripts are PowerShell scripts to command and control deployed specters. The implant provides built-in cmdlets for doing special actions like loading modules from the C2 server into memory, exfiltrating data, and changing the configuration of the specter.
You can filter through scripts by category or contents to find the right technique quickly. The screenshot above demonstrates a filter for all PowerShell persistence techniques. Notice that all persistence install scripts output an uninstall command. Additionally, the installation is recorded in ELK for visualization so you never forget or lose your persistence during an engagement.
SpecterInsight also ships with an editor to write your own SpecterScripts. It comes with options for adding name, description, labels, and documentation in markdown.
SpecterScripts are written as though you were typing commands directly into a PowerShell terminal. No complex escaping required.
SpecterScripts
SpecterInsight ships with pre-built tactics, techniques, and procedures, for lateral movement, C2, discovery, reconnaissance, defense evasion, persistence, and exfiltration.
# Built-in Scripts
Elasticsearch Integration
Output from specter implants is returned in a JSON format with fields and values. The output is augmented and shipped off to Elasticsearch. SpecterInsight ships with pre-built dashboards for operations, reconnaissance, and reporting.
# Pre-Built Dashboards
# Pre-Built Visualizations
This dashboard shows gives you a timeline of specterimplant events such as register, check-in, and post-results. Data is enriched with IP geolocation information so that your accesses can be visualized on a world map.
This dashboard summarizes reconnaissance data collected from all of your deployed specters.
This dashboard shows details about all of the persistence mechanisms dropped during the engagement. There are summary visualizations at the top that show the OS, method, and profile summary statistics. Then a data table lists every system persistence was established along with the type, trigger, and an uninstall script for easy removal.
Never lose track of your persistence mechanisms. SpecterInsight records all of the details related to each unique persistence technique. In this case, it recorded the username and password created for persistence. Additionally, SpecterInsight generates an uninstall script that will remove the persistence and clean up any artifacts.
The Sessions page lists key information about active or archived specter sessions. This includes host info such as machine id, hostname, domain, user, and architecture. Additionally, there is a countdown timer until the next callback so that you know exactly when the specter will check-in next.
The interactive session window gives operators a rich interface for orchestrating a single specter session. The “Session Info” pane shows key host details and a check-in countdown. The “SpecterScripts” pane allows operators to lookup TTPs to execute and loads them into the “Command Editor” which sends commands to the specter. The “Command History” pane allows operators to browse all current and previous command output in text or JSON format. Additionally, command errors with detailed error messages and the original command itself can be viewed here.
Clean User Interface
SpecterInsight delivers the richest, cleanest, and most intuitive interface for managing your implants. Command and Control has never been this easy.
- Command output JSON view
- Command output plaintext
- Command history
- Detailed error information
- Countdown until the next check-in
- TTP lookup and documentation viewer
- No escape sequences, just plain PowerShell
Defense Evasion
SpecterInsight integrates a variety of defense evasion techniques out-of-the-box to give you a secure shell for conducting operations.
- AMSI bypasses
- Logging bypasses
- Fully integrated PowerShell Obfuscation
- Dozens of PowerShell Cradles
- Fully integrated C# Obfuscator
- Process injection
- Payload Generation HTTP Endpoints
- Native AOT Compilation of obfuscated C#
Obfuscated cradles are hosted on the C2 server for a download and execute payloads. This feature is integrated into SpecterScripts to enable the generation of detection resistant payloads for persistence, privilege escalation, and lateral movement.
Licensing
Accounts
Free Trial
Projects
SSL
Your Text
EVALUATION LICENSE
Free
1 USER
Never expires!
Full product
1 user
No commercial use
3 active implant sessions
5 custom SpecterScripts
1U ANNUAL LICENSE
Normally $500
$100
PER USER
with discount code SPECTER2024
Full product
1 user
Commercial use
Unlimited sessions
Unlimited custom SpecterScripts
5U ANNUAL LICENSE
Normally $450
$90
PER USER
with discount code SPECTER2024
Full product
5 users
Commercial use
Unlimited sessions
Unlimited custom SpecterScripts
10U ANNUAL LICENSE
Normally $400
$80
PER USER
with discount code SPECTER2024
Full product
10 users
Commercial use
Unlimited sessions
Unlimited custom SpecterScripts
Contact us here for special licensing requests.
Gallery
From the “Listeners” page, you can manage all of the implant handler port configurations. You can add, remove, enable, and disable listeners. 
From the “Certificates” page, you can manage all of the SSL/TLS certificates you need for your operation. You can upload custom certificates, generate self-signed certificates, and generate LetsEncrypt certificates. 
SpecterInsight allows you to generate self-signed certificates to get up and running, but recommend using valid SSL/TLS certificates or LetsEncrypt for actual engagements. 
SpecterInsight supports LetsEncrypt SSL/TLS certificate generation from the UI. 
From the “Implants” page, you can generate new Specter configurations and download payloads in a variety of formats. 
There are a variety of options available when generating a new Specter implant including interval, window, callback URLs, user-agent string, defense evasion options, and an expiration date. 
The startup script will run prior to registering the new session with the server. You can put custom logic here to verify the target environment and make sure it is suitable for post-exploitation. 
The expiration script will run after the implant expires or the “burnoff” command is issued. This script will run in a child process. 
From the “Sessions” page, you can manage all of the active or archived sessions. Here you can see Specters running in multiple host environments such as PowerShell on Ubuntu, PowerShell on Windows, process injected into explorer.exe, and running as a native executable. 
From the “Scripts” page, you can manage all of the SpecterScripts available for tasking to deployed Specters. 
The interactive session window shows summary information on the target, provides a countdown until the next check-in, a SpecterScript lookup panel, command editor, and command history reviewer. 
An interactive session with a deployed Specter. The UI provides rich features for loading pastables, tasking the implant, and viewing results. 
The results from commands pass through a data augmentation pipeline that embed additional fields. The results can then be viewed in text or JSON format. 
Exceptions from commands are captured and serialized back for easily viewing and troubleshooting. They are displayed in a separate tab so that they don’t clutter your workspace. 
From the “Settings” page, all server settings can be configured and saved. Most services will accept changes without requiring a restart. 
ELK dashboard showing the persistence laydown for a particular engagement. The discovery panel at the bottom lists every system persistence is on as well as an uninstall script to remove the peristence. 
ELK dashboard showing summary stats on C2 actions (e.g. register, check-in, post-results), callback interval histogram, C2 event timeline, and a geomap of callbacks.
Videos
