SpecterInsight v5.0.0: EventViewer, Stability Fixes, and UX Improvements

Overview

The main focus of this release is the EventView feature, which provides an operational event log in the UI client so that teams can track every event happening on the server and gain better insight into issues encountered during engagements. Additionally, we have addressed several stability issues, including bugs with PSExec, msbuild, service binary payload generation, and the HardwareBreakPointAmsiScanBuffer bypass; those issues have now been fixed to improve reliability. Lastly, we’ve addressed several highly anticipated user experience features, including the ability to un-archive a session, delete a session, and give each session a nickname and notes. Check out the feature list below for the full list.

Features

  • SpecterScripts:
    • Get Windows Defender Alerts gets a list of the latest Windows Defender alerts on a target system.
  • Server EventLog
    • New UI to monitor server events related to operations.
    • Logged events now include:
      • session-new
      • session-checkin
      • session-errors
      • session-task-queued
      • session-task-deployed
      • session-task-completed
      • session-module-load
      • session-file-upload
      • session-file-download
      • session-tunnel-started
      • session-tunnel-connected
      • session-tunnel-disconnected
      • session-tunnel-stopped
      • payload-requested
      • payload-generated
      • payload-retrieved-from-cache
      • payload-cached
      • payload-cache-expired
      • payload-delivered
      • user-create
      • user-login
      • user-delete
  • UI Improvements:
    • Session nicknames can now be added to make sessions easier to track.
    • Notes in markdown can be added to sessions.
    • Sessions can now be restored (un-archived).
    • Sessions can now be fully deleted.
  • Bug Fixes:
    • Fixed bug in Get Logon Statistics to load the EventLog module.
    • Fixed issue where msbuild payloads were incompatible with older msbuild versions.
    • Fixed bug where the ServiceManager was not being opened with sufficient rights, resulting in failed PSExec lateral movement and Service persistence techniques.
    • Fixed bug with PowerShell Service Binary payload that would occasionally result in invalid C# code.
    • Fixed bug where HardwareBreakpointAmsiScanBuffer C# AMSI bypass would sometimes fail when certain data structures were not allocated with 16-byte alignment.

Screenshots

EventLog

The EventLog module provides a running list of all the events happening on the server. Every single payload that is generated, cached, and delivered to the target is recorded here, along with context-relevant information such as the file hash.
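As an added example (not SpecterInsight's own code or export format), the following script shows how a team could triage this kind of event stream offline: it reconstructs each payload's lifecycle from the event names listed above, flags deliveries whose recorded hash differs from the generated one, and counts error events per session. The record layout (`event`, `session`, `payload`, `sha256`) and the sample log are assumptions constructed for the example.

```python
# Constructed example: summarise SpecterInsight-style server events. Assumed
# record layout (not from the release notes): {"event", "session",
# "payload", "sha256"} with the event names from the v5.0.0 list.
from collections import Counter

# Constructed log: p1 is delivered, p2 expires from cache, p3 is delivered
# with a hash differing from the generated one, s1 errors after a task.
EVENTS = [
    {"event": "payload-requested", "payload": "p1"},
    {"event": "payload-generated", "payload": "p1", "sha256": "aa11"},
    {"event": "payload-delivered", "payload": "p1", "sha256": "aa11"},
    {"event": "payload-generated", "payload": "p2", "sha256": "bb22"},
    {"event": "payload-cached", "payload": "p2"},
    {"event": "payload-cache-expired", "payload": "p2"},
    {"event": "payload-generated", "payload": "p3", "sha256": "cc33"},
    {"event": "payload-delivered", "payload": "p3", "sha256": "dd44"},
    {"event": "session-new", "session": "s1"},
    {"event": "session-task-deployed", "session": "s1"},
    {"event": "session-errors", "session": "s1"},
]

# Payload lifecycle in order; the furthest stage seen becomes the status,
# unless the cached copy expired before it was delivered.
STAGES = ["payload-requested", "payload-generated", "payload-cached",
          "payload-retrieved-from-cache", "payload-delivered"]


def payload_status(events):
    """Map payload id -> furthest lifecycle stage reached, or 'expired'."""
    status = {}
    for ev in events:
        pid, name = ev.get("payload"), ev["event"]
        if name == "payload-cache-expired":
            status[pid] = "expired"
        elif name in STAGES and status.get(pid) != "expired":
            if STAGES.index(name) >= STAGES.index(status.get(pid, STAGES[0])):
                status[pid] = name
    return status


def hash_mismatches(events):
    """Payload ids whose delivered hash differs from the generated one."""
    generated = {e["payload"]: e.get("sha256")
                 for e in events if e["event"] == "payload-generated"}
    return [e["payload"] for e in events if e["event"] == "payload-delivered"
            and e.get("sha256") != generated.get(e["payload"])]


def session_error_counts(events):
    """Count session-errors events per session, for triage."""
    return Counter(e["session"] for e in events if e["event"] == "session-errors")
```

Running the three functions over `EVENTS` reports p2 as expired, p3 as a hash mismatch, and one error on session s1.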

User Experience

You can now add a nickname for each session to make tracking easier. Additionally, operators can now restore archived sessions or straight up delete them along with all of the stored data associated with that session.
