Summary
The purpose of this version is to provide a pre-configured virtual machine that makes it easier to get up and running with SpecterInsight. Just download the OVF, import, and run! Additionally, this version comes with a new module containing a set of high-performance commands that use the Windows API to extract event logs. Two new SpecterScripts build on this module to extract credentials from the Windows Event Logs.
Release Notes
Features
- EventLog Module. This new module provides a set of high-performance commands to extract Windows Event Logs. Exposed commands include:
  - Get-Events
  - Start-EventSubscription
  - Get-EventSubscription
  - Stop-EventSubscription
- SpecterInsight Virtual Machine. This is a pre-configured Kali Linux VM with SpecterInsight installed as a service along with its dependencies. Just log in and run the SpecterInsight client. No other work is required. You can find more details at SpecterInsight VM.
  - Dependencies pre-installed
  - PostgreSQL docker container installed and configured
  - ELK docker container installed and configured
  - Kibana dashboards pre-loaded
  - SpecterInsight server installed as a service
- SpecterScripts. This release comes with the following SpecterScripts:
Screenshots
Extracting Credentials from the Windows Event Log
This release adds a new credential harvesting technique that extracts credentials from the Windows Event Log. Credentials can end up in events such as 4688 when command-line logging is enabled. This is great for defenders, but it also opens up an avenue of attack.
This SpecterScript extracts the logs and runs a set of custom-tailored regular expressions to pull username and password fields out of command-line arguments.
This new SpecterScript depends on a high-performance Windows Event Log parsing cmdlet called Get-Events. It can extract and parse 15K events into easy-to-manage PSObjects in under two seconds, compared to the 2 – 3 minutes you would get with Get-WinEvent.
The screenshot to the right shows a set of credentials extracted by running this SpecterScript.
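The following is a defender-side audit of the conditions the technique above relies on, added here as an example; it is not SpecterInsight code and not one of its SpecterScripts. It assumes an elevated PowerShell 5.1 or later session on the Windows host being checked, and the password-switch pattern it scans for is a constructed starting point rather than an exhaustive list.

```powershell
# Added example, not SpecterInsight code: audit the conditions that make the
# 4688 credential-harvesting technique work, from the defender's side.
# Assumes an elevated PowerShell 5.1+ session on the Windows host being checked.

# 1. Is full command-line capture in 4688 events turned on?
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
$value    = Get-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -ErrorAction SilentlyContinue
if ($value.ProcessCreationIncludeCmdLine_Enabled -eq 1) {
    Write-Warning 'Command-line logging is on: any secret passed as a process argument lands in the Security log.'
} else {
    Write-Output 'Command-line logging for 4688 is not enabled on this host.'
}

# 2. Who, besides Administrators, can read the Security log?
Write-Output "`nMembers of 'Event Log Readers':"
Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue |
    Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# 3. Channel ACL on the Security log (a custom grant to a service account shows up here).
Write-Output "`nSecurity channel access (wevtutil):"
wevtutil gl Security | Select-String -Pattern 'channelAccess'

# 4. Which processes are being launched with a password-style switch on their command
#    line? Only the image path and a count are reported, so the output itself holds no
#    secret; the goal is to find the scripts or scheduled tasks that need fixing.
#    The switch pattern is a constructed starting point, not an exhaustive list.
$switchPattern = '(?i)(\s/p(ass(word)?)?:|\s-p(ass(word)?)?\s|--password[= ])'
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 2000 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Image       = ($data | Where-Object Name -eq 'NewProcessName').'#text'
            CommandLine = ($data | Where-Object Name -eq 'CommandLine').'#text'
        }
    } |
    Where-Object { $_.CommandLine -match $switchPattern } |
    Group-Object Image |
    Select-Object @{ n = 'Image'; e = { $_.Name } }, Count |
    Format-Table -AutoSize
```

Any image listed in step 4 is a process that is handing a secret to the Security log on every launch; fix the caller (credential file, managed service account, or secret store) rather than turning off command-line auditing, which defenders rely on.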