Version 4.0.0: Direct System Call Module, Process Injection, and New AMSI Bypass

Summary

The purpose of this version is to improve SpecterInsight’s defense evasion capabilities by providing a direct system call module and additional process injection techniques. This version also ships with a brand new AMSI bypass technique.

Release Notes

Features

  • Defense Evasion.
    • New process injection techniques:
      • Direct system call injection using CreateRemoteThread
      • QueueUserAPC injection
      • SuspendInjectResume
    • New integrated AMSI bypass technique
    • Operators can now select which AMSI bypass technique to use when building a new implant
  • Implant.
    • Added callback scheduler to get callbacks at specific times
    • Old variables are now cleared out between background commands
  • Modules.
    • Direct system call module
    • System call injection cmdlet
  • Quality of Life.
    • Added SpecterScript name column to the command history window.
    • Added implant nicknames.
  • SpecterInsight-VM.
    • Kibana now listens on 0.0.0.0 so that it can be accessed remotely.
    • Many dashboard improvements.
  • SpecterScripts.

Screenshots

UI Improvements

This release comes with an improved command history window that now shows the name of the SpecterScript that was executed. This makes it easier for an operator to locate critical information they need to reference later in the engagement, instead of having to hunt for it through unnamed tasks.

Another feature is implant nicknames. Previously you had to remember a 32-digit hex string and what it referred to. Turns out, humans aren’t good at remembering that kind of thing. We now allow operators to provide nicknames for implants. SpecterInsight will suggest a random name if you don’t have a preference.

There is also increased visibility into implant configuration settings that will be shown at the bottom of the screen whenever you select an implant.
