Description
This script loads a SpecterInsight implant onto the remote system by creating and executing a service that runs a PowerShell command, which in turn reflectively loads a Specter.
Overview
This script uses the Service Control Manager API to create and execute a remote service on the operator-specified system, authenticating either by impersonation or with a username and password. The service runs a PowerShell command that downloads and executes an obfuscated script to load a Specter. The service runs under the NT AUTHORITY\SYSTEM account.
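Added here as a defender-side example, not part of the SpecterInsight script or its output: detection logic that flags service installs of the kind described above, run over constructed records shaped like Windows System log Event ID 7045 ("A service was installed in the system"). The field names mirror that event's data, but the sample values, the `SAMPLE_EVENTS` list and the indicator set are assumptions.

```python
"""Flag suspicious service installs from Event ID 7045-style records."""
import re

# Constructed sample records (not real log data). Event ID 7045 carries
# ServiceName, ImagePath and AccountName; values here are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "SpecterSvc", "AccountName": "LocalSystem",
     "ImagePath": "powershell.exe -nop -w hidden -enc AAAAAAAAAAAAAAAA"},
    {"EventID": 7045, "ServiceName": "Spooler", "AccountName": "LocalSystem",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": 7045, "ServiceName": "Updater", "AccountName": "LocalSystem",
     "ImagePath": r"powershell.exe -nop -w hidden -ep bypass -File C:\Windows\Temp\placeholder.ps1"},
]

# Indicators commonly seen when a service binary path is a PowerShell cradle
# rather than a compiled service executable. Order determines reason order.
INDICATORS = [
    (re.compile(r"powershell(\.exe)?", re.I), "powershell in service binary path"),
    (re.compile(r"-(e|ec|enc|encodedcommand)\b", re.I), "encoded command"),
    (re.compile(r"\b(iex|invoke-expression)\b", re.I), "invoke-expression"),
    (re.compile(r"downloadstring|downloadfile|net\.webclient|invoke-webrequest", re.I),
     "download cradle"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"-e(xecution)?p(olicy)?\s+bypass", re.I), "execution policy bypass"),
]


def score_event(event):
    """Return the indicator names matched by one record's ImagePath."""
    if event.get("EventID") != 7045:
        return []
    path = event.get("ImagePath", "")
    return [name for pattern, name in INDICATORS if pattern.search(path)]


def suspicious_services(events, threshold=2):
    """Return (ServiceName, AccountName, reasons) for installs hitting >= threshold indicators."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= threshold:
            hits.append((ev["ServiceName"], ev.get("AccountName"), reasons))
    return hits


if __name__ == "__main__":
    for name, account, reasons in suspicious_services(SAMPLE_EVENTS):
        print(f"{name} ({account}): {', '.join(reasons)}")
```

On a live host the same scoring applies to records pulled with `Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045}`; a hit running as LocalSystem with a PowerShell ImagePath is the pattern the overview describes.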
Arguments
- Target: The IP address or hostname of the system on which to run the cradle.
- Username: The local or domain username to authenticate with.
- Password: The password for the specified user.
- Build: The Specter build identifier.
- ServiceName: The name of the service to create on the remote system.
Operating Systems
- Windows
Dependencies
- common
- lateral
Prerequisites
- Valid credentials for the target system.
- Service Control Manager
- Firewall permissions to establish RPC connections
- Server Service
- Administrative Shares enabled
- Firewall permissions allowing SMB connections
Example Output
{
    "Lateral": {
        "Username": "[email protected]",
        "Build": "8af164d0e3d5487f821b85760b4ffb51",
        "ServiceName": "SpecterSvc",
        "Success": true,
        "Method": "System Sevice",
        "System": "192.168.1.103",
        "Payload": "ps_command"
    }
}