00. Architecture and Components

Overview

This tutorial will provide you with the fundamental knowledge of the various SpecterInsight components required to accomplish the subsequent tutorials.

Components

SpecterInsight Server

The SpecterInsight server is the core component of the application. It is a cross-platform, multi-threaded .NET application. It uses Kestrel to host an HTTP/S API for managing the server, handles requests from the client UI, manages SpecterScripts, modules, implants, and artifacts exfiltrated from deployed Specters, and handles all implant communications and command and control. The server provides a multi-player environment for conducting red team, pen-testing, or threat emulation engagements. It secures communications with encryption and uses JSON Web Tokens for authentication.

Postgres Database

The SpecterInsight server depends on a Postgres database in order to run. In fact, the server will not start unless it can connect to and authenticate with a Postgres database. The database stores all of the data associated with SpecterInsight, including listeners, sessions, tasks, output, artifacts, user authentication, and SpecterScripts.

SpecterInsight UI

The SpecterInsight UI is a cross-platform .NET graphical user interface built on Avalonia. It provides a rich user interface for conducting operations. It connects to a single server and enables management of the server application.

Elasticsearch, Logstash, and Kibana

SpecterInsight provides out-of-the-box integration with Elasticsearch, Logstash, and Kibana, enabling operators to monitor the health of the infrastructure, track the status of access and callbacks, and analyze data exfiltrated from deployed Specter implants.

Specters

The core implant of SpecterInsight is a cross-platform .NET binary called a Specter. This implant is highly versatile and comes with a wide range of hosting environments and payloads that extend beyond the .NET runtime. SpecterInsight provides various payloads, including a basic .NET binary, a native Dynamic Link Library (DLL) and executable, native shellcode, and obfuscated PowerShell cradles.

These payloads set up and configure a secure environment for the Specter to operate in, including bypassing logging and the Anti-Malware Scan Interface (AMSI).
