Overview
This tutorial will show you how to generate custom Specters (our term for implants).
Background Knowledge
The core implant for SpecterInsight is a .NET 2.0+ compatible binary referred to as a specter. The specter implant contains an internally hosted PowerShell 2.0+ compatible shell. Additionally, there are wrappers that encapsulate your specters to give them different running environments and allow this product to support a broad range of defense evasion techniques.
Payloads
The following payloads are generated every time you create a new specter:
Payload | Obfuscated | Description |
---|---|---|
.NET Binary | No | The core SpecterInsight implant that can run in either 32-bit or 64-bit environments. |
Win32 DLL | No | A native 32-bit or 64-bit DLL wrapper that will securely load a specter into memory. |
Win32 EXE | No | A native 32-bit or 64-bit executable wrapper that will securely load a specter into memory. |
Win32 SRDI | No | A native 32-bit or 64-bit shellcode wrapper that uses Shellcode Reflective DLL Injection that will securely load a specter into memory. |
PowerShell Script | Yes | An obfuscated PowerShell cradle that will securely load a specter into memory. |
PowerShell Command | Yes | A PowerShell command that will run a PowerShell process that will download an obfuscated PowerShell cradle that will securely load a specter into memory. |
PowerShell URL | Yes | A URL that will return an obfuscated PowerShell Script when a GET request is issued. |
CSharp URL | No | A URL that will return the core SpecterInsight implant when a GET request is issued. |
CSharp Load Module | Yes | An obfuscated .NET executable containing an AMSI bypass that will reflectively load a specter into memory. |
CSharp PowerShell Host | Yes | An obfuscated .NET executable containing an AMSI bypass that will start an internal PowerShell instance to download and run a PowerShell cradle to load a specter into memory. |
CSharp Service Load Module | Yes | The same as the CSharp Load Module but compiled as a service binary compatible with the Windows Service Manager. |
CSharp Service PowerShell Host | Yes | The same as the CSharp PowerShell Host but compiled as a service binary compatible with the Windows Service Manager. |
CSharp Shellcode Inject | Yes | An obfuscated .NET executable that will download a shellcode loader to inject a specter into the current process. |
Payload Options
SpecterInsight comes with a variety of configuration options to customize your specter to emulate a specific adversary or to change the behavior to achieve your specific engagement objectives. The following table summarizes the various options:
Option | Examples | Description |
---|---|---|
Identifier | 7e541b7403fe4abebf2d5938c922be22 | An alphanumeric identification string for this particular implant build. |
URLs | https://www.evil.com; https://103.56.32.163; https://localhost | A semi-colon separated list of callback URLs using the specified protocol. |
Connection Policy | Fallback Random | Fallback – the implant will try the last successful URL first and then try the remaining URLs in the order specified by the operator. Random – the implant will try the last successful URL first and then try the remaining URLs in a random order. |
Interval | 4 hours 0 minutes 2h30m | The minimum interval between specter checkins. |
Window | 30 minutes 53 seconds 1h22m41s | A length of time after the interval during which a specter will check in at a random moment. |
User Agent | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36 | The UserAgent string the specter will use when interacting with the C2 server. |
Certificate Validation | True False | Should the specter verify the C2 server SSL certificate using the local certificate store or not. This can help prevent Man-in-the-Middle attacks against your specters, but may prevent successful callbacks if the SSL certificate is not trusted by the environment. |
AMSI/Logging Bypass | True False | Should the native payloads employ AMSI and logging bypasses prior to loading the specter. |
Environment Parameters | LOG_PARAMS | This is the name of the environment variable the specter will check to find runtime configuration settings in key/value pair format. |
Expiration Date | 22 August 2023 at 14:23 | The date and time in GMT that the specter will expire and shutdown. |
Startup Script | $system = Get-WmiObject -Namespace root\cimv2 -Class Win32_ComputerSystem \| Select Name, Domain; if(!$system.Domain.EndsWith(".target.net", [StringComparison]::InvariantCultureIgnoreCase)) { burnoff; } | A PowerShell script that runs prior to registration. This can be used to survey the environment to make sure it is safe to execute in, prevent duplicate specters from running, or to run an initial recon survey. The example ensures that the specter will only run if it is in the target.net domain; otherwise the specter will burn off. |
Expiration Script | schtasks /DELETE /TN 'CacheTask' /F; [Environment]::SetEnvironmentVariable('GPO_AUX', $null, 'Machine') | A PowerShell script that runs just prior to shutdown, either because the "burnoff" command was issued or because the expiration date was reached. This can be used to clean up artifacts from the engagement such as persistence mechanisms. The example script here removes the persistence method by deleting the scheduled task. |
Generate a New Implant
Navigate to Implants Page
Use the menu bar to navigate to Operations > Implants.
Configure Options
Click the “Add” button to create a new implant configuration.
Configure the options as required for your use case. We configure the specter to call back over HTTPS port 443 to 192.168.1.101 every 15 to 30 minutes. Here are some other possible values you could use for the Interval and Callback fields:
- 5 seconds
- 5s
- 20m37s
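As an added example that is not SpecterInsight's own code: a small Python model of the Interval and Window options from a detection engineer's side. It parses the duration formats listed above (the grammar is my reading of the page's examples), takes the next check-in to fall anywhere in [interval, interval + window] (an assumption about the implant's scheduling), and measures how well a series of request timestamps, here constructed rather than captured, fits that profile.

```python
import re
from datetime import datetime, timedelta

# Duration grammar taken from the page's examples: "4 hours 0 minutes", "2h30m", "1h22m41s", "5s", "20m37s".
UNIT_SECONDS = {"h": 3600, "hour": 3600, "hours": 3600,
                "m": 60, "minute": 60, "minutes": 60,
                "s": 1, "second": 1, "seconds": 1}
TOKEN = re.compile(r"(\d+)\s*([A-Za-z]+)")


def parse_duration(text: str) -> timedelta:
    """Turn an Interval/Window string into a timedelta; rejects unknown units or leftover text."""
    total, matched = 0, 0
    for number, unit in TOKEN.findall(text):
        unit = unit.lower()
        if unit not in UNIT_SECONDS:
            raise ValueError(f"unknown unit {unit!r} in {text!r}")
        total += int(number) * UNIT_SECONDS[unit]
        matched += 1
    if matched == 0 or TOKEN.sub("", text).strip():
        raise ValueError(f"cannot parse duration {text!r}")
    return timedelta(seconds=total)


def checkin_bounds(interval: str, window: str) -> tuple:
    """Earliest and latest gap between consecutive check-ins: [interval, interval + window].
    Assumption: the implant picks a random point inside the window once the minimum interval has passed."""
    base = parse_duration(interval)
    return base, base + parse_duration(window)


def gap_consistency(timestamps, interval: str, window: str) -> float:
    """Fraction of gaps between consecutive requests (ISO 8601 strings from one client) that fall
    inside the configured check-in range: a quick test of whether traffic to a suspect URL
    matches a known or suspected beacon profile."""
    lo, hi = checkin_bounds(interval, window)
    times = sorted(datetime.fromisoformat(t) for t in timestamps)
    gaps = [b - a for a, b in zip(times, times[1:])]
    if not gaps:
        return 0.0
    return sum(1 for g in gaps if lo <= g <= hi) / len(gaps)


# Constructed sample (not real data): one host's requests to a suspect URL, as a proxy log would record them.
SAMPLE_TIMES = ["2023-08-22T12:00:00", "2023-08-22T12:18:00", "2023-08-22T12:43:00",
                "2023-08-22T13:05:00", "2023-08-22T13:06:00"]

if __name__ == "__main__":
    # The tutorial's own setting, check in every 15 to 30 minutes: Interval 15m, Window 15m.
    print(gap_consistency(SAMPLE_TIMES, "15 minutes", "15 minutes"))  # 0.75
```

The last gap in the sample (one minute) falls outside the 15 to 30 minute range, which is why three of four gaps match; a run of such out-of-range gaps is the kind of signal that separates interactive use from a configured beacon.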
For this particular scenario, we already know that our target is a Windows Active Directory environment with a domain called target.net. We configure a startup script that verifies the domain or exits. This ensures that our malware does not execute in sandboxed environments or non-target networks.
We have also configured an expiration script to delete a scheduled task. If you already know the persistence mechanism you want to use, then you can pre-bake an uninstall script so that the specter cleans up after itself. When combined with a reasonable expiration date, you can ensure engagement artifacts are not left behind after the engagement completes.
When done, click the “Create Implant” button at the bottom of the window.
Download a Payload
Right-click on the implant you want to generate a payload for, then navigate down to PowerShell > Command.
Run the Payload
Copy and paste the contents of the payload.txt file into a command prompt.
Observe Callback in Sessions Page
You should get a pop-up notification in the bottom, right-hand corner of the screen indicating a successful registration. You should see the new Specter session in the Sessions page.
To interact with the session, right-click and select Interact, or double-click the row you're interested in.