Home
Welcome to the specula wiki!
Specula is a framework that allows interactive operation of an implant that runs purely in the context of Outlook. It works by setting a custom Outlook home page via registry keys that calls out to an interactive Python web server. This web server serves custom patched VBScript files that execute a command and return a string response.
This is not a completely new concept; other public tools have existed that take advantage of the VBScript capability within Outlook to perform attacks. We feel, however, that this is the first framework that presents natural and easily extensible flows for using Outlook as a true feature-complete implant.
A playlist of tutorial videos can be found here: https://www.youtube.com/playlist?list=PLk-dPXV5k8SE_g2507i2Qsu-dj3nRnTgA
The developers can also be found on the TrustedSec discord in the Specula channel: https://discord.com/invite/trustedsec
python3
python3-pip
python3.x-venv (if you want to use venv)
We have verified and tested with Python 3.9 up to Python 3.11. Python 3.12 is currently not supported and will not work.
You can use IP addresses, but a recommendation is to use a DNS record. In this example we are going to use DNS. Start by pointing a DNS record towards your public IP of the server you will be using as a Specula server. Let us pretend that we created an A-record named demo.specula.com with the value of our public IP.
If you are planning to use SSL (recommended) you will need to request certificates. This guide shows how to do that with free Let's Encrypt certificates. We first need to install certbot:
```
apt install certbot
```
Next, make sure that you have allowed inbound traffic on ports 80 and 443. Then request a certificate, using demo.specula.com as the example (change this to your environment):
```
certbot certonly --non-interactive --agree-tos --email <SOME EMAIL ADDRESS> --standalone --preferred-challenges http -d demo.specula.com
```
This produces the certificate files; note down their paths, since you will need to reference them when starting Specula for the first time. In our example we want to keep these lines:
```
/etc/letsencrypt/live/demo.specula.com/fullchain.pem
/etc/letsencrypt/live/demo.specula.com/privkey.pem
```
The path to fullchain.pem is the input when Specula asks for cert_file during startup, and the path to privkey.pem is the input for key_file.
First you should create a Python virtual environment. You can of course install into the global package root, but this can cause issues that are later hard to diagnose.
If you're unfamiliar with Python virtual environments and just want to know what to type, a basic install looks like this:
```
python -m venv venv
source venv/bin/activate
pip install -r requirements.txt
sudo python specula.py
```
Note that sudo does not normally inherit the activated virtual environment's PATH, so if the last command complains about missing modules, invoke the virtual environment's interpreter explicitly (venv/bin/python).
Since this is the first time you are starting Specula, it will ask you for a variety of options, which are then stored and used for future runs. The settings are stored in a file called specConfig.ini. If you ever want to reset your settings and start over, remove this file.
A video walkthrough of the installation (without SSL) can be seen here: https://www.youtube.com/watch?v=6gL4tyQwgb4&list=PLk-dPXV5k8SE_g2507i2Qsu-dj3nRnTgA&index=1
| Option | Default | Use |
|---|---|---|
| dns_name | N/A | Full address that the Specula home page will call out to (in our example, demo.specula.com) |
| pushover_api_token | NONE | If given, a Pushover notification is sent to the account with this token when a new agent calls in |
| pushover_app_api_token | NONE | If given, a Pushover notification is sent to the app with this token when a new agent calls in |
| end_date | None | If specified, the server will stop providing tasks after this time |
| validate_url | /plugin/search/ | URI that an agent must call out to a number of times before the server accepts it as an agent |
| base_path_agent_com | /css/ | URI that an agent communicates over once it has been authenticated |
| base_payload_url | /<random 10-character ASCII/digit string> | Base URI under which hosted secondary resources are served |
| time_format | %m/%d/%Y-%H:%M:%S | Format in which timestamps are written out |
| initial_checkin_count | 5 | Number of check-ins to validate_url an agent must make before it is converted to a valid agent |
| redirect_false_agents | template | Path to a template file, or a URI to redirect to, for non-authenticated agents |
| default_refresh_time | 15 | How long the agent waits between check-ins to the C2 |
| jitter | 30 | Variance applied to the check-in interval |
| specula_log_file | specula_log.txt | Operational log file |
| operator_log_file | operator_log.txt | Operator log file |
| server_header | Microsoft-IIS/8.5 | Server name claimed in the HTTP response headers |
| encryptionkey_registry_location | Software\Microsoft\Office" & Left(a.version,4) & "\Outlook\UserInfo | Registry location on the target where Specula stores its encryption key |
| encryptionkey_valuename | KEY | Name of the registry value that holds the encryption key |
| ssl | True if dns_name starts with https, else False | Whether to use SSL |
| cert_file | ./ssl/ssl-cert-snakeoil.pem | Server certificate |
| key_file | ./ssl/ssl-cert-snakeoil.key | Server private key |
| webserver_port | 443 if ssl else 80 | Port to listen on for agents |
| ip_blocklist | NONE | List of CIDR ranges that will be rejected outright |
Once it has started, it is recommended to stop Specula and then create a tmux session. Split the tmux session in two so that you can have the server in the top pane and a tail of specula_log.txt running in the bottom pane.
To hook an agent, all you need to do is create the REG_SZ value URL under HKCU\Software\Microsoft\Office\16.0\Outlook\WebView\Inbox and set it to your validation URL on the Specula server.
Based on our experience, a few additional settings are preferable to add or adjust in order to avoid issues with ActiveX. To generate a full reg file with all the recommended settings, run generatehooker from the root of the Specula menu; it will show you the reg file, which you can copy over to a Windows client with Outlook installed and import. For the registry key to take effect, you will need to stop Outlook if it is running and start it again.
The agent should now show up in Specula. Depending on setup, you will either need to approve it manually (if initial_checkin_count is set to 0) or wait until the necessary number of check-ins has been reached before Specula generates an encryption key and sends it back to the agent. On the Outlook side, when everything is completed, the view changes from Inbox to Calendar. Once you change the view back to Inbox, you have a fully functional Specula agent running.
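A defender-side hunt for the persistence location described above, written here as an added PowerShell example (it is not part of the Specula project). It assumes an elevated session so every loaded user hive under HKEY_USERS can be read, and it generalizes the check to every Office version and every WebView folder rather than only 16.0\Inbox, and also reports the UserInfo KEY value the config table names as the default encryption-key location.

```powershell
# Added example (not Specula's own code): find Outlook WebView home-page hijacks.
# Outlook loads the page named by the URL value under
#   HKCU\Software\Microsoft\Office\<ver>\Outlook\WebView\<Folder>
# The wiki shows 16.0\Inbox; this check walks every Office version and folder
# in every loaded user hive, and also flags the UserInfo\KEY value.
# Assumption: run from an elevated PowerShell session so HKEY_USERS is readable.

$findings = @()
$userHives = Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -like 'S-1-*' -and $_.PSChildName -notlike '*_Classes' }

foreach ($hive in $userHives) {
    $officeRoot = "Registry::$($hive.Name)\Software\Microsoft\Office"
    if (-not (Test-Path -Path $officeRoot)) { continue }

    $versions = Get-ChildItem -Path $officeRoot | Where-Object { $_.PSChildName -match '^\d+\.\d+$' }
    foreach ($ver in $versions) {
        # Any WebView folder carrying a URL value has a custom home page configured.
        $webView = "Registry::$($ver.Name)\Outlook\WebView"
        if (Test-Path -Path $webView) {
            foreach ($folder in (Get-ChildItem -Path $webView)) {
                $url = (Get-ItemProperty -Path "Registry::$($folder.Name)" -Name 'URL' -ErrorAction SilentlyContinue).URL
                if ($url) {
                    $findings += [pscustomobject]@{
                        Sid = $hive.PSChildName; Office = $ver.PSChildName
                        Location = "WebView\$($folder.PSChildName)"; Value = $url
                    }
                }
            }
        }
        # Default location where Specula stores its per-agent encryption key (value name KEY).
        $userInfo = "Registry::$($ver.Name)\Outlook\UserInfo"
        $key = (Get-ItemProperty -Path $userInfo -Name 'KEY' -ErrorAction SilentlyContinue).KEY
        if ($key) {
            $findings += [pscustomobject]@{
                Sid = $hive.PSChildName; Office = $ver.PSChildName; Location = 'UserInfo\KEY'; Value = $key
            }
        }
    }
}

if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize }
else { 'No Outlook WebView URL or UserInfo KEY values found in loaded user hives.' }
```

Only hives of currently logged-on users are mounted under HKEY_USERS, so run this at logon or load the NTUSER.DAT of other profiles separately to cover them.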