DanderSpritz: How the Equation Group's 2013 tools still pwn in 2017

Francisco Donoso
September 22, 2017

Everyone has focused on the Equation Group's "weapons grade" exploits, but no one has focused on their extremely effective post exploitation capabilities.

In this talk I will cover the tools, methods, and capabilities built into the DanderSpritz post exploitation framework. We will review how the Equation Group gained and maintained persistence, bypassed auditing and AV, scanned, sampled, subdued, and successfully dominated an entire organization ninja-style.

We'll dig into the technical details of how the framework gains persistence, performs key logging, captures traffic and screenshots, steals credentials, gathers target information, owns AV and WSUS servers, exfiltrates secrets, and causes general mayhem.

Transcript

  1. • RUN AN ARCHITECTURE TEAM AT A SWISS SECURITY COMPANY • ARCHITECT • SECURITY ENGINEER • CONSULTANT • SECURITY ANALYST
  2. • RESEARCHERS FOCUSED ON EXPLOITS • WANTED TO KNOW MORE ABOUT “APT” POST EXPLOITATION • ENCOURAGE OTHERS TO RESEARCH & REVERSE • WANTED A TECHNICAL SIDE PROJECT
  3. • QUICK HISTORY OF THE FRAMEWORK(S) • GETTING TO POST-EXPLOITATION • INTRO TO DANDERSPRITZ • INFO COLLECTED ON CONNECTION • TRADECRAFT • PERSISTENCE • RECON • LATERAL MOVEMENT • DATA EXFIL
  4. • FREAKING COOL • A FULLY FUNCTIONAL POST-EXPLOITATION FRAMEWORK • WRITTEN IN JAVA :( • EXTREMELY MODULAR • PLUGINS / FEATURES WRITTEN IN PYTHON / CUSTOM SCRIPTING :) • DESIGNED FOR STEALTH • DESIGNED TO PREVENT DUMB OPERATORS FROM MESSING IT UP
  5. • OP = OPERATION • TARGET = ATTACKED COMPUTER(S) • LP = LISTENING POST (C&C) • PLUGIN = FUNCTIONALITY • COMMAND = SOMETHING RUNNING ON TARGET • PSP = PERSONAL PROTECTION PRODUCT (AV) • SAFETY HANDLER = DON’T MESS IT UP
  6. • REPOSITORY FOR DANDERSPRITZ SESSION DATA ACROSS ALL TARGETS • UNIQUE PRIVATE / PUBLIC KEY PAIR PER OP • DANDERSPRITZ CORRELATES DATA ACROSS TARGETS IN SAME OP • SAFETY HANDLERS CAN BE REGISTERED PER OP (MORE ON THIS LATER) • OPS CAN BE REPLAYED - TRAINING? • PROPERLY FORMATTED OPS NOTES GENERATE “TECH SUMMARIES”
  7. • OPERATING SYSTEM INFO • NETWORK INFO • MOUNTED DRIVES • CURRENT PROCS • DRIVERS • INSTALLED SOFTWARE • SERVICES • PSPS • PERSISTENCE • AUDIT CONFIG • SCHEDULED TASKS • RECENTLY MODIFIED FILES • RECENT USB DEVICES • DUMPS PASSWORDS
  8. • GREATERDOCTOR • CAN SCAN MEMORY & PROCESSES • CAN PARSE FILES • CAN GRAB MEMORY FOR FORENSICS LATER • GANGSTERTHIEF • READS RAW MFT FOR ANALYSIS
  9. • PREVENT OPERATOR OR AUTOMATED SCRIPTS FROM PERFORMING CERTAIN ACTIONS • MEANT TO REDUCE POSSIBILITY OF DETECTION • LOTS OF DIFFERENT TYPES OF SAFETY HANDLERS
  10. • AUDIT • REGISTRY ADD & QUERY • PROCESS INJECTION • MEMORY • NETWORK TRAFFIC • PREVENT DROPPING OF EXES • PREVENT DLL LOADS • …MORE
  11. • DON’T SLOW DOWN THE MACHINE • DON’T SEND OUT A TON OF NETWORK TRAFFIC • HAVE THINGS CHANGED SINCE YOU LAST VISITED? • DID THEY GET SUSPICIOUS FOR SOME REASON? • TRY NOT TO DROP EXES • MAKE SURE THEY LOOK LEGIT • MATCH FILE TIMES WITH LEGIT EXES • ENCRYPT EVERYTHING • STAY ON A TARGET FOR AS LITTLE TIME AS POSSIBLE
  12. • CAN LISTEN • AT SPECIFIC TIMES • CAN REQUIRE PORT KNOCKING (YES REALLY...) • CAN CALL BACK • AT SPECIFIC TIMES • WORKS WITH A PROXY
  13. • EXTREMELY MODULAR • CAN LOAD SEVERAL DIFFERENT “PLUGINS” • USED BY OTHER SYSTEMS SUCH AS KEYLOGGERS • EVERYTHING ENCRYPTED WITH UNIQUE KEY PER TARGET
  14. • MODIFIES MBR TO LOAD KERNEL DRIVER • USES TRUETYPE FONT FILES AS “CONTAINERS” FOR DRIVER • DOESN’T WORK WITH BITLOCKER OR EFI
  15. • BROWSER DATA (IE, FF, CHROME) • RECENTLY PLAYED MEDIA • USB DEVICES • RECENTLY RUN COMMANDS • DNS CACHE • RECENT RDP SESSIONS • RECENTLY ACCESSED FILES • PUTTY / WINSCP CREDS • PERIODIC SCREENSHOTS • SHARES • PCAPS • KEYLOGGER DATA
  16. • LIST DBS • VIEW SCHEMAS • TOP 10 ROWS FROM TABLES • QUERY PLANS
  17. 1. USE CREDENTIALS GATHERED FROM RECON PHASE 2. MOUNT ADMIN SHARE & PUSH CONFIGURED PEDDLECHEAP EXE 3. SCHEDULE TASK TO RUN EXE 4. PROFIT
  18. 1. MOUNT ADMIN SHARE & PUSH CONFIGURED PEDDLECHEAP EXE 2. USE WMI REMOTE EXEC TO RUN EXE 3. PROFIT
  19. 1. USE “PACKETREDIRECT” COMMAND 2. CONFIGURE FUZZBUNCH WITH IMPLANTED TARGET AS A REDIRECTOR 3. SMB / NAMED PIPE TOUCH (TELLS YOU WHICH EXPLOIT TO USE) 4. EXPLOIT 5. DOUBLEPULSAR LOADS PEDDLECHEAP 6. PROFIT
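The two lateral-movement sequences on slides 17 and 18 (admin share write, then a scheduled task or a WMI-spawned process on the same host) leave a correlatable footprint in the Windows Security log. The following is an added example, not from the talk or the framework, that correlates constructed sample records: it assumes event 5145 (share access), 4698 (scheduled task created) and 4688 (process created, with a parent process field where the log provides one), and the field names and sample values are made up for the demonstration.

```python
# Added example: correlate admin-share access with follow-on execution on
# the same host. Event IDs are standard Windows Security-log IDs; field
# names (ts, host, share, src, parent) and all sample values are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_SHARES = {"ADMIN$", "C$"}
WINDOW = timedelta(minutes=5)

# Constructed sample events, not real logs.
SAMPLE_EVENTS = [
    {"ts": "2017-09-22T10:00:05", "host": "WS01", "id": 5145, "share": "ADMIN$", "src": "10.0.0.7"},
    {"ts": "2017-09-22T10:00:40", "host": "WS01", "id": 4698, "task": "UpdateCheck"},
    {"ts": "2017-09-22T10:02:00", "host": "FS02", "id": 5145, "share": "C$", "src": "10.0.0.7"},
    {"ts": "2017-09-22T10:02:30", "host": "FS02", "id": 4688, "parent": "WmiPrvSE.exe", "image": "svchost.exe"},
    {"ts": "2017-09-22T11:30:00", "host": "WS03", "id": 5145, "share": "ADMIN$", "src": "10.0.0.9"},
    {"ts": "2017-09-22T13:00:00", "host": "WS03", "id": 4698, "task": "Backup"},  # too late: no alert
]

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

def correlate(events, window=WINDOW):
    """Return (host, source_ip, pattern) tuples for every admin-share access
    followed on the same host within `window` by a scheduled-task creation
    (slide 17) or a process whose parent is WmiPrvSE.exe, the WMI provider
    host (slide 18)."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: _parse(e["ts"]))
        for i, e in enumerate(evs):
            if e["id"] != 5145 or e.get("share") not in ADMIN_SHARES:
                continue
            t0 = _parse(e["ts"])
            for f in evs[i + 1:]:
                if _parse(f["ts"]) - t0 > window:
                    break  # events are sorted, so nothing later can match
                if f["id"] == 4698:
                    alerts.append((host, e["src"], "admin share + scheduled task"))
                elif f["id"] == 4688 and f.get("parent", "").lower() == "wmiprvse.exe":
                    alerts.append((host, e["src"], "admin share + WMI remote exec"))
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Legitimate administration (patching, software deployment) produces the same pairs, so in practice the source IP is checked against known management hosts before alerting.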
  20. • INTRO TO DANDERSPRITZ & A LOOK AT WHY IT’S SO DAMN COOL • BRIEF LOOK AT EQUATION GROUP TRADECRAFT • BRIEF LOOK AT PERSISTENCE METHODS • LOOK AT RECON CAPABILITIES • DATA EXFIL