Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DanderSpritz: How the Equation Group's 2013 too...

Francisco Donoso
September 22, 2017

DanderSpritz: How the Equation Group's 2013 tools still pwn in 2017

Everyone has focused on the Equation Group's "weapons grade" exploits but no one has focused on their extremely effective post exploitation capabilities.

In this talk I will cover the tools, methods, and capabilities built into the DanderSpritz post exploitation framework. We will review how the Equation Group gained and maintained persistence, bypassed auditing and AV, scan, sampled, subdued, and successfully dominated an entire organization ninja-style.

We'll dig into the technical details of how the framework gains persistence, performs key logging, captures traffic and screenshots, steals credentials, gathers target information, owns AV and WSUS servers, exfiltrates secrets, and causes general mayhem.

Francisco Donoso

September 22, 2017
Tweet

More Decks by Francisco Donoso

Other Decks in Research

Transcript

  1. • RUN AN ARCHITECTURE TEAM AT A SWISS SECURITY COMPANY

    • ARCHITECT • SECURITY ENGINEER • CONSULTANT • SECURITY ANALYST
  2. • RESEARCHERS FOCUSED ON EXPLOITS • WANTED TO KNOW MORE

    ABOUT “APT” POST EXPLOITATION • ENCOURAGE OTHERS TO RESEARCH & REVERSE • WANTED A TECHNICAL SIDE PROJECT
  3. • QUICK HISTORY OF THE FRAMEWORK(S) • GETTING TO POST-EXPLOITATION

    • INTRO TO DANDERSPRITZ • INFO COLLECTED ON CONNECTION • TRADECRAFT • PERSISTENCE • RECON • LATERAL MOVEMENT • DATA EXFIL
  4. • FREAKING COOL • A FULLY FUNCTIONAL POST-EXPLOITATION FRAMEWORK •

    WRITTEN IN JAVA L • EXTREMELY MODULAR • PLUGINS / FEATURES WRITTEN IN PYTHON / CUSTOM SCRIPTING J • DESIGNED FOR STEALTH • DESIGNED TO PREVENT DUMB OPERATORS FROM MESSING IT UP
  5. • OP = OPERATION • TARGET = ATTACKED COMPUTER(S) •

    LP = LISTENING POST (C&C) • PLUGIN = FUNCTIONALITY • COMMAND = SOMETHING RUNNING ON TARGET • PSP = PERSONAL PROTECTION PRODUCT (AV) • SAFETY HANDLER = DON’T MESS IT UP
  6. • REPOSITORY FOR DANDERSPRITZ SESSION DATA ACROSS ALL TARGETS •

    UNIQUE PRIVATE / PUBLIC KEY PAIR PER OP • DANDERSPRITZ CORRELATES DATA ACROSS TARGETS IN SAME OP • SAFETY HANDLERS CAN BE REGISTERED PER OP (MORE ON THIS LATER) • OPS CAN BE REPLAYED - TRAINING? • PROPERLY FORMATTED OPS NOTES GENERATE “TECH SUMMARIES”
  7. • OPERATING SYSTEM INFO • NETWORK INFO • MOUNTED DRIVES

    • CURRENT PROCS • DRIVERS • INSTALLED SOFTWARE • SERVICES • PSPS • PERSISTENCE • AUDIT CONFIG • SCHEDULED TASKS • RECENTLY MODIFIED FILES • RECENT USB DEVICES • DUMPS PASSWORDS
  8. • GREATERDOCTOR • CAN SCAN MEMORY & PROCESSES • CAN

    PARSE FILES • CAN GRAB MEMORY FOR FORENSICS LATER • GANGSTERTHIEF • READS RAW MFT FOR ANALYSIS
  9. • PREVENT OPERATOR OR AUTOMATED SCRIPTS FROM PERFORMING CERTAIN ACTIONS

    • MEANT TO REDUCE POSSIBILITY OF DETECTION • LOTS OF DIFFERENT TYPES OF SAFETY HANDLERS
  10. • AUDIT • REGISTRYADD & QUERY • PROCESS INJECTION •

    MEMORY • NETWORK TRAFFIC • PREVENT DROPPING OF EXES • PREVENT DLL LOADS • …MORE
  11. • DON’T SLOW DOWN THE MACHINE • DON’T SEND OUT

    A TON OF NETWORK TRAFFIC • HAVE THINGS CHANGED SINCE YOU LAST VISITED • DID THEY GET SUSPICIOUS FOR SOME REASON? • TRY NOT TO DROP EXES • MAKE SURE THEY LOOK LEGIT • MATCH FILE TIMES WITH LEGIT EXES • ENCRYPT EVERYTHING • STAY ON A TARGET FOR AS LITTLE TIME AS POSSIBLE
  12. • CAN LISTEN • AT SPECIFIC TIMES • CAN REQUIRE

    PORT KNOCKING (YES REALLY...) • CAN CALL BACK • AT SPECIFIC TIMES • WORKS WITH A PROXY
  13. • EXTREMELY MODULAR • CAN LOAD SEVERAL DIFFERENT ”PLUGINS” •

    USED BY OTHER SYSTEMS SUCH AS KEYLOGGERS • EVERYTHING ENCRYPTED WITH UNIQUE KEY PER TARGET
  14. • MODIFIES MBR TO LOAD KERNEL DRIVER • USES TRUETYPE

    FONT FILES AS “CONTAINERS” FOR DRIVER • DOESN’T WORK WITH BITLOCKER OR EFI
  15. • BROWSER DATA (IE, FF, CHROME) • RECENTLY PLAYED MEDIA

    • USB DEVICES • RECENTLY RUN COMMANDS • DNS CACHE • RECENT RDP SESSIONS • RECENTLY ACCESSED FILES • PUTTY / WINSCP CREDS • PERIODIC SCREENSHOTS • SHARES • PCAPS • KEYLOGGER DATA
  16. • LIST DBS • VIEW SCHEMAS • TOP 10 ROWS

    FROM TABLES • QUERY PLANS
  17. 1. USE CREDENTIALS GATHERED FROM RECON PHASE 2. MOUNT ADMIN

    SHARE & PUSH CONFIGURED PEDDLECHEAP EXE 3. SCHEDULE TASK TO RUN EXE 4. PROFIT
  18. 1. MOUNT ADMIN SHARE & PUSH CONFIGURED PEDDLECHEAP EXE 2.

    USE WMI REMOTE EXEC TO RUN EXE 3. PROFIT
  19. 1. USE “PACKETREDIRECT” COMMAND 2. CONFIGURE FUZZBUNCH WITH IMPLANTED TARGET

    AS A REDIRECTOR 3. SMB / NAMEPIPED TOUCH (TELLS YOU WHICH EXPLOIT TO USE) 4. EXPLOIT 5. DOUBLEPULSAR LOADS PEDDLECHEAP 6. PROFIT
  20. • INTRO TO DANDERSPRITZ & A LOOKED AT WHY IT’S

    SO DAMN COOL • BRIEF LOOK AT EQUATION GROUP TRADECRAFT • BRIEF LOOK AT PERSISTENCE METHODS • LOOK AT RECON CAPABILITIES • DATA EXFIL