[THOTCON 9] DanderSpritz: How the Equation Group's 2013 tools pwn in 2018

These slides were presented at THOTCON 9 on May 4th, 2018.

Everyone has focused on the Equation Group's "weapons grade" exploits but no one has focused on their extremely effective post-exploitation capabilities. In this talk I will cover the tools, methods, and capabilities built into the DanderSpritz post-exploitation framework. We will review how the Equation Group gained and maintained persistence, bypassed auditing and AV, scanned, sampled, subdued, and successfully dominated an entire organization ninja-style. We'll dig into the technical details of how the framework gains persistence, performs key logging, captures traffic and screenshots, steals credentials, gathers target information, owns AV and WSUS servers, exfiltrates secrets, and causes general mayhem.

Francisco Donoso

May 04, 2018

Transcript

  1. • RUN AN ARCHITECTURE TEAM AT $SECURITY_COMPANY • ARCHITECT • SECURITY ENGINEER • CONSULTANT • SECURITY ANALYST
  2. • RESEARCHERS FOCUSED ON EXPLOITS • WANTED TO KNOW MORE ABOUT “APT” POST EXPLOITATION • ENCOURAGE OTHERS TO RESEARCH & REVERSE • THIS WORKED (A LITTLE)! • WANTED A TECHNICAL SIDE PROJECT
  3. • QUICK HISTORY OF THE FRAMEWORK(S) • GETTING TO POST-EXPLOITATION • INTRO TO DANDERSPRITZ • INFO COLLECTED ON CONNECTION • TRADECRAFT • PERSISTENCE • RECON • LATERAL MOVEMENT • DATA EXFIL
  4. • TARGET = ATTACKED COMPUTER(S) • LP = LISTENING POST (C&C SERVER) • COMMAND = SOMETHING RUNNING ON TARGET • PSP = PERSONAL SECURITY PRODUCT (AV) • SAFETY HANDLER = DON’T MESS IT UP
  5. • FREAKING COOL • A FULLY FUNCTIONAL POST-EXPLOITATION FRAMEWORK • WRITTEN IN JAVA :( • EXTREMELY MODULAR • “PLUGINS” (FEATURES) WRITTEN IN PYTHON / CUSTOM SCRIPTING :) • DESIGNED FOR STEALTH • DESIGNED TO PREVENT DUMB OPERATORS FROM MESSING IT UP
  6. • REPOSITORY FOR DANDERSPRITZ SESSION DATA ACROSS ALL TARGETS • UNIQUE PRIVATE / PUBLIC KEY PAIR PER OP • DANDERSPRITZ CORRELATES DATA ACROSS TARGETS IN SAME OP • SAFETY HANDLERS CAN BE REGISTERED PER OP (MORE ON THIS LATER) • OPS CAN BE REPLAYED - TRAINING? • PROPERLY FORMATTED OPS NOTES GENERATE “TECH SUMMARIES”
  7. • OPERATING SYSTEM INFO • NETWORK INFO • MOUNTED DRIVES • CURRENT PROCS • DRIVERS • INSTALLED SOFTWARE • SERVICES • PSPS • PERSISTENCE • AUDIT CONFIG • SCHEDULED TASKS • RECENTLY MODIFIED FILES • RECENT USB DEVICES • DUMPS PASSWORDS
  8. • GREATERDOCTOR • CAN SCAN MEMORY & PROCESSES • CAN PARSE FILES • CAN GRAB MEMORY FOR FORENSICS LATER • CAN BE USED AGAINST DANDERSPRITZ ;) • GANGSTERTHIEF • READS RAW MFT FOR ANALYSIS
  9. • PREVENT OPERATOR OR AUTOMATED SCRIPTS FROM PERFORMING CERTAIN ACTIONS • MEANT TO REDUCE POSSIBILITY OF DETECTION • LOTS OF DIFFERENT TYPES OF SAFETY HANDLERS
  10. • AUDIT • REGISTRY ADD & QUERY • PROCESS INJECTION • MEMORY • NETWORK TRAFFIC • PREVENT DROPPING OF EXES • PREVENT DLL LOADS • …MORE
  11. • DON’T SLOW DOWN THE MACHINE • DON’T SEND OUT A TON OF NETWORK TRAFFIC • HAVE THINGS CHANGED SINCE YOU LAST VISITED? • DID THEY GET SUSPICIOUS FOR SOME REASON? • TRY NOT TO DROP EXES • MAKE SURE THEY LOOK LEGIT • MATCH FILE TIMES WITH LEGIT EXES • ENCRYPT EVERYTHING • STAY ON A TARGET FOR AS LITTLE TIME AS POSSIBLE
  12. • CAN LISTEN • AT SPECIFIC TIMES • CAN REQUIRE PORT KNOCKING (YES REALLY...) • CAN CALL BACK • AT SPECIFIC TIMES • WORKS WITH A PROXY
  13. • EXTREMELY MODULAR • CAN LOAD SEVERAL DIFFERENT “PLUGINS” • USED BY A LOT OF DIFFERENT TOOLS (DATA EXFIL, CAPTURE, ETC) • EVERYTHING ENCRYPTED WITH UNIQUE KEY PER TARGET • HINT: PEOPLE SHOULD BE LOOKING HERE ;)
  14. • MODIFIES VBR TO LOAD KERNEL DRIVER • USES TRUETYPE FONT FILES AS “CONTAINERS” FOR KERNEL DRIVER • DOESN’T WORK WITH BITLOCKER OR EFI
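The slide above says the VBR-based persistence does not work on hosts that boot via EFI or have BitLocker enabled, which gives a defender a concrete per-host check. The script below is an added example (not part of the talk or of the DanderSpritz tooling): it reports firmware type, Secure Boot state and BitLocker status of the OS volume, and flags a host as exposed when it still boots through a legacy VBR and the system drive is unprotected. The function name and the "exposed" logic are this example's own; the cmdlets and environment variable are standard on Windows 8 / Server 2012 and later and need an elevated shell.

```powershell
# Added example: check the two conditions the slide names (EFI boot, BitLocker) on the local host.
# Run elevated. Function name and output shape are this example's own, not the talk's.

function Get-VbrPersistenceExposure {
    [CmdletBinding()]
    param()

    # Windows sets $env:firmware_type to 'UEFI' or 'Legacy'. Legacy (BIOS) boot means the OS
    # is loaded through the MBR/VBR chain that the implant modifies.
    $firmware = $env:firmware_type
    $uefi = ($firmware -eq 'UEFI')

    # Secure Boot exists only on UEFI; Confirm-SecureBootUEFI throws on BIOS machines,
    # so an exception is treated as "not enabled".
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { $secureBoot = $false }

    # BitLocker status of the OS volume. Get-BitLockerVolume needs the BitLocker module
    # (client SKUs with BitLocker, or servers with the feature installed).
    $bitlocker = 'Unknown'
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $bitlocker = [string]$vol.ProtectionStatus   # 'On' or 'Off'
    } catch { $bitlocker = 'NotAvailable' }

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        FirmwareType            = $firmware
        SecureBoot              = $secureBoot
        BitLockerOsVolume       = $bitlocker
        # Exposed = the exact configuration the slide says the persistence supports:
        # legacy VBR boot and no BitLocker on the system drive.
        ExposedToVbrPersistence = (-not $uefi) -and ($bitlocker -ne 'On')
    }
}

Get-VbrPersistenceExposure | Format-List
```

A host reported as not exposed is only protected against this one boot-time mechanism; the framework's other persistence and injection options on slides 10 and 13 are unaffected by the boot configuration.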
  15. • BROWSER DATA (IE, FF, CHROME) • RECENTLY PLAYED MEDIA • USB DEVICES • RECENTLY RUN COMMANDS • DNS CACHE • RECENT RDP SESSIONS • RECENTLY ACCESSED FILES • PUTTY / WINSCP CREDS • PERIODIC SCREENSHOTS • SHARES • PCAPS • KEYLOGGER DATA
  16. • LIST DBS • VIEW SCHEMAS • TOP 10 ROWS FROM TABLES • QUERY PLANS
  17. 1. USE CREDENTIALS GATHERED FROM RECON PHASE 2. MOUNT ADMIN SHARE & PUSH CONFIGURED PEDDLECHEAP EXE 3. SCHEDULE TASK TO RUN EXE 4. PROFIT
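The four steps above leave a recognisable trail in the Windows Security log: a network logon (4624, logon type 3), an access to an administrative share (5140, requires the "Audit File Share" subcategory) and, shortly after, a scheduled task creation (4698, requires "Audit Other Object Access Events"). The script below is an added example, not the talk's material: it correlates admin-share access with a task creation by the same account within a short window and pulls the command the task runs out of its XML. The flat property names (Id, TimeCreated, User, IpAddress, ShareName, TaskName, TaskContent) are this example's own simplification of the event fields, and the four sample events at the bottom are constructed, not captured.

```powershell
# Added example: hunt for "admin-share push followed by scheduled task" in Security events.
# Property names are a simplified flattening of the real event XML; sample events are constructed.

function Find-AdminSharePushThenTask {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowMinutes = 10
    )
    # 5140 ShareName looks like \\*\ADMIN$ or \\*\C$ ; only administrative shares are of interest.
    $shareHits = $Events | Where-Object { $_.Id -eq 5140 -and $_.ShareName -match '^\\\\\*\\(ADMIN|[A-Za-z])\$$' }
    $tasks     = $Events | Where-Object { $_.Id -eq 4698 }

    foreach ($s in $shareHits) {
        foreach ($t in $tasks) {
            $delta = ($t.TimeCreated - $s.TimeCreated).TotalMinutes
            # 4698 carries no source IP, and the SMB and RPC sessions typically get different
            # Logon IDs, so correlation is on account name plus time window; the IP comes from 5140.
            if ($t.User -eq $s.User -and $delta -ge 0 -and $delta -le $WindowMinutes) {
                $cmd = '(unparsed)'
                try { $cmd = ([xml]$t.TaskContent).Task.Actions.Exec.Command } catch { }
                [pscustomobject]@{
                    User           = $s.User
                    SourceIp       = $s.IpAddress
                    Share          = $s.ShareName
                    TaskName       = $t.TaskName
                    Command        = $cmd
                    SecondsBetween = [int]($t.TimeCreated - $s.TimeCreated).TotalSeconds
                }
            }
        }
    }
}

# Constructed sample: a task whose action points at a freshly dropped binary.
$taskXml = @'
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\Temp\svchost.exe</Command>
    </Exec>
  </Actions>
</Task>
'@

$t0 = Get-Date '2018-05-04T10:00:00'
$sample = @(
    [pscustomobject]@{ Id = 4624; TimeCreated = $t0;                User = 'svc_backup'; IpAddress = '10.0.0.25'; LogonType = 3 }
    [pscustomobject]@{ Id = 5140; TimeCreated = $t0.AddSeconds(2);  User = 'svc_backup'; IpAddress = '10.0.0.25'; ShareName = '\\*\ADMIN$' }
    [pscustomobject]@{ Id = 4698; TimeCreated = $t0.AddSeconds(40); User = 'svc_backup'; TaskName = '\Microsoft\Windows\Update'; TaskContent = $taskXml }
    [pscustomobject]@{ Id = 5140; TimeCreated = $t0.AddMinutes(30); User = 'jdoe';       IpAddress = '10.0.0.40'; ShareName = '\\*\Public' }  # benign share, no task follows
)

# Expected: one hit for svc_backup from 10.0.0.25, task running C:\Windows\Temp\svchost.exe, 38 s apart.
Find-AdminSharePushThenTask -Events $sample | Format-Table -AutoSize
```

Against a live host, replace the constructed array with Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5140,4698} and map the event XML into the same property names. Enabling "Detailed File Share" (5145) additionally records the file name written to the share, which lets you tie the task's Command directly to the pushed executable.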
  18. 1. USE “PACKETREDIRECT” COMMAND 2. CONFIGURE FUZZBUNCH WITH IMPLANTED TARGET AS A REDIRECTOR 3. SMB / NAMED PIPE TOUCH (TELLS YOU WHICH EXPLOIT TO USE) 4. EXPLOIT 5. DOUBLEPULSAR LOADS PEDDLECHEAP 6. PROFIT
  19. • Block Office apps from creating executable content • Block Office apps from launching child processes • Block Office apps from injecting into other processes • Block Win32 imports from macro code in Office • Block malicious JavaScript, VBScript, and PowerShell code that has been obfuscated • Block JavaScript and VBScript from executing payloads downloaded from the internet
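The six items on the slide are Windows Defender Attack Surface Reduction (ASR) rules, each identified by a fixed GUID. The script below is an added example (not part of the talk): it enables those six rules through Add-MpPreference and reads back the current state with Get-MpPreference. It is this example's choice to default to AuditMode, so that rule hits show up as event ID 1122 in the Microsoft-Windows-Windows Defender/Operational log before anything is blocked (1121 is the block-mode event). The function names are this example's own; it requires Windows 10 1709 / Server 2019 or later with Microsoft Defender Antivirus active, and an elevated shell.

```powershell
# Added example: configure the six ASR rules from the slide. Function names are this example's own.
# Run elevated on Windows 10 1709+ / Server 2019+ with Microsoft Defender AV as the active engine.

$asrRules = [ordered]@{
    'Block Office apps from creating executable content'              = '3B576869-A4EC-4529-8536-B80A7769E899'
    'Block all Office apps from creating child processes'             = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block Office apps from injecting code into other processes'      = '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84'
    'Block Win32 API calls from Office macros'                        = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
    'Block execution of potentially obfuscated scripts'               = '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'
    'Block JavaScript/VBScript from launching downloaded executables'  = 'D3E037E1-3EB8-44C8-A917-57927947596D'
}

function Set-TalkAsrRules {
    # AuditMode first: rule hits are logged (event 1122) without blocking, so line-of-business
    # Office macros and scripts can be exempted before flipping to Enabled.
    param([ValidateSet('AuditMode', 'Enabled', 'Disabled')] [string] $Mode = 'AuditMode')
    foreach ($name in $asrRules.Keys) {
        $id = $asrRules[$name]
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
        [pscustomobject]@{ Rule = $name; Id = $id; Requested = $Mode }
    }
}

function Get-TalkAsrRuleState {
    # Get-MpPreference returns parallel arrays of rule GUIDs and numeric actions.
    $actionNames = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'; 6 = 'Warn' }
    $pref   = Get-MpPreference
    $ids    = @($pref.AttackSurfaceReductionRules_Ids)
    $states = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($name in $asrRules.Keys) {
        $idx = [array]::IndexOf($ids, $asrRules[$name])
        $state = if ($idx -ge 0) { $actionNames[[int]$states[$idx]] } else { 'NotConfigured' }
        [pscustomobject]@{ Rule = $name; Id = $asrRules[$name]; State = $state }
    }
}

Set-TalkAsrRules -Mode AuditMode | Format-Table -AutoSize
Get-TalkAsrRuleState            | Format-Table -AutoSize
```

Add-MpPreference appends to the existing rule list rather than replacing it, so running this on a host that already has other ASR rules configured leaves those untouched. Exclusions for known-good paths go through -AttackSurfaceReductionOnlyExclusions on the same cmdlet.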
  20. • INTRO TO DANDERSPRITZ & A LOOK AT WHY IT’S SO DAMN COOL • BRIEF LOOK AT EQUATION GROUP TRADECRAFT • BRIEF LOOK AT PERSISTENCE METHODS • LOOK AT RECON CAPABILITIES • LATERAL MOVEMENT & DATA EXFIL • DEFENSE STRATEGIES