DanderSpritz Docs

Documentation about the Equation Group's DanderSpritz post-exploitation framework

View project on GitHub

DanderSpritz documentation

The goal of this project is to document the different capabilities and functionality of the DanderSpirtz post-exploitation framework by examining the contents of the “resources” folder included in the ShadowBrokers leak and doing live testing of the framework on lab systems.

Note: This is a documentation project that does not contain all of the FuzzBunch code, exploits, binaries, etc. The repository only contains the files found in the Windows/Resources/ directory included in the leak.

If you’re interested in viewing the entire contents of the leak use this repo including the files and data necessary to use the framework, please use this repo:

EQGRP Lost in Translation.

Disclaimer: This project is intended to be used by information security researchers who are interested in understanding the capabilities of frameworks used by real-life nation state adversaries. I am not responsible if you choose to use my work or this documentation to do something dumb and illegal.

What is DanderSpritz?

DanderSpritz is a modular, stealthy, and fully functional framework for post-exploitation activities on Windows and Linux hosts. The framework contains tools to bypass anti-virus & security tools, disable and delete Windows event logs, establish persistence, perform local and network reconnaissance, move laterally within a network, and exfiltrate data.

DanderSpritz was leaked by The Shadow Brokers on April 14th, 2017 as part of the “Lost in Translation” leak.

Framework Documentation

Blog Posts

Presentation

A PDF of my presentation about DanderSpritz at Derbycon 7.0 is available here

A recording of my presentation about DanderSpritz at Derbycon 7.0 is coming soon