DanderSpritz Docs

Documentation about the Equation Group's DanderSpritz post-exploitation framework


DanderSpritz Persistence Methods

This content is still under construction

DanderSpritz has several built-in tools for establishing persistence for tools (such as keyloggers) and implants (such as PeddleCheap). This page covers the types of persistence capabilities that exist within the tool and how to leverage them.

Implant Persistence

Using the pc_prep command, the operator can begin persistently installing a configured PeddleCheap payload on the target machine. The PeddleCheap installer will prompt the operator for several pieces of information including:

  • Should PeddleCheap listen or call back?
  • Should PeddleCheap only listen or call back at specific times?
  • Should PeddleCheap use the standard listening or callback ports?
  • Which private / public keypair should be used for C&C communication?
  • Should PeddleCheap enable its “quick deletion” functionality?

PeddleCheap persistence methods

AppCompat

WinSockHelper

KillSuit

KillSuit

KillSuit Persistence Methods

Driver

SolarTime (SOTI)

JustVisiting (JUVI)


DanderSpritz_docs is maintained by francisck.
