DanderSpritz Terms & Code Names
The goal of this project is to document the capabilities and functionality of the DanderSpritz post-exploitation framework by examining the contents of the "Resources" folder included in the ShadowBrokers leak and by live-testing the framework against lab systems.
Note: This is a documentation project that does not contain all of the FuzzBunch code, exploits, binaries, etc. The repository only contains the files found in the Windows/Resources/ directory included in the leak.
If you're interested in viewing the entire contents of the leak, including the files and data necessary to actually use the framework, please use this repo:
Terms
Term | Description |
---|---|
Target | The machine to which DanderSpritz is connected |
Operation | A collection of target data. Targets from the same organization should be grouped into the same operation |
Listening Post (LP) | The command & control (C&C) server that the target calls back to, or that connects in to the target. The machine running DanderSpritz is the "LP" |
Plugin | Functionality provided by a command, a Python script, or a "DSS" script |
Command | A task issued to the target via DanderSpritz |
Personal Security Product (PSP) | Anti-virus or another security product running on the target machine |
Safety Handler | Designed to block certain actions or commands in order to avoid detection by PSPs, by logging, or by the user |
Code Names
Shortname | Code Name | Description |
---|---|---|
DSky | DarkSkyline | Packet capture tool |
DaPu | DarkPulsar | Appears to be a legacy implant, similar to PeddleCheap but older |
DeMI | DecibelMinute | Appears to interact with KillSuit to install, configure, and uninstall it |
Df | DoubleFeature | Generates a log and report about the types of tools that could be deployed on the target. Many tools' notes state that DoubleFeature is the only way to confirm their existence on a target |
DmGZ | DoormanGauze | Kernel-level network driver that appears to bypass the standard Windows TCP/IP stack |
Dsz | DanderSpritz | DanderSpritz-specific files, such as command descriptions (in XML) and several scripts with DSS / DSI extensions (Debug script interface?). They appear to be scripts run by DanderSpritz itself |
Ep | ExpandingPulley | Listening Post developed in 2001 and abandoned in 2008. Predecessor to DanderSpritz |
FlAv | FlewAvenue | Appears to be related to DoormanGauze (based on FlAv/scripts/_FlewAvenue.txt) |
GRDO | GreaterDoctor | Appears to parse and post-process output from GreaterSurgeon (based on GRDO/Tools/i386/GreaterSurgeon_postProcess.py and analyzeMFT.py) |
GROK | ?? | Appears to be a keylogger (based on Ops/PyScripts/overseer/plugins/keylogger.py) |
GRcl | ?? | Appears to dump the memory of a specific process (based on GRcl/Commands/CommandLine/ProcessMemory_Command.xml) |
GaTh | GangsterThief | Appears to parse data gathered by GreaterDoctor to identify other (malicious) software that may be persistently installed (based on GaTh/Commands/CommandLine/GrDo_ProcessScanner_Command.xml) |
GeZu | GreaterSurgeon | Appears to dump kernel memory (based on GeZu/Commands/CommandLine/GeZu_KernelMemory_Command.xml) |
Pfree | PassFreely | Oracle implant that bypasses authentication for Oracle databases |
PaCU | PaperCut | Allows you to perform operations on file handles opened by other processes |
Pc | PeddleCheap | The main implant (loaded via DoublePulsar or another backdoor) that communicates with the C2 (DanderSpritz) and performs the tasked actions |
ScRe | ?? | Interacts with SQL databases (based on ScRe/Commands/CommandLine/Sql_Command.xml) |
StLa | StrangeLand | Keylogger (based on StLa/Tools/i386-winnt/strangeland.xsl) |
TeDi | TerritorialDispute | Appears to be a script that determines what other (malicious) software may be persistently installed (based on TeDi/PyScripts/sigs.py) |
UtBu | UtilityBurst | Appears to be a persistence mechanism via a driver install, though this is unconfirmed (based on UtBu/Scripts/Include/_UtilityBurstFunctions.dsi) |
ZBng | ZippyBang | On a quick look, appears to be the NSA's equivalent of Mimikatz: it can duplicate tokens (Kerberos tokens?), "remote execute commands", and log on as other users (based on the files in ZBng/Commands/CommandLine) |
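Most of the descriptions above were inferred from file names under each tool's folder rather than from the file contents. The script below is an added example (not part of DanderSpritz_docs or the leak) that automates that first pass: it walks a Resources-style tree, groups files by tool shortname and by kind (`*_Command.xml` command definitions, Python scripts, `.dsi`/`.dss` scripts, everything else), and lists the command names each tool exposes. It assumes only the layout visible in the table: one top-level folder per shortname, with `Commands/CommandLine/`, `PyScripts/`, `Scripts/`, and `Tools/` subfolders. The sample tree it builds is constructed from the paths cited in the table so it runs offline; `inventory()` can be pointed at the real Windows/Resources directory instead.

```python
"""Inventory a leaked Resources/ tree by tool shortname and file kind.

Added example for the DanderSpritz_docs code-name table; not project code.
Assumption: files live under <shortname>/<category>/.../<file>, as in the
paths quoted in the table. File contents are never read, only names.
"""
import os
import tempfile
from collections import defaultdict

# Constructed sample: the paths the code-name table cites, nothing more.
SAMPLE_PATHS = [
    "FlAv/scripts/_FlewAvenue.txt",
    "GRDO/Tools/i386/GreaterSurgeon_postProcess.py",
    "GRDO/Tools/i386/analyzeMFT.py",
    "GRcl/Commands/CommandLine/ProcessMemory_Command.xml",
    "GaTh/Commands/CommandLine/GrDo_ProcessScanner_Command.xml",
    "GeZu/Commands/CommandLine/GeZu_KernelMemory_Command.xml",
    "ScRe/Commands/CommandLine/Sql_Command.xml",
    "StLa/Tools/i386-winnt/strangeland.xsl",
    "TeDi/PyScripts/sigs.py",
    "UtBu/Scripts/Include/_UtilityBurstFunctions.dsi",
]

# Shortname -> code name, taken from the table; unresolved names stay "??".
CODE_NAMES = {
    "FlAv": "FlewAvenue", "GRDO": "GreaterDoctor", "GRcl": "??",
    "GaTh": "GangsterThief", "GeZu": "GreaterSurgeon", "ScRe": "??",
    "StLa": "StrangeLand", "TeDi": "TerritorialDispute", "UtBu": "UtilityBurst",
}

COMMAND_SUFFIX = "_Command.xml"


def build_sample_tree(root):
    """Create empty files for SAMPLE_PATHS under root (layout only)."""
    for rel in SAMPLE_PATHS:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w"):
            pass  # contents are irrelevant to the inventory
    return root


def classify(rel_path):
    """Map a path relative to Resources/ to (shortname, kind)."""
    parts = rel_path.split("/")
    shortname, filename = parts[0], parts[-1]
    if filename.endswith(COMMAND_SUFFIX):
        kind = "command"
    elif filename.endswith(".py"):
        kind = "python"
    elif filename.endswith((".dsi", ".dss")):
        kind = "dss-script"
    else:
        kind = "other"
    return shortname, kind


def inventory(root):
    """Return {shortname: {kind: sorted file names}} for a Resources tree."""
    found = defaultdict(lambda: defaultdict(list))
    for dirpath, _, files in os.walk(root):
        for fn in files:
            rel = os.path.relpath(os.path.join(dirpath, fn), root)
            shortname, kind = classify(rel.replace(os.sep, "/"))
            found[shortname][kind].append(fn)
    return {s: {k: sorted(v) for k, v in kinds.items()} for s, kinds in found.items()}


def command_names(inv, shortname):
    """Command names a tool exposes, i.e. file names minus _Command.xml."""
    files = inv.get(shortname, {}).get("command", [])
    return [f[: -len(COMMAND_SUFFIX)] for f in files]


def run_sample():
    """Build the constructed tree in a temp dir and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        return inventory(build_sample_tree(tmp))


if __name__ == "__main__":
    inv = run_sample()
    for shortname in sorted(inv):
        kinds = ", ".join(f"{k}={len(v)}" for k, v in sorted(inv[shortname].items()))
        cmds = command_names(inv, shortname)
        print(f"{shortname} ({CODE_NAMES.get(shortname, '??')}): {kinds}"
              + (f"; commands: {', '.join(cmds)}" if cmds else ""))
```

Against the real directory the interesting output is the `command` list per tool: those `_Command.xml` names are the tasks DanderSpritz can issue, which is a better starting point for the "Description" column than guessing from a single file name.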
DanderSpritz_docs is maintained by francisck.