DanderSpritz Docs

Documentation about the Equation Group's DanderSpritz post-exploitation framework

View project on GitHub

Home

DanderSpritz Terms & Code Names

The goal of this project is to document the different capabilities and functionality of the DanderSpirtz post-exploitation framework by examining the contents of the “resources” folder included in the ShadowBrokers leak and doing live testing of the framework on lab systems.

Note: This is a documentation project that does not contain all of the FuzzBunch code, exploits, binaries, etc. The repository only contains the files found in the Windows/Resources/ directory included in the leak.

If you’re interested in viewing the entire contents of the leak use this repo including the files and data necessary to use the framework, please use this repo:

EQGRP Lost in Translation.

Terms

Term Description
Target The machine to which DanderSpritz is connected
Operation A collection of target data. Targets from the same organization should be grouped into the same operation
Listening Post (LP) The command & control (C&C) server to which the target calls back or accepts connections from. The machine that is running DanderSpritz is the “LP”
Plugin Some functionality provided by either a command, a python script, or a “DSS” script
Command A task issued to the target via DanderSpritz
Personal Protection Product (PSP) Anti-virus or a security product running on the target machine
Safety Handler Designed to prevent certain actions or commands in order to avoid detection by PSPs, logging, or by the user

Code Names

Shortname Code Name Description
DSky Darkskyline PacketCapture tool
DaPu DarkPulsar Appears to be a legacy implant, similar to PeddleCheap but older
DeMI DecibelMinute Appears to interact with KillSuit to install, configure, and uninstall it
Df DoubleFeature Generates a log & report about the types of tools that could be deployed on the target. A lot of tools mention that doublefeature is the only way to confirm their existence
DmGZ DoormanGauze DoormanGauze is a kernel level network driver that appears to bypass the standard Windows TCP/IP stack
Dsz DanderSpritz Several DanderSpritz specific files such as command descriptions (in XML), and several scripts with DSS (Debug script interface?) / DSI extensions?. They seem to be scripts run by DanderSpritz
Ep ExpandingPulley Listening Post developed in 2001 and abandoned in 2008. Predecessor to DanderSpritz
FlAv FlewAvenue Appears related to DoormanGauze (based on FlAv/scripts/_FlewAvenue.txt)
GRDO GreaterDoctor Appears to parse / process from GreaterSurgeon (based on GRDO/Tools/i386/GreaterSurgeon_postProcess.py & analyzeMFT.py)
GROK ?? Appears to be a keylogger (based on Ops/PyScripts/overseer/plugins/keylogger.py)
GRcl ?? Appears to dump memory from a specific process (based on GRcl/Commands/CommandLine/ProcessMemory_Command.xml)
GaTh GangsterTheif Appears to parse data gathered by GreaterDoctor to identify other (malicious) software that may be installed persistently (based on GaTh/Commands/CommandLine/GrDo_ProcessScanner_Command.xml)
GeZU GreaterSurgeon Appears to dump memory (based on GeZu/Commands/CommandLine/GeZu_KernelMemory_Command.xml)
Pfree Passfreely Oracle implant that bypasses auth for oracle databases
PaCU PaperCut Allows you to perform operations on file handles opened by other processes
Pc PeddleCheap The main implant (loaded via DoublePulsar or another backdoor) that communicates with the C2 (DanderSpirtz) and performs actions
ScRe ?? Interacts with SQL databases (based on ScRe/Commands/CommandLine/Sql_Command.xml)
StLa Strangeland Keylogger (based on StLa/Tools/i386-winnt/strangeland.xsl)
TeDi TerritorialDispute - Looks like it’s a script to determine what other (malicious) software may be persistently installed (based on TeDi/PyScripts/sigs.py)
Utbu UtilityBurst Appears to be a mechanism for persistence via a driver install unsure (based on UtBu/Scripts/Include/_UtilityBurstFunctions.dsi)
ZBng ZippyBang Looking at this quickly, it appears to be the NSA’s version of Mimikatz. It can duplicate tokens (Kerberos tokens?) and “remote execute commands” as well as logon as users (based on files in ZBng/Commands/CommandLine)

DanderSpritz_docs is maintained by francisck.

This page was generated by GitHub Pages.