DanderSpritz: A case study in Nation State Post-Exploitation Framework Capabilities & Defense Strategies

No ratings

Presented at BSidesDenver 2018 by

Fancisco Donoso

A lot of organizations and independent researchers have dug into The ShadowBroker's leaks and the exploits within them. However, very little research has been done into the bulk of the leak: the post-exploitation tools and frameworks.In this talk I will cover the tools, methods, and capabilities built into the DanderSpritz post exploitation framework. We will review how the Equation Group gained and maintained persistence, bypassed auditing and AV, scanned, sampled, subdued, and successfully dominated an entire organization ninja-style. I will dig into the technical details of how the framework gains persistence, performs key logging, captures traffic and screenshots, steals credentials, gathers target information, owns AV and WSUS servers, exfiltrates secrets, and remains undetected by even the latest security tools.