Francisco J Donoso, Randori Most research into the Shadow Brokers’ leaks of Equation Group tools has focused on the Equation Group's brilliant exploits, but very few researchers concentrated on the extremely effective post exploitation capabilities. This talk expands on my research into the Equation Group's post exploitation tools. My previous research focused on providing a general overview of DanderSpritz, a full-featured post-exploitation toolkit included in the ShadowBroker's "Lost in Translation" leak. This talk provides a deep dive into KillSuit which is the Equation Group's Swiss Army Knife for persistence, information gathering, defense evasion, and data exfiltration in unique and interesting ways. During the talk, we will dissect the capabilities and functionality of the KillSuit framework, a little-known (and somewhat overlooked) component of the much larger DanderSpritz post-exploitation toolkit, leaked by the Shadow Brokers in April 2017. KillSuit is a full featured and versatile framework used by a variety of the Equation Group's tools and implants. KillSuit provides the ability to quietly establish persistence on machines via bootkits and other persistence methods and then allows operators to install persistent modules such as keyloggers, packet capture tools, tools that perform WiFi MITM, and other more information gathering tools. KillSuit also includes support for many plugins that provide interesting ways to silently exfiltrate data - some specifically designed to make data exfiltration across air gapped networks possible - including custom written IPSEC-like protocols and misuse of "disabled" WIFI cards and nearby open networks.

1. KILLSUIT

2. • DEVOPS / SECURITY AT RANDORI
• ARCHITECT
• SECURITY ENGINEER
• CONSULTANT
• SECURITY ANALYST

4. • RESEARCHERS FOCUSED ON EXPLOITS
• WANTED TO KNOW MORE ABOUT “APT” POST EXPLOITATION
• ENCOURAGE OTHERS TO RESEARCH & REVERSE
• THIS HAS WORKED (A LITTLE)!
• WANTED A TECHNICAL SIDE PROJECT

5. • BRIEF OVERVIEW OF DANDERSPRITZ
• QUICK HISTORY OF THE FRAMEWORK(S)
• GETTING TO POST-EXPLOITATION
• KILLSUIT
• PERSISTENCE
• EVASION
• DATA EXFIL
• QUANTUM SHOOTER – MAN ON THE SIDE
• DANDERSPRITZ LAB

6. • FREAKING COOL
• A FULLY FUNCTIONAL POST-EXPLOITATION FRAMEWORK
• WRITTEN IN JAVA 
• EXTREMELY MODULAR
• “PLUGINS” (FEATURES) WRITTEN IN PYTHON / CUSTOM SCRIPTING ☺
• DESIGNED FOR STEALTH
• DESIGNED TO PREVENT DUMB OPERATORS FROM MESSING IT UP

7. Expanding
Pully
DanderSpritz
DanderSpritz
script rewrite
2001 2005 2011

8. Expanding
Pully
DanderSpritz
DanderSpritz
script rewrite
2001
KillSuit
2008

14. • TARGET = ATTACKED COMPUTER(S)
• LP = LISTENING POST (C&C SERVER)
• COMMAND = SOMETHING RUNNING ON TARGET
• PSP = PERSONAL SECURITY PRODUCT (AV)
• SAFETY HANDLER = DON’T MESS IT UP
• IMPLANT = MALICIOUS CODE DEPLOYED ON TARGET

15. GETTING TO POST-EXPLOITATION
Fuzzbunch Exploit DouplePulsar PeddleCheap DanderSpritz

16. WHAT IS KILLSUIT?

20. • EXTREMELY MODULAR PERSISTENCE FRAMEWORK
• MULTIPLE SUPPORTED PERSISTENCE METHODS
• CAN LOAD SEVERAL DIFFERENT ”PLUGINS”
• ENCRYPTION FOR EVERYTHING

21. • INSTANCE = A SPECIFC INSTANCE OF KILLSUIT (MULTIPLE CAN BE
INSTALLED)
• TYPE = A SPECIFIC KISU INSTANCE INTENDED TO SUPPORT PERSISTENCE
FOR A COMPLEX IMPLANT
• LAUNCHER = THE DRIVER EXPLOITED TO RUN KERNEL MODE CODE
• MODULE = SPECIFIC IMPLANT / CODE THAT IS INTENDED TO BE
PERSISTENT
• MODULE STORE = ENCRYPTED VIRTUAL FILE SYSTEM

23. • MODIFIES VBR TO LOAD KERNEL DRIVER
• USES AN ENCRYPTED TRUETYPE FONT FILES AS “CONTAINERS” FOR
KERNEL DRIVER
• PATCHES WINLOAD.EXE & THE FIRST DRIVER LOADED DURING BOOT
TIME

25. • LAUNCHES A “KERNEL MODE ORCHESTRATOR” BY EXPLOITING A
“LAUNCHER” DRIVER
• PROVIDES ABILITY TO RUN *UNSIGNED* KERNEL MODE AND USER
MODE CODE
• BEGINS LAUNCHING IMPLANTS
• INJECTS MALICIOUS USER MODE CODE INTO PROCESSES

27. DEFENSE EVASION

28. • EVERYTHING ENCRYPTED WITH UNIQUE KEY PER TARGET
• VIRTUAL FILE SYSTEM STORED IN REGISTRY
• PROCESS INJECTION FOR USER MODE CODE
• TEMPORARILY CREATE FILES
• TIME STOMPING

30. • PROVIDES COVERT (NON-WINSOCK) NETWORK
ACCESS FOR TOOLS
• FLEWAVENUE = IPV4 DRIVER
• DOORMANGAUZE = IPV6 DRIVER

33. DATA GATHERING

34. • STEALTHY KEYLOGGERS
• PERSISTENCE USING KILLSUIT USING THE “STLA” INSTANCE TYPE
• STORES ENCRYPTED DATA IN VBNARM.DLL (CONFIGURABLE)

35. • FULLY FEATURED PACKET CAPTURE TOOL
• USES BERKLEY PACKET FILTER (BPF) FILTER FORMAT
• INSTALLED ONTO AN EXISTING KILLSUIT INSTANCE
• CAPTURED DATA STORED TO AN ENCRYPTED CONTAINER

37. • DANDERSPRITZ INCLUDES DRIVERS TO INTERACT WITH
SEVERAL DATABASES
• CAN BE INSTALLED PERSISTENTLY WITH KISU
• MSSQL, MYSQL, SQLITE, ORACLE

39. • WIFI MAN IN THE MIDDLE (MITM)
• USES A SEPARATE KILLSUIT INSTANCE WITH IT’S OWN TYPE (MABE)
• INSTALLS DRIVER WITH PACKET INJECTION CAPABILITIES

40. STEALTHY EXFIL

41. STRAITBIZARRE FRIEZERAMP

42. • STRAITBIZARRE = IMPLANT DESIGNED FOR STEALTHY DATA EXFIL
• FRIEZERAMP = CUSTOM NETWORK PROTOCOL
• PROVIDES COVERT & ENCRYPTED NETWORKING CAPABILITIES
• USES ”ADAPTERS” TO INSERT PACKETS INTO RELEVANT TRANSPORT LAYER
• SIMILAR TO IPSEC

44. • DATA EXFIL VIA UN-USED / DISABLED WIFI CARDS
• USED WHEN THE TARGET IS AIR GAPPED
• CAN USE STOLEN CREDENTIALS OR SEND VIA OPEN NETWORKS
• USES A SEPARATE KILLSUIT INSTANCE WITH IT’S OWN TYPE (SOKN)

45. QUANTUM SHOOTER

51. • STRAITBIZARRE SHOOTER REDIRECTS TO FOXACID EXPLOIT
SERVER
• EXPLOIT SERVER DEPLOYS “VALIDATOR”
• VALIDATOR CONFIRMS IF TARGET IS INTERESTING
• UPGRADE TO UNITED RAKE

52. STORY TIME

55. v 0x7a43e1fa in hex

60. •
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•

61. DANDERSPRITZ LAB

62. • FULLY FUNCTIONAL DANDERSPRITZ LAB IN 2 COMMANDS
• PACKER BUILD DANDERSPRITZ_LAB.JSON
• VAGRANT UP

63. • BRIEF OVERVIEW OF DANDERSPRITZ
• FRAMEWORK HISTORY & OVERVIEW
• GETTING TO POST-EXPLOITATION
• SOLARTIME
• KILLSUIT MODULES
• QUANTUM SHOOTER – MAN ON THE SIDE
• DANDERSPRITZ LAB

64. DANDERSPRITZ.COM
@FRANCISCKRS
DANDERSPRITZ_DOCS
DANDERSPRITZ_LAB