francisck / Danderspritz_docs

The goal of this project is to examine, reverse, and document the different modules available in the Equation Group's DanderSpritz post-exploitation framework leaked by the ShadowBrokers


DanderSpritz documentation

The goal of this project is to document the different capabilities and functionality of the DanderSpritz post-exploitation framework / application by examining the contents of the "Resources" folder included in the ShadowBrokers leak and by live testing of the system.

Note: This repository does not contain all of the FuzzBunch code, exploits, binaries, etc. It only contains the files found in the Windows/Resources/ directory included in the leak.

This repository alone is not enough to run DanderSpritz.

If you're interested in viewing the entire contents of the leak use this repo:

EQGRP_Lost_in_Translation

Python bytecode has been decompiled

The original ShadowBrokers leak shipped most of the python scripts only as optimized bytecode (.pyo). To make this reversing / documentation effort easier, the bytecode has been decompiled and the resulting "raw" python source uploaded to this repository.

The original python bytecode files have been left intact alongside the decompiled source.

Resource Codenames and capabilities

The sub-directories of the "Resources" directory contain the different modules that DanderSpritz uses to provide capabilities such as packet capture, memory dumps, etc.

Below are the codenames that correspond to the different modules and their probable capabilities, based on examining the python code, comments, XML, and the available "command" txt files.

| Folder | Code name | Description / functionality |
|---|---|---|
| DSky | DarkSkyline | Packet capture tool |
| DaPu | DarkPulsar | Appears to be a legacy implant, similar to PeddleCheap but older |
| Darkskyline | DarkSkyline | Tools to parse and filter traffic captured by DarkSkyline |
| DeMI | DecibelMinute | Appears to interact with KillSuit to install, configure, and uninstall it |
| Df | DoubleFeature | Generates a log and report about the types of tools that could be deployed on the target. Many tools state that DoubleFeature is the only way to confirm their presence |
| DmGZ | DoormanGauze | Kernel-level network driver that appears to bypass the standard Windows TCP/IP stack |
| Dsz | DanderSpritz | DanderSpritz-specific files such as command descriptions (in XML) and several scripts with .dss (debug script interface?) / .dsi extensions that appear to be run by DanderSpritz |
| Ep | ExpandingPulley | Listening post developed in 2001 and abandoned in 2008; predecessor to DanderSpritz |
| ExternalLibraries | N/A | Self-explanatory from the folder name |
| FlAv | FlewAvenue | Appears related to DoormanGauze (based on FlAv/scripts/_FlewAvenue.txt) |
| GRDO | GreaterDoctor | Appears to parse / post-process output from GreaterSurgeon (based on GRDO/Tools/i386/GreaterSurgeon_postProcess.py and analyzeMFT.py) |
| GROK | ?? | Appears to be a keylogger (based on Ops/PyScripts/overseer/plugins/keylogger.py) |
| GRcl | ?? | Appears to dump memory from a specific process (based on GRcl/Commands/CommandLine/ProcessMemory_Command.xml) |
| GaTh | GangsterThief | Appears to parse data gathered by GreaterDoctor to identify other (malicious) software that may be persistently installed (based on GaTh/Commands/CommandLine/GrDo_ProcessScanner_Command.xml) |
| GeZu | GreaterSurgeon | Appears to dump (kernel) memory (based on GeZu/Commands/CommandLine/GeZu_KernelMemory_Command.xml) |
| Gui | N/A | Resources used by the DanderSpritz GUI |
| LegacyWindowsExploits | N/A | Self-explanatory from the folder name |
| Ops | N/A | A large collection of tools and python / dss scripts used by DanderSpritz; deserves close investigation. Includes tools to gather data from Chrome, Skype and Firefox (ripper) and to gather information about the machine / environment (survey) |
| Pfree | PassFreely | Oracle implant that bypasses authentication for Oracle databases |
| PaCU | PaperCut | Allows operations on file handles opened by other processes |
| Pc | PeddleCheap | The main implant (loaded via DoublePulsar) that performs all of these actions and communicates with the C2 (DanderSpritz) |
| Pc2.2 | PeddleCheap | Resources for PeddleCheap, including different DLLs / configs used to call back to the C2 |
| Python | N/A | Python libraries / resources used by the framework |
| ScRe | ?? | Interacts with SQL databases (based on ScRe/Commands/CommandLine/Sql_Command.xml) |
| StLa | StrangeLand | Keylogger (based on StLa/Tools/i386-winnt/strangeland.xsl) |
| Tasking | N/A | Handles the collection "tasks" that DanderSpritz has requested on the target (collection of windows, network data, etc.) |
| TeDi | TerritorialDispute | A plugin used to determine what other (malicious) software may be persistently installed (based on TeDi/PyScripts/sigs.py). Also appears to identify tooling from other nation-state actors |
| UtBu | UtilityBurst | Appears to be a persistence mechanism via a driver install, though this is uncertain (based on UtBu/Scripts/Include/_UtilityBurstFunctions.dsi) |
| ZBng | ZippyBang | On a quick look, appears to be the NSA's version of Mimikatz: it can duplicate tokens (Kerberos tokens?), "remote execute commands", and log on as users (based on files in ZBng/Commands/CommandLine) |
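The first step of the effort described above (decompiling the .pyo bytecode, then working folder by folder through the "Resources" tree looking at Command XML files, .dsi/.dss scripts and python code) can be automated. The script below is an added example, not code from the Danderspritz_docs project: it walks a directory laid out like the leaked Windows/Resources/ folder, reports per top-level module folder which kinds of evidence it contains, lists the `*_Command.xml` command descriptions found, and reads the 4-byte magic of every .pyo/.pyc so you know which decompiler generation to reach for before running it. The magic table only covers CPython 2.5, 2.6 and 2.7; anything else is reported as "unknown". The sample tree it builds is constructed here for demonstration (the folder and file names copy the ones cited in the table, the file contents are placeholders, not leaked material).

```python
"""Inventory a DanderSpritz-style 'Resources' tree before reversing it.

Added example, not part of the Danderspritz_docs project.  Assumes the
layout of the leaked Windows/Resources/ folder: one sub-directory per
module, with Commands/CommandLine/*_Command.xml, Scripts/*.dsi|*.dss and
PyScripts/*.pyo|*.py underneath.  The sample tree built by
build_sample_tree() is constructed for this demo; contents are placeholders.
"""
import os
import shutil
import struct
import tempfile
from collections import Counter

# CPython 2.x bytecode magic: little-endian 16-bit value followed by b"\r\n".
# A 2.x .pyo/.pyc has an 8-byte header (magic + source mtime) and then the
# marshalled code object.  Values are CPython's MAGIC constants per release.
PY2_MAGIC = {
    62131: "2.5",
    62171: "2.6",
    62211: "2.7",
}

# file extension -> kind of evidence, mirroring the artifact types the
# codename table cites (XML command descriptions, dsi/dss scripts, python)
KINDS = {
    ".pyo": "bytecode", ".pyc": "bytecode", ".py": "python",
    ".xml": "xml", ".dsi": "dsz_script", ".dss": "dsz_script", ".txt": "text",
}


def pyc_version(path):
    """Return the CPython version that produced a .pyo/.pyc, or None if the
    magic is not a known 2.x value (or the file is not bytecode at all)."""
    with open(path, "rb") as fh:
        header = fh.read(4)
    if len(header) < 4 or header[2:4] != b"\r\n":
        return None
    (magic,) = struct.unpack("<H", header[:2])
    return PY2_MAGIC.get(magic)


def inventory(root):
    """Map each top-level module folder under root to: a count of evidence
    kinds, the sorted list of *_Command.xml names, and the sorted set of
    bytecode versions seen ("unknown" for magics outside PY2_MAGIC)."""
    result = {}
    for module in sorted(os.listdir(root)):
        mdir = os.path.join(root, module)
        if not os.path.isdir(mdir):
            continue
        kinds, commands, versions = Counter(), [], set()
        for dirpath, _, files in os.walk(mdir):
            for name in files:
                kind = KINDS.get(os.path.splitext(name)[1].lower(), "other")
                kinds[kind] += 1
                if name.endswith("_Command.xml"):
                    commands.append(name)
                if kind == "bytecode":
                    versions.add(pyc_version(os.path.join(dirpath, name)) or "unknown")
        result[module] = {
            "kinds": dict(kinds),
            "commands": sorted(commands),
            "py_versions": sorted(versions),
        }
    return result


def build_sample_tree(base):
    """Create a small constructed tree shaped like the leak's Resources folder.
    Paths copy names cited in the codename table; contents are placeholders."""
    files = {
        "GRcl/Commands/CommandLine/ProcessMemory_Command.xml": b"<Command/>",
        "GeZu/Commands/CommandLine/GeZu_KernelMemory_Command.xml": b"<Command/>",
        "UtBu/Scripts/Include/_UtilityBurstFunctions.dsi": b"# placeholder dsi\n",
        "Ops/PyScripts/survey.pyo": b"\x03\xf3\r\n" + b"\x00" * 4,  # 2.7 magic + mtime
        "Ops/PyScripts/survey.py": b"# decompiled placeholder\n",
        "Python/site/newer.pyo": b"\x33\x0d\r\n" + b"\x00" * 8,     # not a 2.x magic
    }
    for rel, data in files.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return base


def demo():
    """Build the constructed sample tree in a temp dir, inventory it, clean up."""
    base = tempfile.mkdtemp(prefix="resources_")
    try:
        build_sample_tree(base)
        return inventory(base)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for module, info in demo().items():
        print(module, info)
```

Run it against the real tree by calling `inventory("/path/to/Windows/Resources")` instead of `demo()`; the `py_versions` column tells you whether a folder's bytecode is 2.7 (decompilable with uncompyle6-style tools) or something else that needs a different decompiler, and the `commands` list gives you the XML files to read first for each module.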