
DanderSpritz: A case study in Nation State Post-Exploitation Framework Capabilities & Defense Strategies

BSides KC · 2018 · 16:59 · 155 views · Published 2018-06
About this talk
Francisco Donoso examines DanderSpritz, the Equation Group's leaked post-exploitation framework, exploring the advanced tradecraft, capabilities, and operational security mechanisms that enable nation-state actors to gain persistence, bypass defenses, and dominate enterprise networks. The talk dissects how adversaries move laterally, exfiltrate data, and maintain operational security while introducing defensive detection strategies.
Original YouTube description
This talk will cover the tools, methodologies, and capabilities built into DanderSpritz, the Equation Group's leaked post-exploitation framework. We will review how the Equation Group gained and maintained persistence, bypassed auditing and AV, scanned, sampled, subdued, and successfully dominated an entire organization. We will cover advanced adversary tradecraft and discuss potential methods of detection.
Transcript [en]

Thank you, BSides KC, for this fantastic space; this is one of the best spaces I've ever seen for a defense conference. I'll go ahead and just get started. This talk is about DanderSpritz, which was the leaked post-exploitation framework from the Equation Group. We'll be covering some of the capabilities in that framework and then how we can potentially detect it. Let's get started with a little bit about who I am: my name is Francisco Donoso. I currently run a services architecture team, so I'm a manager of twelve architects, but before that I was an architect at another managed service provider, a security engineer and consultant, and the start of my career was as a security analyst.

To give you a bit of background: around this time last year, April or so, the Shadow Brokers leaked a bunch of information titled Lost in Translation. Lost in Translation included information about SWIFT hacking operations against the Middle East, a bunch of Windows tools and things like that, and, most importantly, a fully functional post-exploitation framework was included as well, and nobody was really looking into that. So my drivers for looking into this are: every time I read breach reports, organizations are saying it was an APT, it was a very persistent adversary, and like 99% of the time it's not. I wanted to see what an adversary who has these capabilities and tools looks like from their perspective. Often you're reading about nation-state APTs from the other side of it, from researchers who have found a few artifacts, reversed the tools and understand how they worked, but there's never been a full leak like this, so I decided to dig into it. I would also encourage others all over the country and the world to start looking into this and reversing it; there were literally gigs of data and a bunch of DLLs that house a bunch of things included in this post-exploitation framework, and I hope this has security companies and universities start looking into this. And finally, I wanted a technical side project. Like I mentioned, I'm a manager now, and when I was a security analyst, which was my favorite part of my career, my days looked a lot like this: I got to play around with really deep, cool technical stuff. Then as my career progressed (sorry, thank you), as my career progressed, my day started looking like this, and because I work for both, I started looking like this, and then my inbox started looking like this. So to keep my technical energy I wanted to start looking at technical things again, so I could hang out with my friends and not be ashamed of how nerdy I am.

What we'll cover in this talk today is this framework and some other frameworks that were actually included in that leak, some information about the tradecraft and capabilities of this attacker (nation-state attackers are super interesting), some methods the Equation Group used to gain and maintain persistence on a machine, then reconnaissance, lateral movement, data exfiltration, and we'll wrap this up with information about defense strategies in general.

Before we roll into the capabilities of DanderSpritz, let's cover a bit of the history of the frameworks. Using a lot of the metadata in the leaked files I was able to piece together some of the history of what the Equation Group's development team built over the years. What we see is a post-exploitation framework that started being developed around 2001 called ExpandingPulley, which is also in this leak; around 2005 is when we start seeing the very beginning of the development of DanderSpritz; and 2011 is when we see them rewrite a lot of the plugins in Python.

So first of all, ExpandingPulley, again 2001. I just want to thank them for leaving information about dates and other things in the files, which made it really easy for me to determine this. ExpandingPulley was the very first version of this post-exploitation framework, and it actually used a custom scripting language. The framework itself was written in C, but plugins and capabilities were written in a scripting language called EPS (ExpandingPulley script); it's sort of a weird mixture of Perl and other languages, but it's definitely custom and interesting to read. This is what ExpandingPulley looked like; again, it's in the leak, so it's just a command line with a very limited GUI off to the side that tells you what you're running on a specific target.

Then in 2005 is when we first start seeing DanderSpritz, which is again the framework we're covering now. At first they started using DSZ, their extension of EPS, which brought in a few more useful things like functions you can import from other libraries, but it was still that custom language. In 2011, for some reason, they actually started porting all of these scripts and rewrote them in Python. [Applause] We'll see how they leverage a lot of these plugins and some of the things that they do.

All right, so on to actual post-exploitation. This leak, the Lost in Translation leak, included everything that you need to go from nothing to post-exploitation, and the way that works at a very high level is: there's this FuzzBunch tool, which is essentially the Equation Group's version of Metasploit. It literally lets you test what a machine is vulnerable to, recommends exploits, and lets you launch exploits. Once you actually launch that exploit, it uses DoublePulsar, which is an in-memory backdoor, and this in-memory backdoor is extremely elegant; there have been a lot of groups that have dug into how it works and I highly recommend you look into it, you could probably fill up a 30-minute talk on its elegance alone. The in-memory backdoor can be configured to load a dynamic library or run an executable. So DoublePulsar is configured with an implant, which is really just malicious code that's responsible for communicating with the listening post, which is DanderSpritz; it's essentially a C&C server, a command and control server, as well as the post-exploitation framework. So we go from nothing, to exploit, to in-memory backdoor, and then to the post-exploitation framework.

A few terms I'm going to use during this talk, just to give you guys context: target is really just the attacked computer, so any time I reference target I'm talking about the machine we're attacking. In DanderSpritz, LP is listening post, really just the Equation Group's term for a C&C server; the LP is responsible for sending commands to the hacked machine. A command is something you're running on the target machine. A PSP is a personal security product; it's what they call AV systems. And finally, a safety is something that prevents the operator from messing up, which we'll cover in a bit.

So what exactly is DanderSpritz? Well, first of all, DanderSpritz is really pretty cool. I really recommend you guys play around with it; please don't do anything dumb with it, don't blame me if you get in trouble, but it's a really cool framework, truly incredible. As I cover this I'd like to remind you that all of these things, the tools and capabilities we're covering, were from 2013, and based on my testing last week they're still mostly undetectable by endpoint and next-gen antivirus. So from 2013 to now, still undetectable; imagine. DanderSpritz is a fully functional post-exploitation framework, and I'm talking about from the very first time you get onto a machine to full lateral movement, data exfiltration and cleanup; it's all included in that program and available, unintentionally open sourced.

The framework is actually written in Java, so the framework that wraps it all together is written in Java, which sort of sucks, but it's easy to decompile. It's extremely modular, so adding a module, plugin or capability is super easy: it requires a Python script and some XML and you've got a plugin that any operator can use. Those plugins, modules or features are actually just written in Python or the custom scripting language I covered earlier, so it's super easy to read, understand, and build your own. This framework is completely designed for opsec, so every step of the way the framework is making sure that the operator or custom automated scripts are not doing something that's going to get them caught, so a lot of operational security is free. And finally, it's designed to prevent dumb operators from messing it up, and we'll cover what that means in a bit; even if an operator tries to do something really loud and really dumb, it will prevent them from doing it, because again it's designed for opsec.

Let's talk about DanderSpritz's concept of an operation. An operation is really just a repository for DanderSpritz to store session data and information about everything that happened during a hacking operation, and when I say everything I mean literally everything: every command that you run on a machine, the output, what happened, all that stuff is held in this repository, which can later be used to generate some additional information. Additionally, DanderSpritz requires that every operation use a separate public/private key pair, so from a network perspective all of this traffic is encrypted with a unique public/private key pair. So really, in this framework all the C&C communication is encrypted in a way that you won't be able to tell what they're doing. Again, per operation, DanderSpritz can correlate data from targets across the same operation, so if you see something on one machine and move laterally to another, it'll correlate that data for you, and then it can register safeties across an entire operation. So the safety that says "don't do X because of this AV product," once identified on one machine, you can just tell DanderSpritz to register it across the entire operation, because you know this entire organization is set up the same way with the same security controls. Operations can actually be replayed, for what I assume is training. As I mentioned, DanderSpritz is logging everything that you do, every command and click, and then can replay it; built into this tool, in this leak, there's a tool that just lets you replay that operation, which I assume is for training. And finally, as part of their operational methodology, it looks like the Equation Group recommends operators write a lot of ops notes along the way as they move forward through the hacking operation, and if the ops notes are formatted correctly they can actually be used to generate tech summaries, for when something goes wrong in the operation and these tools need to be updated for some reason; so the operator generates a tech summary that can be sent to someone else.

This is what DanderSpritz looks like today, well, "today" being 2013, given what we have. When you first connect, DanderSpritz actually does a bunch of information gathering automatically for you: it calls a script called survey.py, which is intended to gather a lot of information about the lay of the land and give the operator information about what's going on with that machine, including operating system information, network information, mounted drives, currently running processes, drivers that are loaded or could be loaded, installed software and software keys (for some reason; I don't know why they'd need that, but it can grab those as well), any services, PSPs/AV systems, and persistence: DanderSpritz actually looks for other malware that has established persistence on the machine and tells you, hey, something malicious is on here, it's not another nation state but, you know, persistence, be careful. Audit configuration, what's being logged, if you have it configured with a local policy; I love being able to tell the operator exactly what's being logged. Scheduled tasks and other common persistence, recently modified files, USB devices, and then they also have their own custom version of a tool that will dump passwords if DanderSpritz believes it's safe to do so, and we'll talk about how it decides that. The survey script takes a long time to run, so you wouldn't want to run it every time, but it really gives the operator the lay of the land and also builds a database under that operation, so that DanderSpritz knows exactly what's happened and how it should behave and use all of its other tools.

Let's talk a little bit about tradecraft; in fact, tradecraft for me is one of the most interesting parts of this, because even though this toolset was leaked, and they're obviously going through a rebuild, their tradecraft is going to remain the same; that's something that's very difficult for nation states or any APT to change. So first things first: when you connect to a machine with DanderSpritz it also runs another tool called Territorial Dispute, which is actually specially designed to look for other adversaries, other nation states, which have been or may still be connected to that machine. The way that works is there's this signatures file; there are like 31 of these specifically that it's looking for, and you can cross-correlate them with known other APTs. So the Equation Group looks for these things, and it immediately tells the operator, hey, this other hacking team, this other nation state, is on this machine. Very interesting, and a team at the Budapest University of Technology and Economics put together a really good talk for the Kaspersky Security Analyst Summit just on Territorial Dispute alone; they went through the sigs file and correlated all the different nation states and APT teams they were looking for, so I would highly recommend you watch that talk as well.

Cool. So even though I mentioned that this is a full-blown post-exploitation framework, and that's true, what's interesting is that included in this framework there's actually a full forensics kit. So if the operator needs to do forensics on the machine for whatever reason, maybe they've found an APT that they haven't seen yet, they can grab a lot of forensic information from the machine automatically: it can dump memory and processes, and can identify injected threads by looking for a dynamic library that's loaded into memory but isn't written to disk, a very common forensics technique now, built into this framework in 2013. It can also parse file so
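The forensic check the talk describes, a loaded module that has no backing file on disk, is a useful thing to have on the defender's side as well. The following is an added example, not code from the talk or from the leaked tooling, and it demonstrates the same idea on Linux rather than Windows: it parses `/proc/<pid>/maps` and reports executable mappings that are anonymous, unlinked after loading (`(deleted)`), or `memfd:`-backed. The sample maps text and the paths in it are constructed for the example; `scan_pid` is the only part that touches a live system.

```python
"""Added example (not from the talk or the leaked tooling): a defender-side
check for code that executes from memory but has no file on disk, done on
Linux by reading /proc/<pid>/maps.

/proc/<pid>/maps fields: address range, permissions, file offset, device,
inode, and an optional pathname. An executable region with no pathname, a
"(deleted)" pathname, or a memfd: pathname has no on-disk file an
investigator could hash or inspect."""

import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+"
    r"(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+"
    r"(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+"
    r"(?P<inode>\d+)\s*"
    r"(?P<path>.*)$"
)


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    inode: int
    path: str  # empty string for anonymous mappings


def parse_maps(text: str) -> List[Mapping]:
    """Parse the text of a /proc/<pid>/maps file into Mapping records."""
    mappings = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than abort
        mappings.append(Mapping(
            start=int(m["start"], 16),
            end=int(m["end"], 16),
            perms=m["perms"],
            inode=int(m["inode"]),
            path=m["path"].strip(),
        ))
    return mappings


# Kernel-provided executable regions that legitimately have no file behind
# them; excluded so the check does not report every process on the box.
KNOWN_PSEUDO = ("[vdso]", "[vsyscall]", "[vectors]")


def fileless_executable_regions(mappings: Iterable[Mapping]) -> List[Mapping]:
    """Return executable mappings that are not backed by a file still on disk.

    Anonymous executable memory (inode 0), a file unlinked after loading
    ("(deleted)"), and memfd: mappings all match the pattern described in
    the talk: code in memory with nothing to examine on disk.
    """
    suspicious = []
    for mp in mappings:
        if "x" not in mp.perms:
            continue
        if mp.path in KNOWN_PSEUDO:
            continue
        no_file = mp.inode == 0
        unlinked = mp.path.endswith("(deleted)")
        memfd = mp.path.startswith("/memfd:")
        if no_file or unlinked or memfd:
            suspicious.append(mp)
    return suspicious


def scan_pid(pid: int) -> Optional[List[Mapping]]:
    """Read /proc/<pid>/maps for a live process; None if it cannot be read."""
    try:
        with open(f"/proc/{pid}/maps") as fh:
            return fileless_executable_regions(parse_maps(fh.read()))
    except OSError:
        return None


# Constructed sample (not captured from a real system): a normal binary and
# libc, plus one anonymous RWX region and one library unlinked after loading.
SAMPLE_MAPS = """\
55d4c3e00000-55d4c3e01000 r--p 00000000 fd:01 1311253 /usr/bin/sleep
55d4c3e01000-55d4c3e05000 r-xp 00001000 fd:01 1311253 /usr/bin/sleep
7f2a1c000000-7f2a1c021000 rw-p 00000000 00:00 0
7f2a1c200000-7f2a1c3c2000 r-xp 00028000 fd:01 1052842 /usr/lib/x86_64-linux-gnu/libc.so.6
7f2a1c500000-7f2a1c510000 rwxp 00000000 00:00 0
7f2a1c600000-7f2a1c610000 r-xp 00000000 fd:01 2231 /tmp/unlinked.so (deleted)
7ffd1e3a0000-7ffd1e3c1000 rw-p 00000000 00:00 0 [stack]
7ffd1e3f0000-7ffd1e3f2000 r-xp 00000000 00:00 0 [vdso]
"""

if __name__ == "__main__":
    for mp in fileless_executable_regions(parse_maps(SAMPLE_MAPS)):
        print(f"{mp.start:#x}-{mp.end:#x} {mp.perms} {mp.path or '<anonymous>'}")
```

Run against the constructed sample it reports two regions: the anonymous RWX mapping and the deleted library. Legitimate JIT compilers also produce anonymous executable memory, so in practice a hit is a lead to triage (dump the region, compare against the process's expected loaded modules), not a verdict on its own.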