- #EASYBEE EXPLOIT INSTALL#
- #EASYBEE EXPLOIT SOFTWARE#
- #EASYBEE EXPLOIT PC#
- #EASYBEE EXPLOIT WINDOWS#
EARLYSHOVEL RedHat 7.0 - 7.1 Sendmail 8.11.x exploit.It can duplicate tokens (Kerberos tokens?) and "remote execute commands" as well as logon as users (based on files in ZBng/Commands/CommandLine) ZBng ZippyBang Looking at this quickly, it appears to be the NSA's version of Mimikatz.
#EASYBEE EXPLOIT INSTALL#
Utbu UtilityBurst Appears to be a mechanism for persistence via a driver install unsure (based on UtBu/Scripts/Include/_UtilityBurstFunctions.dsi). Appears to be used to identify other nation states also #EASYBEE EXPLOIT SOFTWARE#
TeDi TerritorialDispute A plugin used to determine what other (malicious) software may be persistently installed (based on TeDi/PyScripts/sigs.py). Tasking N/A Handles the collection "tasks" that DanderSpritz has requested on the same (collection of windows, network data, etc). StLa Strangeland Keylogger (based on StLa/Tools/i386-winnt/strangeland.xsl). ScRe ? Interacts with SQL databases (based on ScRe/Commands/CommandLine/Sql_Command.xml). Python N/A Python Libraries / resources being used. Pc2.2 PeddleCheap Resources for PeddleCheap including different DLLs / configs to call back to the C2. #EASYBEE EXPLOIT PC#
Pc PeddleCheap The main implant (loaded via DoublePulsar) that performs all of these actions and communciates with the C2 (DanderSpirtz). PaCU PaperCut Allows you to perform operations on file handles opened by other processes. Pfree Passfreely Oracle implant that bypasses auth for oracle databases. includes tools to gather data from Chrome, Skype, Firefox (ripper) and gather information about the machine / environment (survey) Ops N/A Contains a lot of awesome tools and python / dss scripts used by DanderSpritz. Gui N/A Resources used by the DanderSpirtz GUI. GeZU GreaterSurgeon Appears to dump memory (based on GeZu/Commands/CommandLine/GeZu_KernelMemory_Command.xml). 
GaTh GangsterTheif Appears to parse data gathered by GreaterDoctor to identify other (malicious) software that may be installed persistently (based on GaTh/Commands/CommandLine/GrDo_ProcessScanner_Command.xml). GRcl ? Appears to dump memory from a specific process (based on GRcl/Commands/CommandLine/ProcessMemory_Command.xml). GROK ? Appears to be a keylogger (based on Ops/PyScripts/overseer/plugins/keylogger.py). GRDO GreaterDoctor Appears to parse / process from GreaterSurgeon (based on GRDO/Tools/i386/GreaterSurgeon_postProcess.py & analyzeMFT.py). FlAv FlewAvenue Appears related to DoormanGauze (based on FlAv/scripts/_FlewAvenue.txt). Ep ExpandingPulley Listening Post developed in 2001 and abandoned in 2008. They seem to be scripts run by DanderSpritz Dsz DanderSpritz Several DanderSpritz specific files such as command descriptions (in XML), and several scripts with DSS (Debug script interface?) / DSI extensions?. #EASYBEE EXPLOIT WINDOWS#
DmGZ DoormanGauze DoormanGauze is a kernel level network driver that appears to bypass the standard Windows TCP/IP stack. A lot of tools mention that doublefeature is the only way to confirm their existence Df DoubleFeature Generates a log & report about the types of tools that could be deployed on the target. DeMI DecibelMinute Appears to interact with KillSuit to install, configure, and uninstall it. Darkskyline DarkSkyline Contains tools to parse and filter traffic captured by DarkSkyline. DaPu DarkPulsar Appears to be a legacy implant, similar to PeddleCheap but older. 
Confirmed: Leaked Equation Group Hacking Tools Are Real.: Buckeye: Espionage Outfit Used Equation Group Tools Prior to Shadow Brokers Leak.I am not responsible if you choose to use my work or this documentation to do something dumb and/or illegal. Disclaimer: These links are intended to be used by information security researchers who are interested in understanding the capabilities of frameworks/data-sets used in real-life.
0 kommentar(er)
