Killsuit: The Equation Group's Swiss Army knife for persistence, evasion, and data exfil

DerbyCon 8.0 - Evolution

Presented by: Francisco Donoso
Date: Sunday October 07, 2018
Time: 11:00 - 11:50
Location: Kentucky E
Track: Track 3

Most researchers have focused on the Equation Group's brilliant exploits, but very few have focused on its extremely effective post-exploitation capabilities. During this talk, we will dissect the KillSuit framework, the Equation Group's Swiss Army Knife for persistence, information gathering, defense evasion, and data exfiltration. KillSuit is a little-known part of the DanderSpritz post-exploitation toolkit, leaked by the Shadow Brokers in April 2017. KillSuit is a full-featured and versatile framework used by a variety of the Equation Group's tools and implants. KillSuit provides the ability to stealthily establish persistence on machines, install keyloggers and packet capture tools, perform WiFi MITM, and deploy other information gathering tools. KillSuit includes many interesting ways to silently exfiltrate data and intel, including custom-written IPsec-like protocols and misuse of "disabled" WiFi cards and nearby open networks.

Francisco Donoso

Francisco currently runs a Managed Security Service Architecture team for a large multinational computer security company. His passion and hobby is researching and understanding nation-state hacking capabilities and tools. He has been at the forefront of research into the Equation Group's post-exploitation tools and capabilities since their release by the Shadow Brokers and has spoken about this research at DerbyCon, THOTCON, and other conferences.
