-
Lost in Translation - A repository of the leaked tools
-
MS17-010 - Port of some of the exploits to Windows 10
-
INSTALL.md - Notes on how to install and use the tools
-
Equation Group Dump Analysis and Full RCE on Win7 on MS17-010 with Cobalt Strike - Notes on how to use EternalBlue and DoublePulsar
-
Powershell Empire and FuzzBunch: exploitation of the sensational vulnerability ETERNALBLUE - How to install PowerShell Empire and FuzzBunch under WINE on Linux and how to use the EternalBlue and DoublePulsar payloads from Empire
-
HOW TO EXPLOIT ETERNALBLUE & DOUBLEPULSAR TO GET AN EMPIRE/METERPRETER SESSION ON WINDOWS 7/2008 (PDF) - How to install and set up FuzzBunch and how to use EternalBlue and DoublePulsar from it and from PowerShell Empire
-
HOW TO EXPLOIT ETERNALROMANCE/SYNERGY TO GET A METERPRETER SESSION ON WINDOWS SERVER 2016 (PDF) - How to use the Metasploit modules for EternalRomance and EternalSynergy to get a Meterpreter session
-
Data analysis of the Shadow Brokers leak - A general description of what the package of tools contains
-
How to: Install Fuzzbunch & DanderSpritz? - How to install FuzzBunch and DanderSpritz
-
A peek view in the Equation Group toolbox - How to use the tools from FuzzBunch and DanderSpritz frameworks
-
Analysis of the Shadow Brokers release and mitigation with Windows 10 virtualization-based security - Behavior of EternalBlue and EternalRomance on Windows 10
-
Hunting the hunter, finding bugs in NSA tools - Description of some bugs in the tools
-
Exploring the crypt: Analysis of the WannaCrypt ransomware SMB exploit propagation - Use of EternalBlue and DoublePulsar in the WannaCry worm
-
The Wannacry and NotPetya bug - CVE-2017-0144 SMB Remote Execution RCE - Use of EternalBlue in the WannaCry and Petya worms
-
ETERNALBLUE: Exploit Analysis and Port to Microsoft Windows 10 - Port of EternalBlue to Windows 10
-
Memory analysis of Eternalblue - Another analysis of EternalBlue
-
EternalBlue’s Large Non-Paged Pool Overflow in SRV Driver - Another analysis of EternalBlue
-
Shadow Brokers: exploiting Eternalblue + Doublepulsar - Analysis of EternalBlue and DoublePulsar
-
DoublePulsar Initial SMB Backdoor Ring 0 Shellcode Analysis - Analysis of the shellcode that installs the DoublePulsar backdoor
-
EternalBlue – Everything there is to know - A very complete explanation of exactly how the EternalBlue exploit works
-
EternalBlue: a prominent threat actor of 2017–2018 - Excellent description of how EternalBlue works, with short descriptions of some of the other tools and exploits (DoublePulsar, FuzzBunch, EternalRomance, EmeraldThread, ErraticGopher, EskimoRoll, EducatedScholar, EternalSynergy, EclipsedWing, EnglishmanDentist, EsteemAudit, ExplodingCan)
-
Patching DoublePulsar to Exploit Windows Embedded Machines - How to modify a single byte of the Metasploit implementation of DoublePulsar, in order to make it capable of infecting Windows Embedded machines
-
Eternalromance: Exploiting Windows Server 2003 - Analysis of EternalRomance
-
Eternal Champion Exploit Analysis - Analysis of EternalChampion
-
A Quick Analysis of Microsoft's ESTEEMAUDIT Patch - Analysis of EsteemAudit
-
A Dissection of the “EsteemAudit” Windows Remote Desktop Exploit - Another analysis of EsteemAudit
-
A quick look at the NSA exploits & Dander Spiritz trojan - Analysis of DanderSpritz
-
The Equation Group’s post-exploitation tools (DanderSpritz and more) Part 1 - Another analysis of DanderSpritz
-
EnglishmansDentist Exploit Analysis - Analysis of EnglishmanDentist
-
Eternal Synergy Exploit Analysis - Analysis of EternalSynergy
-
Analysis of the Shadowbrokers Envisoncollision Exploit - Analysis of the EnvisionCollision exploit
-
ExplodingCan - Python implementation of the ExplodingCan exploit
-
DanderSpritz/PeddleCheap Traffic Analysis (PDF file) - Analysis of the network traffic between PeddleCheap and DanderSpritz.
-
Dissecting a Bug in the EternalRomance Client - Description of a bug in the implementation of the EternalRomance exploit
-
Nsa Shadowbrokers leak: analyzing EPICHERO - Analysis of the EpicHero exploit
-
danderspritz-evtx - Script for recovering the log file entries deleted by the DanderSpritz tool.
-
DanderSpritz_lab - How to set up a fully functional DanderSpritz lab for research and experimentation purposes.
-
danderspiritz.com - A site dedicated to information about the DanderSpritz framework.
-
Territorial Dispute – NSA’s perspective on APT landscape - Description of TerritorialDispute, the database used to detect various competing APT tools.
-
How The Equation Group Remained Out Of Sight Over The Years (video) - A lecture describing how the KillSuit framework works.