What is Killsuit and how does it work
What is Killsuit
Killsuit (KiSu) is a modular persistence and capability mechanism employed in post-exploitation frameworks including Danderspritz (DdSz), which was developed by The Equation Group and leaked in April 2017 by The Shadow Brokers as part of the “Lost in Translation” leak. KiSu serves two purposes – it enables persistence on a host, and it works as a sort of catalyst that allows specific exploitative functions to be carried out.
How does Killsuit infect a machine
As KiSu is a post-exploitation tool, it is used as part of a hands-on-keyboard attack in which a malicious actor is actively compromising a network. The DdSz exploitation framework includes various tools, among them PeddleCheap (PC), a payload that allows for highly tuned interaction with a compromised host. PC is a post-exploitation tool that can install KiSu instances on a host in order to run its various capabilities as part of the attacker’s process. Although PC is typically loaded onto a host through a tool such as DoublePulsar, and is therefore injected into a running process, KiSu is installed deliberately as an action of the PC payload, as a post-exploitation operation.