
Security researchers have found a way to reverse the effects of an NSA hacking utility that deletes event logs from compromised machines.

Last week, Fox-IT published a Python script that recovers event log entries "deleted" with the "eventlogedit" utility, part of DanderSpritz, a post-exploitation framework attributed to the NSA that was leaked online by the hacking group known as the Shadow Brokers.

According to Fox-IT, the weakness in the DanderSpritz log cleaner is that the utility does not actually delete event log entries at all: it only unreferences them, merging each unwanted record into the record that precedes it, so the original bytes stay in the file.

How the DanderSpritz utility affects logs

By default, DanderSpritz merges one or more "compromising" log records into the clean record immediately before them: the clean record's size field is grown to cover the records that follow, so a reader that jumps from record to record by size never lands on them.

When Event Viewer or the Windows Event Log service parses the doctored file, it reads the clean record, stops at its closing tag, and ignores the remaining bytes inside that record's declared size, which is exactly where the unreferenced "bad" events still sit.

This trick lets attackers hide malicious actions on compromised machines. With Fox-IT's new danderspritz-evtx script, investigators can carve those unreferenced records back out of the file, rebuild the original log, and trace the attacker's footprints.
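The following is an added example that models the technique described above; it is not Fox-IT's danderspritz-evtx script and does not parse real EVTX files. The record header (magic bytes `**\x00\x00`, size, record ID, FILETIME) follows the real EVTX record layout, but the body is plain XML text rather than BinXML and there is no chunk header or checksum; those simplifications, the `eventlogedit` model, and the sample events are assumptions of this example. It shows why a size-driven reader loses the merged records, and how carving on the record signature gets them back.

```python
"""Model of the DanderSpritz 'eventlogedit' merge trick and its reversal.

Added example, not Fox-IT's danderspritz-evtx script. The record header
(magic '**\\x00\\x00', size, record id, FILETIME) follows the real EVTX
layout, but the body is plain XML text instead of BinXML and there is no
chunk header or checksum (assumptions made to keep the model small).
"""
import struct

RECORD_MAGIC = b"**\x00\x00"
HEADER = struct.Struct("<4sIQQ")   # magic | size | record id | FILETIME
END_TAG = b"</Event>"


def build_record(record_id, filetime, xml):
    """Serialise one record: header, body, trailing copy of the size."""
    body = xml.encode()
    size = HEADER.size + len(body) + 4
    return HEADER.pack(RECORD_MAGIC, size, record_id, filetime) + body + struct.pack("<I", size)


def build_log(events):
    return b"".join(build_record(rid, ft, xml) for rid, ft, xml in events)


def walk(log):
    """Size-driven sequential walk: read a header, jump ahead by its size.
    This is how an ordinary reader (and Event Viewer) reaches the next record."""
    records = []
    off = 0
    while off + HEADER.size <= len(log):
        magic, size, rid, _ = HEADER.unpack_from(log, off)
        if magic != RECORD_MAGIC or size < HEADER.size + 4 or off + size > len(log):
            break
        records.append((off, size, rid))
        off += size
    return records


def eventlogedit(log, hide_ids):
    """Model of the tool's behaviour as the article describes it: nothing is
    deleted, the size field of the nearest preceding visible record is grown
    so that the hidden record(s) fall inside its span."""
    buf = bytearray(log)
    last_visible = None
    for off, size, rid in walk(log):
        if rid not in hide_ids:
            last_visible = off
            continue
        if last_visible is None:
            raise ValueError("first record has no predecessor to merge into")
        prev_size = struct.unpack_from("<I", buf, last_visible + 4)[0]
        struct.pack_into("<I", buf, last_visible + 4, prev_size + size)
    return bytes(buf)


def view_events(log):
    """What a viewer shows: each walked record's body up to its closing tag.
    Bytes after the end tag but inside the declared size are ignored, which
    is exactly where the merged-in records sit."""
    shown = []
    for off, size, rid in walk(log):
        body = log[off + HEADER.size: off + size - 4]
        end = body.find(END_TAG)
        xml = body if end == -1 else body[: end + len(END_TAG)]
        shown.append((rid, xml.decode(errors="replace")))
    return shown


def recover_events(log):
    """Carve records by their magic bytes instead of trusting size fields.
    Returns (record_id, xml, status): 'hidden' for records the size-driven
    walk never reaches, 'resized' for the record whose size was grown to
    swallow them, 'ok' otherwise. Assumes the magic never occurs in a body."""
    visible = {off for off, _, _ in walk(log)}
    offsets = []
    pos = log.find(RECORD_MAGIC)
    while pos != -1:
        offsets.append(pos)
        pos = log.find(RECORD_MAGIC, pos + 1)
    out = []
    for i, off in enumerate(offsets):
        if off + HEADER.size > len(log):
            continue
        end = offsets[i + 1] if i + 1 < len(offsets) else len(log)
        _, size, rid, _ = HEADER.unpack_from(log, off)
        body = log[off + HEADER.size: end - 4]      # drop the trailing size copy
        if off not in visible:
            status = "hidden"
        elif size != end - off:
            status = "resized"
        else:
            status = "ok"
        out.append((rid, body.decode(errors="replace"), status))
    return out


# Constructed sample log (not real telemetry): two benign logons around an
# attacker's process-creation and service-install events.
SAMPLE = [
    (1, 131583000000000000, "<Event><System><EventID>4624</EventID></System></Event>"),
    (2, 131583000000000001, "<Event><System><EventID>4688</EventID></System>"
                            "<EventData><Data>C:\\Windows\\Temp\\a.exe</Data></EventData></Event>"),
    (3, 131583000000000002, "<Event><System><EventID>7045</EventID></System></Event>"),
    (4, 131583000000000003, "<Event><System><EventID>4624</EventID></System></Event>"),
]

if __name__ == "__main__":
    clean = build_log(SAMPLE)
    edited = eventlogedit(clean, {2, 3})
    print("viewer sees record ids:", [rid for rid, _ in view_events(edited)])
    for rid, xml, status in recover_events(edited):
        print(f"record {rid} [{status}]: {xml}")
```

Run it and the size-driven view shows only records 1 and 4, while carving returns all four, flags record 1 as resized and records 2 and 3 as hidden. The "resized" status is the useful detection signal on its own: a record whose declared size does not match the distance to the next record signature has been tampered with, whether or not the hidden bodies still parse.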

The script is available on GitHub and belongs in the toolkit of anyone investigating compromised Windows machines.

danderspritz-evtx in action

Because DanderSpritz has been public for more than half a year, it is no longer only NSA operatives who can use it; cyber-criminal groups and malware families may have folded the technique behind the "eventlogedit" component into their own arsenals.

What is DanderSpritz

DanderSpritz is a post-exploitation framework that bundles many other utilities besides log cleaning. The NSA reportedly used it together with FuzzBunch, an exploitation framework.

NSA operatives would use FuzzBunch to load and run exploits on targeted computers, and later deploy DanderSpritz to find and extract sensitive data, spread to nearby computers, and remove any traces of compromise.

“Think of it as the nation state version of Metasploit’s Meterpreter but with automated Anti-Virus detection & avoidance, and a ton of (previously) undetectable tools to dump passwords, gather information, gain persistence, and move laterally,” Francisco Donoso, a researcher for Kudelski Security, wrote about DanderSpritz last May.

At L Technology Group, we know that technology alone will not protect us from the risks of cyberspace. Hackers, nation states such as Russia and China, and "Bob" in HR opening that email are all real threats to your organization. Defending against them requires a strategy that combines technology with people who eat and breathe cybersecurity, together with proven processes and techniques, in an advanced next-generation security solution. Since 2008, L Technology Group has developed the people, processes and technology to combat the ever-changing threat landscape that businesses face every day.

Call toll free (855) 999-6425 for a free consultation from L Technology Group.