TOP SECRET//COMINT//REL TO USA, FVEY
[email protected]
"Using the XKS CNE dataset and a DISGRUNTLEDDUCK fingerprint, we now see at least 21 TAO boxes with evidence of this intrusion set, most of which are associated with projects aimed at Iran WMD targets." ~ MHS, July 2010
March 2011
Overall Classification
The overall classification of this presentation is:
TOP SECRET//COMINT//REL TO USA, FVEY
UNCLASSIFIED//FOUO
SECRET//COMINT//REL TO USA, FVEY
What is XKEYSCORE?
• A suite of software running on a Linux host
• Classically, used for DNI processing, selection and survey
• A distributed hierarchy of servers at field sites and headquarters
  • Extract and tag metadata & content from traffic
  • Servicing analyst queries and workflows
• Web and programmatic front-ends
TOP SECRET//COMINT//REL TO USA, FVEY
[Screenshot: XK Metaviewer in Mozilla Firefox (XKEYSCORE web front-end), with the banner "This system is audited for USSID 18 and Human Rights Act compliance". The left pane lists result categories (Address, Machine Information, Network Information, Documents, Extracted Files, HTTP Activity, Logins and Passwords, among others). The main pane is a results grid with From IP / To IP, case notation, From Country / From City / To Country / To City columns; every row geolocates to FR. IP values and the rest of the grid are not recoverable from the scan.]
TOP SECRET//COMINT//REL TO USA, FVEY
Example Search
Let's try a search for suspicious stuff... http_activity search, 5-eyes defeat, look for fingerprints:
ndist/discovery/heuristic/BHAM/get_with_content or http/get/with_content
While the search runs, some gotchas:
• You choose where your query is run
• Content and metadata age-off
• Burden is on user/auditor to comply with USSID-18 or other rules
• Geolocation based on IP
SECRET//COMINT//REL TO USA, FVEY
Search Results
[Screenshot: XKEYSCORE C2C Session Viewer (xks-central.corp.nsa.ic.gov:8443) in Mozilla Firefox, banner "This system is audited for USSID 18 and Human Rights Act compliance", classification SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL. Tabs: Session, Header (3), Meta (7), Attachments (1). One-click searches offered: Find fingerprint (ndist/discovery/..., http/get/with_content), Find traffic on <IP>, Find application, Find proxy hash, Find opposite side of session. The session content is an HTTP GET request whose User-Agent is a long hex-looking string, with Content-Type: application/x-www-form-urlencoded and Connection: Keep-Alive headers, followed by a "Reset from local" note.]
Notes:
• Strange User-Agent
• Probably NOT CNE but definitely something non-standard
• Content: maybe a HTTP tunnel for some weird protocol? Reset from local...
• Should we write a Fingerprint?
SECRET//COMINT//REL TO USA, FVEY
• Useful for identifying classes of traffic or particular targets (for SIGDEV or collection):
  mail/webmail/yahoo
  browser/cellphone/blackberry
  topic/s2B/chinese_missile
• appid - a contest, highest scoring appid wins
• fingerprint - many fingerprints per session
• microplugin - a fingerprint or appid that is relatively complex (e.g. extracts and databases metadata)
SECRET//COMINT//REL TO USA, FVEY
Fingerprints and Appids (more)
• Written in language called "GENESIS" (go genesis-language):
appid('encyclopedia/wikipedia', 2.0) = http_host('wikipedia' or 'wikimedia');
fingerprint('dns/malware/MalwareDomains') = dns_host('erofreex.info' or 'datayakoz.info' or 'erogirlx.info' or 'pornero.info' or ...
• If a fingerprint contains a schema definition, a search form automatically appears in the XKEYSCORE GUI
• Power users can drop in to C++ to express themselves
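As an added illustration of the two rule kinds on these slides (an appid is a contest in which the highest-scoring match wins; a session may carry many fingerprints), the following Python is an example written for this page, not GENESIS and not XKEYSCORE code. The http_host()/dns_host() rule names and the wikipedia and MalwareDomains rules are transcribed from the slide; the session dict layout, the extra 'web/generic_http' appid, the fields 'method' and 'content_length', and the scoring loop are assumptions made for this example.

```python
"""Toy appid / fingerprint evaluator (constructed example, not GENESIS)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Session = Dict[str, object]   # assumed layout: http_host, dns_host, method, content_length
Rule = Callable[[Session], bool]


@dataclass
class AppId:
    name: str
    score: float          # appids compete: the highest score that matches wins
    rule: Rule


@dataclass
class Fingerprint:
    name: str             # fingerprints do not compete: every match is recorded
    rule: Rule


def http_host(*needles: str) -> Rule:
    """Match when any needle is a substring of the session's HTTP Host value."""
    def rule(s: Session) -> bool:
        host = str(s.get("http_host") or "").lower()
        return any(n in host for n in needles)
    return rule


def dns_host(*names: str) -> Rule:
    """Match when the queried DNS name equals, or is a subdomain of, a listed name."""
    def rule(s: Session) -> bool:
        q = str(s.get("dns_host") or "").lower().rstrip(".")
        return any(q == n or q.endswith("." + n) for n in names)
    return rule


# Rules from the slide; the slide's domain list is truncated there with "...".
APPIDS: List[AppId] = [
    AppId("encyclopedia/wikipedia", 2.0, http_host("wikipedia", "wikimedia")),
    # Assumed low-scoring fallback so the contest has something to beat.
    AppId("web/generic_http", 0.5, lambda s: bool(s.get("http_host"))),
]
FINGERPRINTS: List[Fingerprint] = [
    Fingerprint("dns/malware/MalwareDomains",
                dns_host("erofreex.info", "datayakoz.info", "erogirlx.info", "pornero.info")),
    # The 'GET with content' fingerprint named on the Example Search slide.
    Fingerprint("http/get/with_content",
                lambda s: s.get("method") == "GET" and int(s.get("content_length") or 0) > 0),
]


def classify(session: Session) -> Tuple[Optional[str], List[str]]:
    """Return (winning appid name or None, names of all matching fingerprints)."""
    winner, best = None, float("-inf")
    for a in APPIDS:
        if a.rule(session) and a.score > best:
            winner, best = a.name, a.score
    fps = [f.name for f in FINGERPRINTS if f.rule(session)]
    return winner, fps


if __name__ == "__main__":
    # Constructed sample sessions.
    for s in ({"http_host": "en.wikipedia.org", "method": "GET", "content_length": 0},
              {"http_host": "example.com", "method": "GET", "content_length": 42},
              {"dns_host": "cdn.datayakoz.info."}):
        print(s, "->", classify(s))
```

The appid contest is the `score > best` comparison; the fingerprint list comprehension keeps every hit, which is what lets one session be tagged with both a DNS malware fingerprint and an HTTP anomaly at the same time.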
SECRET//COMINT//REL TO USA, FVEY
More about searches
• Many different searches
• Base search is Full Log DNI
• Depending on traffic type, will generate searchable results for (example): HTTP Activity, Network Information, GEO Info, Extracted Files, Email Addresses, Registry, Logins and Passwords, Document Metadata, Machine Info
• workflow - a user query that is run automatically, usually every 24 hours
SECRET//COMINT//REL TO USA, FVEY
XKEYSCORE Gotchas
• Not all sites run latest XKEYSCORE software or fingerprints
• Fingerprint submission: XKEYSCORE team weighs mission-worthiness of user fingerprints vs computational cost
• Content and metadata age-off
TOP SECRET//COMINT//REL TO USA, FVEY
XKEYSCORE CNE
• Lots of endpoint data flows into XKS: TAO (no ECIs), GCHQ (almost all)
• Other limited flows include SIGINT Forensics Center, TAO STAT
• XKEYSCORE works well for endpoint data
• Sometimes the paradigm breaks (e.g. collected browser history file)
TOP SECRET//COMINT//REL TO USA, FVEY
XKEYSCORE CNE
• Payload types: dirwalk, extracted file, system survey, network config, captured credentials, registry query, key logger, etc.
• Labeled dnt_payload in appid/fingerprint ontology
• Let's look at some DANDERSPRITZ data...
TOP SECRET//COMINT//REL TO USA, FVEY
XKEYSCORE CNE
[Screenshot: XKEYSCORE C2C Session Viewer (xks-central) in Mozilla Firefox, banner "This system is audited for USSID 18 and Human Rights Act compliance", classification TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL; session dated 2011-04-12, tabs Session, Header (3), Meta (4). One-click searches: Find fingerprint (exfil/experimental/process...), Find traffic on, Find application dnt_payload/processlist. The session content is a process-list payload: an XML list of <Process> elements carrying creationTime, description ("Initial" / "Started"), pid and ppid attributes and the image name as text (svchost.exe, spoolsv.exe, msdtc.exe, explorer.exe, winlogon.exe, csrss.exe, VMwareService.exe and others). Individual timestamps and pids are not recoverable from the scan.]
TOP SECRET//COMINT//REL TO USA, FVEY
XKEYSCORE CNE
• Recent Developments
  • Upgrade of XKEYSCORE CNE
  • Keyloggers: keylogger/perfect/extension
  • PCAP Reingestion
  • Router Redirection
TOP SECRET//COMINT//REL TO USA, FVEY
Counter CNE Methodology (refer to Counter CNE Resources slide...)
• Hypothesis/research-driven
  • "Could South Korean CNE be using similar selectors to FVEY CNE?"
  • "What keywords could be used to find keyloggers?" (example: keylog OR keystroke)
• Bogus or Unusual Traffic
  • HTTP GET with content (example in this presentation)
  • HTTP POST at odd hours (from Russia 0200-0359Z)
  • Funky user agents
• Known-Host or User driven (e.g. drop sites)
XKEYSCORE is GOOD at these kinds of things
TOP SECRET//COMINT//REL TO USA, FVEY
CNE-Specific
• Registry searches (e.g. SIMBAR)
• Fused Active/Passive search
  • common selectors
  • document hashes
• Known Processes (malicious executables or code) ... Let's enhance the process list appid
• map-reduce within CNE cluster using GENESIS calls
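The "enhance the process list appid" idea above, worked as an added Python example (not XKEYSCORE or GENESIS code): parse a dnt_payload/processlist-style payload and flag processes whose image name is on a watchlist or whose parent is not the one a core Windows image is normally started by. The <Process> element shape (creationTime, description, pid, ppid attributes, image name as text) mirrors what is visible in the screenshot; the sample payload, the expected-parent table (Windows XP-era tree) and the watchlist are constructed for this example.

```python
"""Process-list payload checks (constructed example, not XKEYSCORE code)."""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample payload; attribute names follow the screenshot.
SAMPLE_XML = """<ProcessList>
  <Process creationTime="2011-04-12T02:00:37Z" description="Initial" pid="4" ppid="0">System</Process>
  <Process creationTime="2011-04-12T02:00:37Z" description="Initial" pid="463" ppid="4">smss.exe</Process>
  <Process creationTime="2011-04-12T02:00:38Z" description="Initial" pid="520" ppid="463">csrss.exe</Process>
  <Process creationTime="2011-04-12T02:00:38Z" description="Initial" pid="544" ppid="463">winlogon.exe</Process>
  <Process creationTime="2011-04-12T02:00:39Z" description="Initial" pid="588" ppid="544">services.exe</Process>
  <Process creationTime="2011-04-12T02:00:39Z" description="Initial" pid="600" ppid="544">lsass.exe</Process>
  <Process creationTime="2011-04-12T02:00:45Z" description="Initial" pid="844" ppid="588">svchost.exe</Process>
  <Process creationTime="2011-04-12T02:01:02Z" description="Started" pid="1532" ppid="1528">explorer.exe</Process>
  <Process creationTime="2011-04-12T02:03:14Z" description="Started" pid="1120" ppid="1532">svchost.exe</Process>
  <Process creationTime="2011-04-12T02:03:20Z" description="Started" pid="2216" ppid="844">svch0st.exe</Process>
</ProcessList>"""

# Core Windows images and the parent image each is normally launched by (XP era; assumed).
EXPECTED_PARENT = {
    "csrss.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "services.exe": {"winlogon.exe"},
    "lsass.exe": {"winlogon.exe"},
    "svchost.exe": {"services.exe"},
}
# Constructed watchlist of known-bad or lookalike image names.
WATCHLIST = {"svch0st.exe", "scvhost.exe", "lsas.exe"}


def parse_processlist(xml_text: str) -> List[Dict[str, object]]:
    """Return one dict per <Process>: pid, ppid, name, creation_time, description."""
    root = ET.fromstring(xml_text)
    procs = []
    for el in root.iter("Process"):
        procs.append({
            "pid": int(el.get("pid")),
            "ppid": int(el.get("ppid")),
            "name": (el.text or "").strip().lower(),
            "creation_time": el.get("creationTime"),
            "description": el.get("description"),
        })
    return procs


def analyze_processlist(xml_text: str) -> List[Dict[str, object]]:
    """Flag watchlisted image names and core images with an unexpected parent."""
    procs = parse_processlist(xml_text)
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        if p["name"] in WATCHLIST:
            findings.append({"check": "watchlist", "pid": p["pid"], "name": p["name"]})
        expected = EXPECTED_PARENT.get(p["name"])
        if expected:
            parent = by_pid.get(p["ppid"])
            parent_name = parent["name"] if parent else "<missing>"
            if parent_name not in expected:
                findings.append({"check": "unexpected_parent", "pid": p["pid"],
                                 "name": p["name"], "parent": parent_name})
    return findings


if __name__ == "__main__":
    for f in analyze_processlist(SAMPLE_XML):
        print(f)
```

The parent check is what a plain name match misses: an `svchost.exe` spawned by `explorer.exe` has a legitimate name but the wrong lineage, and the payload's pid/ppid pairs are enough to see it.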
TOP SECRET//COMINT//REL TO USA, FVEY
XKEYSCORE Doesn't Do ... at all (well, automatically, anyways)
• Paired traffic heuristic-based approach
  • HTTP[S] imbalance (e.g. GET without response)
  • IP/DNS mismatch*
• Network or host characterization
• Changes in IP/DNS mapping over time
• Changes over time in malware comms
* on an automatic basis
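The "Bogus or Unusual Traffic" heuristics from the Counter CNE Methodology slide (GET with content, POST at odd hours from Russia, funky user agents) together with the paired-traffic check from this slide (a GET with no response), run over constructed HTTP-activity records. This is an added Python example, not XKEYSCORE or GENESIS code; the record layout (session_id, direction, ts, src_country, method, content_length, user_agent), the heuristic names other than http/get/with_content, and the browser User-Agent pattern are assumptions made for this example.

```python
"""Counter-CNE traffic heuristics over constructed HTTP records (example code)."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed sample: a request record per session plus a response record for
# the sessions that got one. Timestamps are UTC ("Z").
RECORDS = [
    {"session_id": 1, "direction": "request", "ts": "2011-03-01T14:02:11Z",
     "src_country": "FR", "method": "GET", "content_length": 0,
     "user_agent": "Mozilla/5.0 (Windows NT 5.1; rv:2.0) Gecko/20100101 Firefox/4.0"},
    {"session_id": 1, "direction": "response", "ts": "2011-03-01T14:02:12Z"},
    # GET carrying a body and a non-browser User-Agent (cf. the Search Results slide)
    {"session_id": 2, "direction": "request", "ts": "2011-03-01T14:05:00Z",
     "src_country": "FR", "method": "GET", "content_length": 512,
     "user_agent": "A1B2C3D4E5F60718A1B2C3D4"},
    {"session_id": 2, "direction": "response", "ts": "2011-03-01T14:05:01Z"},
    # POST inside the 0200-0359Z window from RU
    {"session_id": 3, "direction": "request", "ts": "2011-03-02T02:47:30Z",
     "src_country": "RU", "method": "POST", "content_length": 200,
     "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"},
    {"session_id": 3, "direction": "response", "ts": "2011-03-02T02:47:31Z"},
    # GET that never receives a response (HTTP imbalance)
    {"session_id": 4, "direction": "request", "ts": "2011-03-02T09:00:00Z",
     "src_country": "DE", "method": "GET", "content_length": 0,
     "user_agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.24 Chrome/11.0"},
]

BROWSER_UA = re.compile(r"^(Mozilla|Opera)/\d")   # assumed shape of a browser UA
ODD_HOURS_UTC = range(2, 4)                       # 0200-0359Z, from the slide
ODD_HOURS_COUNTRIES = {"RU"}


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def get_with_content(r: Dict) -> bool:
    """HTTP GET that carries a request body."""
    return r.get("method") == "GET" and int(r.get("content_length") or 0) > 0


def post_at_odd_hours(r: Dict) -> bool:
    """HTTP POST from a watched country inside the odd-hours window."""
    return (r.get("method") == "POST"
            and r.get("src_country") in ODD_HOURS_COUNTRIES
            and parse_ts(r["ts"]).hour in ODD_HOURS_UTC)


def funky_user_agent(r: Dict) -> bool:
    """User-Agent missing or not shaped like a browser's."""
    return not BROWSER_UA.match(r.get("user_agent") or "")


def get_without_response(records: List[Dict]) -> List[int]:
    """Paired-traffic check: session ids whose GET request has no response record."""
    seen = defaultdict(set)
    for r in records:
        seen[r["session_id"]].add(r["direction"])
    return sorted(r["session_id"] for r in records
                  if r["direction"] == "request" and r.get("method") == "GET"
                  and "response" not in seen[r["session_id"]])


PER_REQUEST = {
    "http/get/with_content": get_with_content,   # fingerprint name from the slides
    "http/post/odd_hours": post_at_odd_hours,    # constructed name
    "http/user_agent/funky": funky_user_agent,   # constructed name
}


def run_heuristics(records: List[Dict]) -> Dict[str, List[int]]:
    """Map heuristic name -> sorted session ids it fired on."""
    hits = defaultdict(set)
    for r in records:
        if r["direction"] != "request":
            continue
        for name, check in PER_REQUEST.items():
            if check(r):
                hits[name].add(r["session_id"])
    for sid in get_without_response(records):
        hits["http/imbalance/get_without_response"].add(sid)
    return {k: sorted(v) for k, v in hits.items()}


if __name__ == "__main__":
    for name, sids in run_heuristics(RECORDS).items():
        print(f"{name}: sessions {sids}")
```

The three per-request checks need only the request itself; the imbalance check is the one the slide says XKEYSCORE does not do automatically, because it needs both sides of the session grouped together first, which is what the `seen` map does here.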
TOP SECRET//COMINT//REL TO USA, FVEY
Counter CNE Resources
• How to Discover Intrusions [using XKEYSCORE] by [names redacted] (paper)
• MHS INDEX - Foreign CNE Discovery Page: https://wiki.itd.nsa/wiki/Foreign_CNE_Discovery
• CSEC and GCHQ - DONUT (unknown protocols): https://tiso.sigint.cse/snipehunt/index.php/DONUT
• GCHQ Discovery posted some research on detecting Man-on-the-Side attacks: https://tiso.sigint.cse/snipehunt/index.php/MOTS
• GCHQ Disco Team posts POCs for different intrusions and some details: https://wiki.gchq/index.php/Discovery
• The GCHQ DISCO team also posts Discovery Theories they run once a week: https://wiki.gchq/index.php/Discovery_Afternoons
• XKEYSCORE Fingerprints
TOP SECRET//COMINT//REL TO USA, FVEY
Success Story: MHS INDEX
Using TAO-obtained Iranian implant encryption keys, inline decrypt using XKS microplugin - IRGC-QF keylogger data!
[Screenshot: XKEYSCORE C2C Session Viewer (https://xks-central.corp.nsa.ic.gov:8443/XKEYSCORE/...) in Mozilla Firefox, banner "This system is audited for USSID 18 and Human Rights Act compliance", classification TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL. Session dated 2011-03-28 19:51:28, case notation IRS1014, from an IP in Iran to the United States, port 42325 to 80, tcp, length 3203. Tabs: Session, Header (3), Attachments (2), Meta (9). Attachment keylogger.txt (virus scan: Clean, shown with the TXT formatter). One-click searches: Find fingerprint (ntoc/ntocg/malware/amulet..., botnet/AMULETSTELLAR/k...), Find traffic on <IP>, Find application mail/webmail/yahoo, Find proxy hash, Find opposite side of session. The decrypted keylogger text consists of window titles (a Yahoo! Mail tab in Mozilla Firefox, Yahoo! Messenger) interleaved with captured keystrokes, including a login sequence.]
TOP SECRET//COMINT//REL TO USA, FVEY
Points of Contact
• MHS Index Team: [redacted]@nsa.ic.gov
• CES/TRANSGRESSION
• NSA/Countering Foreign Intelligence: [redacted]@nsa.ic.gov
• NTOC ?? XKEYSCORE
TOP SECRET//COMINT//REL TO USA, FVEY