
TOP SECRET//COMINT//REL TO USA, FVEY


"Using the XKS CNE dataset and a DISGRUNTLEDDUCK fingerprint, we now see at least 21 TAO boxes with evidence of this intrusion set, most of which are associated with projects aimed at Iran WMD targets." ~ MHS, July 2010

March, 2011

Overall Classification

The overall classification of this presentation is:

TOP SECRET//COMINT//REL TO USA, FVEY

UNCLASSIFIED//FOUO

SECRET//COMINT//REL TO USA, FVEY

What is XKEYSCORE?

• A suite of software running on a Linux host
• Classically used for DNI processing, selection and survey
• A distributed hierarchy of servers at field sites and headquarters
  • Extract and tag metadata & content from traffic
  • Servicing analyst queries and workflows
• Web and programmatic front-ends

SECRET//COMINT//REL TO USA, FVEY


TOP SECRET//COMINT//REL TO USA, FVEY

[Screenshot: XKEYSCORE Metaviewer in Mozilla Firefox. The left panel lists result categories (Addresses, Machine Information, Network Information, Extracted Files, HTTP Activity, Logins and Passwords); the main panel is a results table with From IP, To IP, From/To Port, From/To Country (IP) and From/To City (IP) columns, the visible rows geolocated to FR / NEUILLY-SUR-SEINE.]

TOP SECRET//COMINT//REL TO USA, FVEY

TOP SECRET//COMINT//REL TO USA, FVEY

Example Search

Let's try a search for suspicious stuff... http_activity search, 5-eyes defeat, look for fingerprints:

ndist/discovery/heuristic/BHAM/get_with_content or http/get/with_content

While the search runs, some gotchas:
• You choose where your query is run
• Content and metadata age-off
• Burden is on user/auditor to comply with USSID-18 or other rules
• Geolocation based on IP

TOP SECRET//COMINT//REL TO USA, FVEY

SECRET//COMINT//REL TO USA, FVEY

Search Results

[Screenshot: XKEYSCORE C2C Session Viewer in Mozilla Firefox (xks-central.corp.nsa.ic.gov:8443), banner "This system is audited for USSID 18 and Human Rights Act compliance", CLASSIFICATION: SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL. One-click searches offered: Find fingerprint (ndist/discovery/heuristic/BHAM/get_with_content, http/get/with_content), Find traffic on IP, Find proxy hash, Find opposite side of session. Session content: a "GET /?... HTTP/1.0" request carrying a hexadecimal-looking User-Agent string, a Host header giving a 10.x address, "Content-Type: application/x-www-form-urlencoded" and "Connection: Keep-Alive", followed by "Reset from local".]

Notes:
• Strange User-Agent
• Probably NOT CNE but definitely something non-standard
• Content: maybe a HTTP tunnel for some weird protocol? Reset from Local...
• Should we write a Fingerprint?

SECRET//COMINT//REL TO USA, FVEY

SECRET//COMINT//REL TO USA, FVEY

Fingerprints and Appids

• Useful for identifying classes of traffic or particular targets (for SIGDEV or collection):
  mail/webmail/yahoo
  browser/cellphone/blackberry
  topic/s2B/chinese_missile
• appid - a contest, highest scoring appid wins
• fingerprint - many fingerprints per session
• microplugin - a fingerprint or appid that is relatively complex (e.g. extracts and databases metadata)

SECRET//COMINT//REL TO USA, FVEY

SECRET//COMINT//REL TO USA, FVEY

Fingerprints and Appids (more)

• Written in a language called "GENESIS" (go genesis-language):

  appid('encyclopedia/wikipedia', 2.0) = http_host('wikipedia' or 'wikimedia');

  fingerprint('dns/malware/MalwareDomains') = dns_host('erofreex.info' or 'datayakoz.info' or 'erogirlx.info' or 'pornero.info' or ...

• If a fingerprint contains a schema definition, a search form automatically appears in the XKEYSCORE GUI
• Power users can drop in to C++ to express themselves
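As an added illustration (not GENESIS and not any XKEYSCORE code), the following Python models the two rules the preceding slides state: the appid contest, in which the highest-scoring matching appid wins, and fingerprints, of which any number may attach to one session. The wikipedia appid and the dns/malware fingerprint conditions are transcribed from the slide's GENESIS examples; the field names (http_host, dns_host, method, content_length), the scores of the other appids and the sample sessions are assumptions constructed for the demo.

```python
"""Toy model of XKEYSCORE-style appids and fingerprints.

Added example for this page: this is not GENESIS and not XKEYSCORE code. It
encodes the two behaviours the slides describe: an appid is a contest in which
the highest-scoring matching appid wins, while every matching fingerprint is
attached to the session. Field names and sample data are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Session = Dict[str, str]            # a session reduced to its extracted metadata fields
Predicate = Callable[[Session], bool]


def http_host(*needles: str) -> Predicate:
    """True when any needle is a substring of the session's HTTP Host header."""
    return lambda s: any(n in s.get("http_host", "") for n in needles)


def dns_host(*domains: str) -> Predicate:
    """True when the DNS name queried in the session is one of the listed domains."""
    return lambda s: s.get("dns_host", "") in domains


def get_with_content(s: Session) -> bool:
    """An HTTP GET that carries a request body: the oddity the example search looked for."""
    return s.get("method") == "GET" and int(s.get("content_length", "0")) > 0


@dataclass(frozen=True)
class Appid:
    name: str
    score: float
    test: Predicate


@dataclass(frozen=True)
class Fingerprint:
    name: str
    test: Predicate


# The wikipedia appid and the dns/malware fingerprint follow the slide's GENESIS
# examples; the other two appids are constructed (their names appear on the
# slides, their conditions and scores do not).
APPIDS = [
    Appid("encyclopedia/wikipedia", 2.0, http_host("wikipedia", "wikimedia")),
    Appid("mail/webmail/yahoo", 3.0, http_host("mail.yahoo.com")),
    Appid("browser/generic", 1.0, lambda s: "http_host" in s),
]

FINGERPRINTS = [
    Fingerprint("dns/malware/MalwareDomains",
                dns_host("erofreex.info", "datayakoz.info", "erogirlx.info", "pornero.info")),
    Fingerprint("http/get/with_content", get_with_content),
]


def classify(session: Session) -> Tuple[Optional[str], List[str]]:
    """Run the appid contest and collect every matching fingerprint."""
    contenders = [a for a in APPIDS if a.test(session)]
    winner = max(contenders, key=lambda a: a.score, default=None)   # highest score wins
    fingerprints = sorted(f.name for f in FINGERPRINTS if f.test(session))
    return (winner.name if winner else None, fingerprints)


# Constructed sessions, not data from the page.
SAMPLE_SESSIONS: List[Session] = [
    {"http_host": "en.wikipedia.org", "method": "GET", "content_length": "0"},
    {"http_host": "us.mg4.mail.yahoo.com", "method": "POST", "content_length": "120"},
    {"dns_host": "datayakoz.info"},
    {"http_host": "10.0.0.7", "method": "GET", "content_length": "312"},
]


def run_demo() -> List[Tuple[Optional[str], List[str]]]:
    """Classify every sample session; returns one (appid, fingerprints) pair per session."""
    return [classify(s) for s in SAMPLE_SESSIONS]


if __name__ == "__main__":
    for session, result in zip(SAMPLE_SESSIONS, run_demo()):
        print(session, "->", result)
```

The second sample session matches both the yahoo appid and the generic browser appid, and the contest rule picks the higher score; the fourth carries a GET with a body and so picks up the http/get/with_content fingerprint on top of its appid.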

SECRET//COMINT//REL TO USA, FVEY

SECRET//COMINT//REL TO USA, FVEY

More about searches

• Many different searches
• Base search is Full Log DNI
• Depending on traffic type, will generate searchable results for (example):
  HTTP Activity
  Network Information
  GEO Info
  Extracted Files
  Email Addresses
  Registry
  Logins and Passwords
  Document Metadata
  Machine Info
• workflow - a user query that is run automatically, usually every 24 hours

SECRET//COMINT//REL TO USA, FVEY

SECRET//COMINT//REL TO USA, FVEY

XKEYSCORE Gotchas

• Not all sites run latest XKEYSCORE software or fingerprints
• Fingerprint submission: XKEYSCORE team weighs mission-worthiness of user fingerprints vs computational cost
• Content and metadata age-off

SECRET//COMINT//REL TO USA, FVEY

TOP SECRET//COMINT//REL TO USA, FVEY

XKEYSCORE CNE

• Lots of endpoint data flows into XKS: TAO (no ECIs), GCHQ (almost all)
• Other limited flows include SIGINT Forensics Center, TAO STAT
• XKEYSCORE works well for endpoint data
• Sometimes the paradigm breaks (e.g. collected browser history file)

TOP SECRET//COMINT//REL TO USA, FVEY

TOP SECRET//COMINT//REL TO USA, FVEY

XKEYSCORE CNE

• Payload types: dirwalk, extracted file, system survey, network config, captured credentials, registry query, key logger, etc.
• Labeled dnt_payload in appid/fingerprint ontology
• Let's look at some DANDERSPRITZ data...

TOP SECRET//COMINT//REL TO USA, FVEY

TOP SECRET//COMINT//REL TO USA, FVEY

XKEYSCORE CNE

[Screenshot: XKEYSCORE C2C Session Viewer in Mozilla Firefox, banner "This system is audited for USSID 18 and Human Rights Act compliance", CLASSIFICATION: TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL. An April 2011 session whose payload is a process list (one-click searches offered: Find fingerprint, Find application dnt_payload/processlist). The content is a series of <Process> records, each with a creationTime, a description ("Initial" or "Started"), pid and ppid attributes and the executable name; names visible include svchost.exe, spoolsv.exe, msdtc.exe, VMwareService.exe, explorer.exe, csrss.exe and winlogon.exe.]

TOP SECRET//COMINT//REL TO USA, FVEY

TOP SECRET//COMINT//REL TO USA, FVEY

XKEYSCORE CNE

• Recent Developments
  • Upgrade of XKEYSCORE CNE
  • Keyloggers: keylogger/perfect/extension
  • PCAP Reingestion
  • Router Redirection

TOP SECRET//COMINT//REL TO USA, FVEY

TOP SECRET//C0M1NT//REL TO USA, FVEY

Counter CNE Methodology (refer to Counter CNE Resources slide...)

• Hypothesis/research-driven
  • "Could South Korean CNE be using similar selectors to FVEY CNE?"
  • "What keywords could be used to find keyloggers?" (example: keylog OR keystroke)
• Bogus or Unusual Traffic
  • HTTP GET with content (example in this presentation)
  • HTTP POST at odd hours (from Russia 0200-0359Z)
  • Funky user agents
• Known-Host or User driven (e.g. drop sites)

XKEYSCORE is GOOD at these kinds of things

TOP SECRET//COMINT//REL TO USA, FVEY

TOP SECRET//COMINT//REL TO USA, FVEY

CNE-Specific

• Registry searches (e.g. SIMBAR)
• Fused Active/Passive search
  • common selectors
  • document hashes
• Known Processes (malicious executables or code) ... Let's enhance the process list appid
• map-reduce within CNE cluster using GENESIS calls
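An added example, not the slides' process list appid and not any XKEYSCORE code: a Python triage of a collected process list against a baseline of known processes, which is one way to act on the "Known Processes" bullet above. It flags a watchlisted executable name, names outside the baseline, and baseline processes whose parent is not the expected one. The XML layout is modeled loosely on the process-list payload in the earlier screenshot; the element and attribute names, the baseline table, the watchlist entry and the sample list are all constructed assumptions.

```python
"""Triage of a collected process list against a baseline of known processes.

Added example for this page, not the slides' process-list appid. The XML layout,
the baseline of expected parents, the watchlist and the sample data are
constructed assumptions for the demo.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Constructed sample, loosely modeled on the <Process> records in the screenshot.
SAMPLE_PROCESSLIST = """<ProcessList>
  <Process pid="4" ppid="0" description="Started">System</Process>
  <Process pid="392" ppid="4" description="Started">smss.exe</Process>
  <Process pid="420" ppid="392" description="Started">csrss.exe</Process>
  <Process pid="440" ppid="392" description="Started">winlogon.exe</Process>
  <Process pid="540" ppid="440" description="Started">services.exe</Process>
  <Process pid="1040" ppid="540" description="Started">svchost.exe</Process>
  <Process pid="1600" ppid="704" description="Started">explorer.exe</Process>
  <Process pid="2216" ppid="1600" description="Started">svch0st.exe</Process>
  <Process pid="2838" ppid="1600" description="Started">svchost.exe</Process>
</ProcessList>"""

# Expected parent of each baseline Windows XP-era system process (constructed).
# None means "do not check the parent" (it is the root, or the parent normally exits).
BASELINE_PARENT: Dict[str, Optional[str]] = {
    "System": None,
    "smss.exe": "System",
    "csrss.exe": "smss.exe",
    "winlogon.exe": "smss.exe",
    "services.exe": "winlogon.exe",
    "svchost.exe": "services.exe",
    "explorer.exe": None,
}

# Constructed watchlist entry: a look-alike of svchost.exe with a zero for the 'o'.
KNOWN_BAD = {"svch0st.exe"}

Finding = Tuple[int, str, str]   # (pid, process name, reason)


def parse_processlist(xml_text: str) -> Dict[int, Tuple[str, int]]:
    """Parse the list into {pid: (name, ppid)}."""
    root = ET.fromstring(xml_text)
    return {
        int(p.get("pid")): ((p.text or "").strip(), int(p.get("ppid")))
        for p in root.iter("Process")
    }


def triage_processes(xml_text: str) -> List[Finding]:
    """Report known-bad names, names outside the baseline, and baseline
    processes whose parent is not the expected one."""
    procs = parse_processlist(xml_text)
    findings: List[Finding] = []
    for pid, (name, ppid) in sorted(procs.items()):
        parent_name = procs.get(ppid, ("<absent>", -1))[0]
        if name in KNOWN_BAD:
            findings.append((pid, name, "known-bad name"))
        elif name not in BASELINE_PARENT:
            findings.append((pid, name, "not in baseline"))
        elif BASELINE_PARENT[name] is not None and parent_name != BASELINE_PARENT[name]:
            findings.append((pid, name, f"unexpected parent {parent_name}"))
    return findings


if __name__ == "__main__":
    for finding in triage_processes(SAMPLE_PROCESSLIST):
        print(finding)
```

The parent check is what catches the second svchost.exe in the sample: its name is in the baseline, but a service host spawned by explorer.exe rather than services.exe is worth an analyst's look even though nothing about the name itself is suspicious.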

TOP SECRET//COMINT//REL TO USA, FVEY

TOP SECRET//COMINT//REL TO USA, FVEY

XKEYSCORE Doesn't Do... at all (well, automatically, anyways)

• Paired traffic heuristic-based approach
  • HTTP[S] imbalance (e.g. GET without response)
  • IP/DNS mismatch* on an automatic basis
• Network or host characterization
• Changes in IP/DNS mapping over time
• Changes over time in malware comms
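An added example (not XKEYSCORE code) that encodes in Python the "bogus or unusual traffic" checks listed on the Counter CNE Methodology slide (GET with content, POST at odd hours from a given country, funky user agents) together with the paired-traffic imbalance check this slide says is left to the analyst (GET without response). The record layout, the user-agent shape test and the sample events are constructed assumptions; the 0200-0359Z window and the fingerprint-style flag names follow the slides.

```python
"""Heuristic triage of HTTP sessions for the unusual-traffic signs the
Counter-CNE slides list, plus the GET-without-response imbalance check.

Added example for this page, not XKEYSCORE code. The record layout, the
User-Agent shape test and the sample events are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class HttpEvent:
    ts: str                          # request time, ISO 8601 with zone
    src_country: str                 # geolocation of the client IP (slides: "based on IP")
    method: str
    host: str
    content_length: int              # request body size in bytes
    user_agent: str
    response_status: Optional[int]   # None when no response was observed in the session


# A conventional User-Agent opens with a product/version token, e.g. "Mozilla/5.0 (...)".
UA_SHAPE = re.compile(r"^[A-Za-z][\w.-]*/\d")


def is_odd_hour(ts: str, start: int = 2, end: int = 3) -> bool:
    """True when the UTC hour is within [start, end]; defaults give the slides' 0200-0359Z."""
    hour = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc).hour
    return start <= hour <= end


def flags_for(ev: HttpEvent, odd_hour_country: str = "RU") -> List[str]:
    """Return the heuristic flags raised by one request/response pair."""
    flags: List[str] = []
    if ev.method == "GET" and ev.content_length > 0:
        flags.append("http/get/with_content")             # GET carrying a body
    if ev.method == "POST" and ev.src_country == odd_hour_country and is_odd_hour(ev.ts):
        flags.append("http/post/odd_hours")               # POST in the 0200-0359Z window
    if not UA_SHAPE.match(ev.user_agent):
        flags.append("http/funky_user_agent")             # UA lacks a product/version shape
    if ev.method == "GET" and ev.response_status is None:
        flags.append("http/get/no_response")              # HTTP imbalance: request, no reply
    return flags


def triage(events: List[HttpEvent]) -> List[Tuple[str, List[str]]]:
    """Return [(host, flags)] for every event that raised at least one flag."""
    return [(ev.host, flags_for(ev)) for ev in events if flags_for(ev)]


# Constructed events, not data from the page.
SAMPLE_EVENTS = [
    HttpEvent("2011-03-28T19:51:28Z", "IR", "GET", "10.0.0.7", 312,
              "62S3LC333F62DA7233FD2C02", 200),
    HttpEvent("2011-04-12T02:37:10Z", "RU", "POST", "203.0.113.9", 2048,
              "Mozilla/5.0 (Windows NT 5.1)", 200),
    HttpEvent("2011-04-12T14:05:00Z", "US", "GET", "en.wikipedia.org", 0,
              "Mozilla/5.0 (X11; Linux)", 200),
    HttpEvent("2011-04-12T14:06:00Z", "FR", "GET", "203.0.113.7", 0,
              "Mozilla/4.0 (compatible; MSIE 6.0)", None),
]


if __name__ == "__main__":
    for host, flags in triage(SAMPLE_EVENTS):
        print(host, flags)
```

The first sample event raises two flags at once (a GET with a body and a User-Agent that is not of the product/version shape), which is the combination the "Search Results" slide's notes describe; the last event is the paired-traffic case that needs both halves of the session to be seen together.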

TOP SECRET//COMINT//REL TO USA, FVEY

TOP SECRET//COMINT//REL TO USA, FVEY

Counter CNE Resources

• How to Discover Intrusions [using XKEYSCORE] by [names redacted] (paper)
• MHS INDEX - Foreign CNE Discovery Page: https://wiki.itd.nsa/wiki/Foreign CNE Discovery
• CSEC and GCHQ - DONUT (unknown protocols): https://tiso.sigint.cse/snipehunt/index.php/DONUT
• GCHQ Discovery posted some research on detecting Man-on-the-Side attacks: https://tiso.sigint.cse/snipehunt/index.php/MOTS
• GCHQ Disco Team posts POCs for different intrusions and some details: https://wiki.gchq/index.php/Discovery
• The GCHQ DISCO team also posts Discovery Theories they run once a week: https://wiki.gchq/index.php/Discovery Afternoons
• XKEYSCORE Fingerprints

TOP SECRET//COMINT//REL TO USA, FVEY

TOP SECRET//COMINT//REL TO USA, FVEY

Success Story (MHS INDEX)

Using TAO-obtained Iranian implant encryption keys, inline decrypt using XKS microplugin - IRGC-QF keylogger data!

[Screenshot: XKEYSCORE C2C Session Viewer at https://xks-central.corp.nsa.ic.gov:8443/XKEYSCORE/layouts/popOutLayout.jsp, banner "This system is audited for USSID 18 and Human Rights Act compliance", CLASSIFICATION: TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL. Session dated 2011-03-28 19:51:28, case notation IRS1014, from an IP in Iran to the United States, port 42325 to port 80, tcp, length 3203; attachment keylogger.txt (virus scan results: Clean, displayed with the TXT formatter). One-click searches offered: Find fingerprint (ntoc/ntocg/malware/amulet, botnet/AMULETSTELLAR/...), Find traffic on 78.38.110.163 / 174.132.180.34, Find application mail/webmail/yahoo, Find proxy hash c8b0d875, Find opposite side of session. The decrypted keylogger text shows window titles such as "(2 unread) Yahoo! Mail ... - Mozilla Firefox", "The page at http://u3.mg4.mail.yahoo.com says:" and "Yahoo! Messenger", with keystrokes recorded as bracketed tokens ([Backspace], [Space], [Down], [Right Alt]) around a webmail login.]

TOP SECRET//COMINT//REL TO USA, FVEY

Points of Contact

MHS Index Team: [redacted]@nsa.ic.gov
CES/TRANSGRESSION: [redacted]
NSA/Countering Foreign Intelligence: [redacted]@nsa.ic.gov
NTOC ?? XKEYSCORE: [email redacted]

TOP SECRET//COMINT//REL TO USA, FVEY