XKS for Counter CNE
July 1, 2015
TOP SECRET//COMINT//REL TO USA, FVEY
"Using the XKS CNE dataset and a DISGRUNTLEDDUCK fingerprint, we now see at least 21 TAO boxes with evidence of this intrusion set, most of which are associated with projects aimed at Iran WMD targets." -- MHS, July 2010
Overall Classification
The overall classification of this presentation is:
TOP SECRET//COMINT//REL TO USA, FVEY
What is XKEYSCORE?
- A suite of software running on a Linux host
- Classically, used for DNI processing, selection and survey
- A distributed hierarchy of servers at field sites and headquarters
- Extracts and tags metadata and content from traffic
- Services analyst queries and workflows
- Web and programmatic front-ends
[Screenshot: the XKEYSCORE web front-end (a meta viewer page in Firefox) showing a results table of HTTP sessions with date/time, from/to address, port, protocol and length columns. The cell contents are not recoverable from the OCR.]
Example
- Let's try a search for suspicious traffic: http_activity search, 5-eyes defeat, look for fingerprints
- While the search runs, some gotchas:
  - You choose where your query is run
  - Content and metadata age-off
  - Burden is on user/auditor to comply with USSID-18 or other rules
  - Geolocation is based on IP
Search Results
[Screenshot: XKEYSCORE search results page in Firefox, with the session context menu (Find fingerprint, Find host) open; the banner reads "This system is audited for USSID 18 and Human Rights Act compliance". Annotations on the screenshot:]
- Probably NOT CNE, but definitely [...]
- Content: maybe a HTTP tunnel for some weird protocol?
- Should we write a fingerprint?
Fingerprints and Appids
- Useful for identifying classes of traffic or particular targets (for SIGDEV or collection), e.g.:
  mail/webmail/yahoo
  browser/cellphone/blackberry
  topic/s2b/chinese4missile
- appid: a contest, the highest-scoring appid wins (one per session)
- fingerprint: many fingerprints per session
- microplugin: a fingerprint or appid that is relatively complex (extracts and databases metadata)
Fingerprints and Appids (more)
- Written in a language called GENESIS (go genesis-language). Example fingerprint, only partly recoverable from the OCR:
  ... 2.0)
  ... or 'wikimedia');
  dns_host('erofreex.info' or 'datayakoz.info' or 'erogirlx.info' or 'pornero.info' or ...
- If a fingerprint contains a schema definition, a search form automatically appears in the XKEYSCORE GUI
- Power users can drop in to [...] to express themselves
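The appid contest, per-session fingerprint tagging and a metadata-extracting microplugin described on the two slides above, as an added Python example; this is not XKEYSCORE or GENESIS code. The Session fields, the appid scores, the "browser/generic" and "anomaly/get_with_body" names, the login form field names and the sample sessions are all assumptions; only the fingerprint/appid names and the dns_host('a' or 'b' ...) idea come from the slides.

```python
# Added example: toy model of appid contest + multi-fingerprint tagging + microplugin.
# Not XKEYSCORE/GENESIS code; fields, scores, extra names and sample traffic are assumptions.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qs


@dataclass
class Session:
    """One DNI session as a fingerprint sees it (field set is an assumption)."""
    dns_host: str = ""
    http_host: str = ""
    user_agent: str = ""
    method: str = ""
    body: bytes = b""


Predicate = Callable[[Session], bool]


@dataclass
class AppId:
    name: str
    score: float      # the "contest": the highest-scoring matching appid wins
    match: Predicate


@dataclass
class Fingerprint:
    name: str
    match: Predicate
    # Set on a "microplugin": extracts structured metadata to be databased.
    # The returned dict's keys double as the schema that would drive a search form.
    extract: Optional[Callable[[Session], Dict[str, str]]] = None


def dns_host(*hosts: str) -> Predicate:
    """Mimics the slide's dns_host('a' or 'b' or ...) construct."""
    wanted = set(hosts)
    return lambda s: s.dns_host in wanted or s.http_host in wanted


def yahoo_mail(s: Session) -> bool:
    return s.http_host.endswith("mail.yahoo.com")


def login_form(s: Session) -> Dict[str, str]:
    """Microplugin body: pull login/password out of a form POST (field names assumed)."""
    form = parse_qs(s.body.decode("utf-8", "replace"))
    return {"login": form.get("login", [""])[0], "password": form.get("passwd", [""])[0]}


APPIDS: List[AppId] = [
    AppId("browser/cellphone/blackberry", 2.0, lambda s: "BlackBerry" in s.user_agent),
    AppId("mail/webmail/yahoo", 1.5, yahoo_mail),
    AppId("browser/generic", 0.5, lambda s: s.user_agent.startswith("Mozilla/")),
]

FINGERPRINTS: List[Fingerprint] = [
    Fingerprint("porn/hosts", dns_host("erofreex.info", "datayakoz.info",
                                       "erogirlx.info", "pornero.info")),
    Fingerprint("mail/webmail/yahoo", yahoo_mail),
    Fingerprint("anomaly/get_with_body", lambda s: s.method == "GET" and len(s.body) > 0),
    Fingerprint("mail/webmail/yahoo/login",
                lambda s: yahoo_mail(s) and s.method == "POST" and b"passwd=" in s.body,
                extract=login_form),
]


def classify(s: Session) -> Tuple[Optional[str], List[str], Dict[str, Dict[str, str]]]:
    """Return (winning appid, every matching fingerprint, metadata from microplugins)."""
    contenders = [a for a in APPIDS if a.match(s)]
    appid = max(contenders, key=lambda a: a.score).name if contenders else None
    hits: List[str] = []
    metadata: Dict[str, Dict[str, str]] = {}
    for fp in FINGERPRINTS:          # unlike appids, every matching fingerprint is kept
        if fp.match(s):
            hits.append(fp.name)
            if fp.extract is not None:
                metadata[fp.name] = fp.extract(s)
    return appid, hits, metadata


# Constructed sample traffic (not real sessions).
SAMPLE = [
    Session(dns_host="us.mail.yahoo.com", http_host="us.mail.yahoo.com",
            user_agent="BlackBerry9700/5.0.0.862 Profile/MIDP-2.1",
            method="POST", body=b"login=target%40yahoo.com&passwd=hunter2&.persistent=y"),
    Session(dns_host="erofreex.info", http_host="erofreex.info",
            user_agent="Mozilla/5.0 (Windows NT 6.1)", method="GET",
            body=b"\x00\x01\x02beacon"),
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(classify(s))
```

The first sample session matches both the BlackBerry and the Yahoo appid, and the contest resolves it to the higher-scoring browser/cellphone/blackberry, while both Yahoo fingerprints still fire and the login microplugin records the credentials; the second session shows a GET carrying a body, the "GET with content" oddity the later counter-CNE slide calls out.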
More about searches
- Many different searches
  - Base search is Full Log DNI
  - Depending on traffic type, will generate searchable results for (example): HTTP Activity, Network Information, GEO Info, Extracted Files, Email Addresses, Registry, Logins and Passwords, Document Metadata, Machine Info
- workflow: a user query that is run automatically, usually every 24 hours
- Not all sites run the latest XKEYSCORE software or fingerprints
- Fingerprint submission: the XKEYSCORE team weighs mission-worthiness of user fingerprints vs computational cost
- Content and metadata age-off
Lots of endpoint data flows into XKS
- TAO (no ECIs), GCHQ (almost all)
- Other limited flows include SIGINT Forensics Center, TAO STAT
- XKEYSCORE works well for endpoint data
- Sometimes the paradigm breaks (e.g. a collected browser history file)
- Payload types: dirwalk, extracted file, system survey, network config, captured credentials, registry query, key logger, etc.
- Labeled dnt_payload in the appid/fingerprint ontology
- Let's look at some DANDERSPRITZ [...]
XKEYSCORE CNE [...]
[Screenshot: XKEYSCORE session view in Firefox of a DANDERSPRITZ process-list payload. The visible records are a series of <Process creationTime=... description='Initial' or 'Started' pid=... ppid=... > entries with process paths; the individual values are not recoverable from the OCR. Classification banner: TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL; the page footer reads "This system is audited for USSID 18 and Human Rights Act compliance".]
XKEYSCORE - Recent Developments
- Upgrade of XKEYSCORE CNE
- Keyloggers: keylogger/perfect/extension
- PCAP reingestion
- Router redirection
Counter CNE Methodology
(refer to Counter CNE Resources)
[Image: not recoverable from the OCR]
- Hypothesis/research-driven
  - "Could South Korean CNE be using similar selectors to FVEY?"
  - "What keywords could be used to find keyloggers?" (example: keylog OR keystroke)
- Bogus or unusual traffic
  - GET with content (example in this presentation)
  - HTTP POST at odd hours (from Russia, 0200-0359Z)
  - Funky user agents
  - Known-host or user-driven (drop sites)
- XKEYSCORE is GOOD at these kinds of things
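The "bogus or unusual traffic" heuristics on this slide, run over a handful of constructed HTTP session records, as an added Python example; this is not XKEYSCORE code. The record layout, the src_country codes, the list of "normal" user-agent prefixes, the printable-ASCII test and the drop-site threshold are assumptions. Timestamps are normalised to UTC so the 0200-0359Z window is checked against Zulu time rather than whatever local offset the collection site stamped; session s3 is there to show a stamp that looks like 0340 local but is 0040Z.

```python
# Added example: the slide's unusual-traffic heuristics over constructed session records.
# Not XKEYSCORE code; record fields, UA prefix list and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List

# Prefixes a "normal" user agent is expected to start with (assumption; extend per site).
NORMAL_UA_PREFIXES = ("Mozilla/", "Opera/", "curl/", "Wget/", "Microsoft-CryptoAPI/")


def odd_hours_utc(ts: str, start: int = 2, end: int = 4) -> bool:
    """True when the timestamp falls in [start, end) hours UTC: 0200-0359Z by default.
    Timestamps must carry an offset so local-time stamps get normalised to Zulu."""
    t = datetime.fromisoformat(ts)
    if t.tzinfo is None:
        raise ValueError("timestamp needs a UTC offset: %r" % ts)
    return start <= t.astimezone(timezone.utc).hour < end


def funky_user_agent(ua: str) -> bool:
    """Empty, oversized, non-printable or unfamiliar user agents all count as 'funky'."""
    if not ua or len(ua) > 512:
        return True
    if any(not 0x20 <= ord(c) <= 0x7E for c in ua):
        return True
    return not ua.startswith(NORMAL_UA_PREFIXES)


def flag_session(rec: Dict) -> List[str]:
    """Apply the slide's heuristics to one HTTP session record; return the reasons that fired."""
    reasons: List[str] = []
    if rec["method"] == "GET" and rec["request_body_len"] > 0:
        reasons.append("GET with content")
    if rec["method"] == "POST" and rec["src_country"] == "RU" and odd_hours_utc(rec["ts"]):
        reasons.append("POST at odd hours (0200-0359Z) from RU")
    if funky_user_agent(rec["user_agent"]):
        reasons.append("funky user agent")
    if rec["method"] == "GET" and rec["response_status"] is None:
        reasons.append("GET without response")
    return reasons


def drop_site_candidates(records: List[Dict], min_sources: int = 2) -> List[str]:
    """Hosts receiving flagged POSTs from several distinct sources: drop-site candidates."""
    posters: Dict[str, set] = defaultdict(set)
    for r in records:
        if r["method"] == "POST" and flag_session(r):
            posters[r["http_host"]].add(r["src_ip"])
    return sorted(h for h, srcs in posters.items() if len(srcs) >= min_sources)


# Constructed session records (not real traffic).
SAMPLE: List[Dict] = [
    dict(id="s1", ts="2011-03-23T15:51:23+00:00", src_ip="10.0.0.5", src_country="IR",
         http_host="update.example.test", method="GET", request_body_len=512,
         response_status=200, user_agent="Mozilla/5.0 (Windows NT 6.1)"),
    dict(id="s2", ts="2011-03-24T02:17:00+00:00", src_ip="10.0.0.6", src_country="RU",
         http_host="drop.example.test", method="POST", request_body_len=2048,
         response_status=200, user_agent="x-client/1.0"),
    dict(id="s3", ts="2011-03-24T03:40:00+03:00", src_ip="10.0.0.8", src_country="RU",
         http_host="news.example.test", method="POST", request_body_len=64,
         response_status=200, user_agent="Mozilla/4.0 (compatible; MSIE 7.0)"),
    dict(id="s4", ts="2011-03-24T02:05:00+00:00", src_ip="10.0.0.7", src_country="RU",
         http_host="drop.example.test", method="POST", request_body_len=4096,
         response_status=200, user_agent="\x01\x02"),
    dict(id="s5", ts="2011-03-24T09:00:00+00:00", src_ip="10.0.0.9", src_country="CN",
         http_host="cdn.example.test", method="GET", request_body_len=0,
         response_status=None, user_agent="Mozilla/5.0 (X11; Linux x86_64)"),
]


def run(records: List[Dict] = SAMPLE) -> Dict[str, List[str]]:
    """Flag every record; returns {session id: [reasons]}."""
    return {r["id"]: flag_session(r) for r in records}


if __name__ == "__main__":
    for sid, reasons in run().items():
        print(sid, reasons)
    print("drop-site candidates:", drop_site_candidates(SAMPLE))
```

Each heuristic on its own is noisy (plenty of legitimate clients have odd user agents), which is why the slide pairs them with the known-host/drop-site angle: drop_site_candidates only reports a host once several distinct sources have POSTed to it with at least one oddity attached.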
CNE-Specific
- Registry searches (SIMBAR)
- Fused active/passive search
  - common selectors
  - document hashes
  - known processes (malicious executables or code)
- Let's enhance the process list appid
  - map-reduce within the CNE cluster using GENESIS calls
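A small map/reduce over process-list payloads that does a fused known-process search (by name and by hash) and rolls up per-process prevalence across hosts, as an added Python example; it is not XKEYSCORE, GENESIS or DANDERSPRITZ code. The XML element and attribute names follow what is visible in the screenshot earlier in the deck (Process, creationTime, description, pid, ppid); the path and sha256 attributes, the host names, the indicator values (SIMBAR is only a search term on the slide) and the payloads themselves are constructed for the example.

```python
# Added example: map/reduce over constructed process-list payloads with a fused
# name+hash indicator match. Not XKEYSCORE/GENESIS/DANDERSPRITZ code; the XML layout
# beyond the attribute names seen in the screenshot, and all values, are assumptions.
import hashlib
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple
import xml.etree.ElementTree as ET

# Indicators for the fused search (both constructed for the example).
BAD_HASH = hashlib.sha256(b"constructed-implant-sample").hexdigest()
KNOWN_BAD_SHA256: Set[str] = {BAD_HASH}
KNOWN_BAD_NAMES: Set[str] = {"simbar.exe"}

_T = 'creationTime="2011-03-23 15:51:23"'
_BASE = (
    f'  <Process {_T} description="Initial" pid="4" ppid="0" path="System"/>\n'
    f'  <Process {_T} description="Initial" pid="360" ppid="4" path="\\SystemRoot\\System32\\smss.exe"/>\n'
    f'  <Process {_T} description="Initial" pid="420" ppid="360" path="C:\\WINDOWS\\system32\\csrss.exe"/>\n'
    f'  <Process {_T} description="Initial" pid="880" ppid="600" path="C:\\WINDOWS\\system32\\svchost.exe"/>\n'
    f'  <Process {_T} description="Initial" pid="1504" ppid="1460" path="C:\\WINDOWS\\explorer.exe"/>\n'
)
# Three constructed hosts: one with a known-bad name, one with a known-bad hash under a
# look-alike name, one clean.
PAYLOADS: Dict[str, str] = {
    "host-a": "<ProcessList>\n" + _BASE +
              f'  <Process {_T} description="Started" pid="2215" ppid="1504" '
              'path="C:\\Program Files\\SimBar\\simbar.exe"/>\n</ProcessList>',
    "host-b": "<ProcessList>\n" + _BASE +
              f'  <Process {_T} description="Started" pid="723" ppid="880" '
              f'path="C:\\WINDOWS\\Temp\\svchosts.exe" sha256="{BAD_HASH}"/>\n</ProcessList>',
    "host-c": "<ProcessList>\n" + _BASE + "</ProcessList>",
}


def parse_processes(xml_text: str) -> List[Dict[str, str]]:
    """Turn a payload into a list of attribute dicts, one per <Process>."""
    return [dict(p.attrib) for p in ET.fromstring(xml_text).iter("Process")]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def map_host(host: str, xml_text: str) -> Tuple[str, Set[str], List[Dict[str, str]]]:
    """Map step: one host's payload -> (host, process names seen, indicator hits)."""
    procs = parse_processes(xml_text)
    names = {basename(p["path"]) for p in procs}
    hits = [p for p in procs
            if basename(p["path"]) in KNOWN_BAD_NAMES or p.get("sha256") in KNOWN_BAD_SHA256]
    return host, names, hits


def reduce_hosts(mapped: Iterable[Tuple[str, Set[str], List[Dict[str, str]]]]):
    """Reduce step: per-process prevalence across hosts plus the hits keyed by host."""
    prevalence: Counter = Counter()
    hits_by_host: Dict[str, List[Dict[str, str]]] = {}
    for host, names, hits in mapped:
        prevalence.update(names)
        if hits:
            hits_by_host[host] = hits
    return prevalence, hits_by_host


def rare_processes(prevalence: Counter, n_hosts: int, max_fraction: float = 0.34) -> List[str]:
    """Processes seen on at most max_fraction of hosts: candidates for a closer look
    even when no indicator matched."""
    return sorted(n for n, c in prevalence.items() if c / n_hosts <= max_fraction)


def run():
    return reduce_hosts(map(lambda kv: map_host(*kv), PAYLOADS.items()))


if __name__ == "__main__":
    prevalence, hits = run()
    print("indicator hits:", {h: [basename(p["path"]) for p in ps] for h, ps in hits.items()})
    print("rare processes:", rare_processes(prevalence, len(PAYLOADS)))
```

The name match catches the SimBar install on host-a, the hash match catches the renamed binary on host-b even though "svchosts.exe" is meant to blend in, and the prevalence roll-up surfaces both as rare across the fleet without any indicator at all, which is the kind of sweep a per-session fingerprint cannot do on its own.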
XKEYSCORE weeps
- Not at all (well, automatically, anyways)
- Paired traffic, heuristic-based approach
  - imbalance (GET without response)
  - mismatch*
  - on an automatic basis
- Network or host characterization
  - changes in mapping over time
  - changes over time in malware comms
Counter CNE Resources
- How to Discover Intrusions [using ...] by [...] (paper)
- MHS INDEX Foreign CNE Discovery Page
- CNE Discovery
- CSEC and GCHQ DONUT (unknown protocols)
- GCHQ Discovery posted some research on detecting Man-on-the-Side attacks
- GCHQ Disco team posts for different intrusions and some details
- The GCHQ DISCO team also posts Discovery Theories they run once a week: [...] Afternoons
- XKEYSCORE Fingerprints
(links are not recoverable from the OCR)
Success Story
Using TAO-obtained Iranian implant keys, inlin[...] using XKS microplugin keylogger data!
[Screenshot: XKEYSCORE session viewer in Firefox, session dated 2011-03-23 15:51:23, showing a keylogger payload: captured window titles (a webmail inbox in Mozilla Firefox and a messenger window) with keystrokes such as [Backspace], [Right Alt] and [space] rendered inline, and the session context menu (Find fingerprint, Find traffic, Find application mail/webmail/yahoo, Find ... hash, Virus scan results). Classification banner: TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL; footer "This system is audited for USSID 18 and Human Rights Act compliance".]
- MHS Index Team: [...]@nsa.ic.gov
- [...]RESSION
- NSA/Countering Foreign Intelligence (NTOC)
- XKEYSCORE