TOP SECRET//COMINT//REL TO USA, FVEY

SPINALTAP: Making Passive Sexy for Generation Cyber
U//FOUO

SPINALTAP
o Extracts selectors from TAO/SFC/GCHQ boxes that should also appear in passive collection
o Translates selectors from active context to passive context
o Creates fingerprints to label passive collection related to endpoint-derived selectors
o Automated
o Scalable

SPINALTAP
[Diagram: fingerprints generated for one box, WICKEDAMP11]
o endpoint_related/WICKEDAMP11/user
o endpoint_related/WICKEDAMP11/network
o endpoint_related/WICKEDAMP11/machineID
o endpoint_related/WICKEDAMP11/cypher_key
o endpoint_related/WICKEDAMP11/attached_device
Source artifacts: serial numbers, host MACs, usernames, machineIDs, browser tags
[Screenshots: cookie files (user@yahoo[2].txt), system information (Gateway Model M-6884, domain, domain role), registry keys under hkey_local_machine\catalogs and hkey_local_machine\software, a Yahoo B cookie value]

Selector Types
o Machine IDs
  - Cookies: Hotmail GUIDs, Google prefIDs, Yahoo Bcookies, mailru MRCU, yandex Uid, twitterHash, rambler RUID, facebookMachine, doubleclickID
  - Serial numbers
  - Browser tags: Simbar, ShopperReports, SILLYBUNNY
  - Windows Error IDs
  - Windows Update IDs
o Attached Devices
  - IMEIs for phones: Apple IMEIs, Nokia IMEIs
  - UDIDs: Apple UDIDs
  - Bluetooth: Device Name, Device Address
o User Leads
  - User selectors from cookies, registry and profile folders: msnpassport, google, yahoo, Youtube, Skype, Paltalk, Fetion
  - hotmailCID
  - STARPROC-identified active users
o Cipher Keys
  - Cipher keys uniquely identified to a user: ejKeyID
o Network
  - Wireless MACs
  - VSAT MACs and IPs

Network Level Selectors
o putty
o winscp
o ARP
o Windows terminal services

Active/Passive Map
1. XKS fingerprints parse files collected from endpoint accesses and feed the active_passive_map microplugin
2. Micro-plugin feeds the SPINALTAP Database (GUI); the SPINALTAP Database generates fingerprints
3. CNE: analysts can query the microplugin to see what selectors have been extracted for their target projects
[Screenshot: microplugin query results with columns relationship_type, relationship_value, Input Source (e.g. ACRIDMINI); relationship types shown include serial_number_dell, windowsupdateGUID, yahooUser, realm_mid_GooglePREF]

Sample Lifecycle: DARKSCREW46
o Machine Info (relationship_type / relationship_value / Input Source): serial_number_lenovo, hotmailGUID (4 values), doubleclickID (2), facebookMachine, GooglePREFID (3), yahooBcookie; Input Source DARKSCREW46 throughout [identifier values not reproduced]
o Last Collection (limit 3 listed): 2012-02-12, 2012-02-08, 2012-02-06
o Categorized Collection: [table with From IP, To IP, Sigad, Application Type (mail, MX client, chat)]
o Fingerprints generated:
  - endpoint_related/DARKSCREW46/machineID/nsa/cne/GooglePREFID, hotmailGUID, serial_number, yahooBcookie
  - endpoint_related/DARKSCREW46/user/nsa/cne/yahooUser, skypeHash

Improving CNE Collection
o Pushed for routine, standardized collection of artifacts containing useful selectors to support SPINALTAP
o Registry: additions to SIGDEV survey to collect new registry keys and values
o Files: broad, repeated cookie collection via additions to SIGDEV survey
o Directories: dirwalks already standardized, no changes necessary

SPINALTAP Fingerprints
o 31168 active fingerprints
o Fingerprints for 722 projects
  - 488 TAO CNE projects
  - 7 GCHQ CNE projects
  - 227 SFC Forensics projects
o Fingerprints for 6188 unique machines

Fingerprint class        Count
attached_device          1102
user                     23173
machineID                5599
cipher_key               1293

Owner                    Count
NSA TAO                  29361
NSA SFC                  1745
GCHQ CNE                 61

Fingerprint naming: endpoint_related/BOXNAME/id_class/agency_owner/source/id_type
o endpoint_related/STONEHENGE18/user/nsa/cne/skypeHash
o endpoint_related/DEADDRUMMER10/machineID/gchq/cne/simbar
o endpoint_related/FREEFLOWERPEOPLE1/attached_device/nsa/forensic/appleUDID

SPINALTAP Fingerprint Hits (since July 2011)
o 8395 hits from 2087 unique fingerprints
o Hits from 1619 unique boxes (26%)
o Selectors from 26% of TAO machines are seen in passive

Sigad      AppID Fingerprint
USJ-759A   endpoint_related/SILV...
UKJ-260D   endpoint_related/SILVERJU...
UKC-302A   endpoint_related/SLYNINJA1...
UKJ-260D   endpoint_related/SLYWIZARD16/user/nsa/cne/yahooUser
UKJ-260D   endpoint_related/SLYWIZARD21/user/nsa/cne/skypeuser
UKJ-260D   endpoint_related/SPARTANFURY16/user/nsa/cne/skypeuser
DS-300     endpoint_related/STRAITLACED554/user/nsa/cne/yahooUser
DS-300     endpoint_related/SWITCHDOWN_IR_BR152/user/nsa/cne/yahooUser
DS-300     endpoint_related/SWITCHDOWN_IR_BR245/user/nsa/cne/yahooUser
DS-300     endpoint_related/SWITCHDOWN_IR_BR246/user/nsa/cne/yahooUser
UKC-302A   endpoint_related/THIEVESQUARTER25/user/nsa/cne/yahooUser
DS-300     endpoint_related/WATERCASKET103/machineID/nsa/cne/simbar

Hits by Project / Site
[Charts: Unique Machines Seen by Project; Unique Boxes Seen by Project; Unique Machines Seen by SIGAD]
Top 15 projects: FOXACID, ATOMICMONKEY, DRINKMINT, DARKFIRE, ANCIENTBREW, SILVERJUMP, MUSHROOMKINGDOM, FIRESWAMP, SHAKEWEIGHT, OPTIMUSPRIME, ATOMICFIREBALL, WOLFACID_ZINC, SWITCHDOWN_IR_BR, TOXICSNOW, DARKTHUNDER
o 1619 unique machines seen
o At 68 different sigads
o Using 31 different ID types

Application: Exfil Opportunities
[Chart: LIQUIDSTEEL machines with passive access]

Application: Bearer Prioritization
[Screenshot: case-notation scoring view (casntotalscore, topic, weight, interval, description, valid length). Casenotations receive points for each SPINALTAP correlation seen and for each CNE project; the example casn on USJ-759A is correlated with cne_related fingerprints for ANCIENTBREW115, CHOCOLATESHIP2, CUDDLYBADGER16, DARKTHUNDER84, DISTORTAFFECT1 and DRINKMINT158/195/322/350/384/410/420 (user/nsa/yahooUser or email), with last-seen dates between 2011-12-20 and 2012-02-12]

Application: Target Relationships
[XKEYSCORE screenshot: histogram grid of results by Input Source, e.g. WOLFACID_PRECIOUS5 (82), DOUBLETAP23 (45), DOUBLETAP14 (33), WOLFACID_URANIUM1 (24), WOLFACID_IODINE1 (16), WOLFACID_PRECIOUS4 (13), WOLFACID_ARGON3 (12), WOLFACID_IRON10 (12), plus ATOMICFOG, OFFICELINEBACKER105, OFFICELINEBACKER90, DOUBLETAP11, WOLFACID_BARIUM49. Results are tagged with the ejkeyid fingerprint and with fingerprints of the form hit/payload/file/cne/technique/unitedrake/cyber/cyberquest/cno/activity/hit/payload/header/parsed/encryption (also danderspritz), dated 2011-05-20 through 2011-12-14]

Application: Selector Discovery
[XKEYSCORE session view: Country PK, City KARACHI, Start 2012-04-27 14:46:46, Stop 2012-04-27 14:49:21, Duration 3 min, Sigad UKC-302A. Fingerprints: defeat/xks/yahoo/insider/client/ad/get and endpoint_related/atomicmonkey372/machineid/nsa/cne/simbar. Hosts: insider.msg.yahoo.com, us.adserver.yahoo.com. User agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1). Accounts: yahooBcookie, Role unknown, State active]
Note: icons on this page represent categories of services (e.g. web searches, VoIP, browsers) provided by established commercial firms. They do NOT identify targeted firms.

Application: Mitigate
[Screenshot of a tool with tabs REENABLE, Mitigate, Collect, Combine]

id_type    machine_name          q_technique  sigad     opportunity_type  unique_count
yahooUser  TOXICSNOW72           QDIRK        USJ-759A  CONFIRMED         26
yahooUser  ATOMICMONKEY330       QDIRK        USJ-759A  POTENTIAL         5
yahooUser  SLYNINJA150           QDIRK        USJ-759A  POTENTIAL         4
yahooUser  SLYNINJA150           QDIRK        USJ-759A  CONFIRMED         27
yahooUser  SLYNINJA151           QDIRK        USJ-759A  CONFIRMED         3
yahooUser  MUSHROOMKINGDOM143    QDIRK        USJ-759A  CONFIRMED         2
yahooUser  ATOMICMONKEY200       QDIRK        USJ-759A  UNKNOWN           1
facebook   OFFICELINEBACKER21    QBISCUIT     DS-300    CONFIRMED         2
yahooUser  SWITCHDOWN_IR_BR154   QBISCUIT     DS-300    UNKNOWN           1
yahooUser  SPARTANFURY35         QBISCUIT     DS-300    CONFIRMED         2
yahooUser  OPTIMUSPRIME222       QBISCUIT     DS-300    UNKNOWN           2
yahooUser  SPARTANFURY64         QBISCUIT     DS-300    UNKNOWN           33
facebook   STRAITLACED435        QBISCUIT     DS-300    UNKNOWN           3
yahooUser  WATERCASKET88         QBISCUIT     DS-300    UNKNOWN           11
yahooUser  SPARTANFURY35         QBISCUIT     DS-300    UNKNOWN           2
facebook   DOUBLETAP27           QBISCUIT     DS-300    POTENTIAL         2
yahooUser  WATERCASKET103        QBISCUIT     DS-300    UNKNOWN           6
yahooUser  WATERCASKET27         QBISCUIT     DS-300    UNKNOWN           15
yahooUser  OPTIMUSPRIME353       QBISCUIT     DS-300    CONFIRMED         11
yahooUser  SPARTANFURY35         QBISCUIT     DS-300    POTENTIAL         1
yahooUser  OPTIMUSPRIME353       QBISCUIT     DS-300    UNKNOWN           7
yahooUser  OPTIMUSPRIME353       QBISCUIT     DS-300    POTENTIAL         9
yahooUser  SPARTANFURY35         QBISCUIT     DS-300    CONFIRMED         1
yahooUser  SPARTANFURY45         QBISCUIT     DS-300    CONFIRMED         14
[Further columns (Sigad, last seen) list UKJ-260C / UKJ-260D and timestamps between 2011-10-11 and 2012-01-11]

Combine: XKEYSCORE Map/Reduce Results
QTM Opportunities with GMPLACE Callback Analytics: Lost Implants (QUANTUM_Data, QuantumReenable). Last updated Thu May 31 09:57:24 2012.

id_type    machine_name      opportunity_type  technique  sigad    last_callback
yahooUser  ATOMICMONKEY108   UNKNOWN           QBISCUIT   US-3171  2012-04-08T10:42:30
yahooUser  DARKFIRE1086      POTENTIAL         QBISCUIT   US-3171  2012-04-04T03:16:14
yahooUser  ATOMICMONKEY496   POTENTIAL         QBISCUIT   US-3171  2012-04-08T10:37:00
facebook   DARKFIRE1082      CONFIRMED         QDIRK      US-3171  2012-04-13T06:32:17
yahooUser  ATOMICMONKEY496   CONFIRMED         QDIRK      US-972U  2012-04-08T10:37:00
yahooUser  COBALTGUPPY36     CONFIRMED         QBISCUIT   US-3171  2012-04-16T10:31:57

Future Work
o Further automate extraction/fingerprint creation (currently weekly)
o Provide access to SPINALTAP DB via GUI
o Support for new ID types
  - MAC addresses
o Expansion of SFC-related fingerprints
o Expansion of 2nd Party CNE-related fingerprints
o Deprecation/expiration of fingerprints
o Improve private network identification
o Provide as enrichment source to other tools

Hits - All Projects
[Chart listing every project with fingerprint hits; the project codename list is not reproduced]

Contributions
S32361, S31322

Windows Error Reports
o Windows crash reports in passive
  - Identify application crashes on TAO targets
  - Another data point to correlate active/passive collection
  - Identify applications of interest on TAO machines
o Track 4th Party tools
  - Crashes from attributed dlls identify targets of foreign CNE
  - Analytics may be able to highlight suspicious processes

Windows Error Reports
Detailed error and target system info for troubleshooting, tracking and maintenance.

Event Type  Exception Code  Exception Offset  Fault Module Timestamp  Count
APPCRASH    c0000005        01cb3aa6          411096b4                8
APPCRASH    c0000005        01903aa6          411096b4                6
APPCRASH    c0000005        03573aa6          411096b4                6
APPCRASH    c0000005        047b3aa6          411096b4                6
APPCRASH    c0000005        01bf3aa6          411096b4                4
APPCRASH    c0000005        03993aa6          411096b4                2
BEX         00653aa6        c0000005          411096b4                2
BEX         01e13aa6        c0000005          411096b4                2
BEX         01f63aa6        c0000005          411096b4                2
BEX         03083aa6        c0000005          411096b4                2
BEX         03bd3aa6        c0000005          411096b4                2
BEX         0ca13aa6        c0000005          411096b4                2

System Manufacturer        System Product Name         BIOS Version  Count
FUJITSU SIEMENS            AMILO Pro V2040             R01-A1B       30
Hewlett-Packard            Presario CQ56 Notebook PC   F.05          14
TOSHIBA                    SATELLITE U500              1.50          6
TOSHIBA                    Satellite C640              1.50          3
Hewlett-Packard            HP Mini 110-3700            F.23          2
TOSHIBA                    Satellite L300              1.40          2
TOSHIBA                    Satellite L635              1.40          2
TOSHIBA                    Satellite P105              V3.30         2
Dell Inc.                  OptiPlex 755                A09           1
System manufacturer        System Product Name         0701          1
[Application Version / OS Version counts: IE8 builds 8.0.7600.x and 8.0.7601.17514 on Windows 7 (6.1.7600 and 6.1.7601)]

Crashes on TAO Targets: SLYNINJA151
Registry keys from CNE (Value Name / Value Type / Display Content):
o errorport            REG_SZ     \WindowsErrorReportingServicePort
o machineid            REG_SZ     [value not reproduced]
o maxqueuesizepercentage  REG_DWORD  00000001
o purgethreshholdvalueinkb  REG_DWORD  0000000A
o servicetimeout       REG_DWORD  0000EA60
Error report in passive:
GET /StageOne/Generic/BEX/iexplore_exe/8_0_7601_17514/4ce79912/TEBHO_dll_unloaded/0_0_0_0/4e4178b9/603f/4300c0000005/0000000S.htm?LCID=...&OS=6.1.7601.2.00010100.1.0.1.17514&BV=F.03&SM=Hewlett-Packard&SPN=HP Pavilion dm3 Notebook PC HTTP/1.1
Connection: Keep-Alive
User-Agent: MSDW
Host: watson.microsoft.com
Passive access to CNE target (Application Name / Sigad / Casenotation):
o iexplore.exe     USJ-759A  E9DCJ00000M0000
o AcroRd32.exe     USJ-759A  E9DCJ00000M0000
o Flash Games.exe  USJ-759A  E9DCJ00000M0000

Windows Error Reports
o Similar work completed for Windows Update
  - April 2012
  - 2827 Windows Update and Windows Error IDs from endpoints
  - 17 CNE machines found in passive: 8 for the first time; for the other 9 it's the first time with MachineID
o Crashes from 4th party tools
  - At least one crash report from a likely 4th party found
  - Ingesting into The Cloud for Whizbang analytics
  - Crashes from target networks
  - Crashes of uncommon dlls
  - Crashes of known 4th party dlls

But Also...
o Windows crash reports in passive
  - Reveal crashes of TAO tools on targets
  - Troubleshoot problems with TAO tools
  - Identify OPSEC issues from repeated crashes

Datetime             Application Name  Fault Module Name
2012-01-19 11:57:45  iexplore.exe      dll_unloaded
2012-01-19 11:57:45  iexplore.exe      dll_unloaded
2012-01-19 11:57:45  iexplore.exe      dll_unloaded
2012-01-19 07:44:28  iexplore.exe      dll_unloaded
2012-01-19 11:57:45  iexplore.exe      dll_unloaded
2012-01-19 18:57:11  iexplore.exe      dll_unloaded
2012-01-19 19:57:47  iexplore.exe      dll_unloaded
2012-01-19 18:58:39  iexplore.exe      dll_unloaded
2012-01-19 18:59:48  iexplore.exe      dll_unloaded
2012-01-19 20:03:23  iexplore.exe      dll_unloaded
dll unique to TAO VALIDATOR first-stage implant

Aftermath
o Setup automated workflow for TAO VALIDATOR team to receive daily updates
o 10-30 crashes per day
o In a month: ~30 machines
o Pinpointed to
  - VALIDATOR 8.2.5.1
  - VALIDATOR 12
  - Win 7 32bit
o TAO ROC Mission Directors deciding way forward

National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street, NW, Washington, D.C., 20037. Phone: 202-994-7000. Fax: 202-994-7005. nsarchiv@gwu.edu