TRANSCRIPT
Wikimedia Foundation v. NSA No. 15-cv-0062-TSE (D. Md.)
Plaintiff’s Exhibit 30
Case 1:15-cv-00662-TSE Document 168-34 Filed 12/18/18 Page 1 of 22
TOP SECRET//COMINT//REL TO USA, FVEY
UNCLASSIFIED//FOUO
The overall classification of this presentation is:
TOP SECRET//COMINT//REL TO USA, FVEY
SECRET//COMINT//REL TO USA, FVEY
• A suite of software running on a Linux host
• Classically, used for DNI processing, selection and survey
• A distributed hierarchy of servers at field sites and headquarters
• Extract and tag metadata & content from traffic
• Servicing analyst queries and workflows
• Web and programmatic front-ends
TOP SECRET//COMINT//REL TO USA, FVEY
[Screenshot: XKEYSCORE Meta-viewer in Mozilla Firefox showing category hits for a search; the results table lists source and destination IPs with country and city columns]
TOP SECRET//COMINT//REL TO USA, FVEY
• Let's try a search for suspicious stuff ... http_activity search, 5-eyes defeat, look for fingerprints:
ndist/discovery/heuristic/BHAM/get_with_content or http/get/with_content
• While the search runs, some gotchas:
  • You choose where your query is run
  • Content and metadata age-off
  • Burden is on user/auditor to comply with USSID-18 or other rules
  • Geolocation based on IP
SECRET//COMINT//REL TO USA, FVEY
[Screenshot: XKEYSCORE Session Viewer in Mozilla Firefox (banner: this system is audited for USSID 18 and Human Rights Act compliance) showing a session hit by the ndist/discovery/heuristic ... and http/get/with_content fingerprints; the side panel offers quick-click searches (find fingerprint, find application, find proxy hash, find traffic on IP) and the main pane shows the session headers and raw HTTP content]
Notes:
• Strange User-Agent
• Probably NOT CNE but definitely something nonstandard
• Content: maybe a HTTP tunnel for some weird protocol? Reset from local.
• Should we write a Fingerprint?
SECRET//COMINT//REL TO USA, FVEY
• Useful for identifying classes of traffic or particular targets (for SIG DEV or collection):
  mail/webmail/yahoo
  browser/cellphone/blackberry
  topic/s2B/chinese missile
• appid - a contest, highest scoring appid wins
• fingerprint - many fingerprints per session
• microplugin - a fingerprint or appid that is relatively complex (e.g. extracts and databases metadata)
SECRET//COMINT//REL TO USA, FVEY
• Written in language called "GENESIS" (go genesis-language):
appid('encyclopedia/wikipedia', 2.0) = http_host('wikipedia' or 'wikimedia');
fingerprint('dns/malware/MalwareDomains') = dns_host('erofreex.info' or 'datayakoz.info' or 'erogirlx.info' or 'pornero.info' or ...
• If a fingerprint contains a schema definition, a search form automatically appears in the XKEYSCORE GUI
• Power users can drop in to C++ to express themselves
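The two slides above describe the semantics of the two rule kinds: appids compete and only the highest-scoring one labels a session, while any number of fingerprints can attach to the same session. The following is an added illustration of that contest, written for this transcript; it is not GENESIS, not code from the presentation and not XKEYSCORE's own matching engine. The rule helpers (http_host, dns_host, user_agent), the generic browser appid, the finding names and the session records are all constructed here; only the two example rules are modelled on the slide.

```python
"""Model of how XKEYSCORE-style appids and fingerprints are applied to a session.

Added illustration: this is not GENESIS and not code from the presentation.
The rule helpers, rule sets and session records are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Session = Dict[str, str]            # one session's extracted metadata
Predicate = Callable[[Session], bool]


def http_host(*needles: str) -> Predicate:
    """Substring match on the HTTP Host header (stand-in for GENESIS http_host)."""
    return lambda s: any(n in s.get("http_host", "") for n in needles)


def dns_host(*names: str) -> Predicate:
    """Exact match on the queried DNS name (stand-in for GENESIS dns_host)."""
    return lambda s: s.get("dns_host", "") in names


def user_agent(*needles: str) -> Predicate:
    """Substring match on the User-Agent header (constructed helper)."""
    return lambda s: any(n in s.get("user_agent", "") for n in needles)


@dataclass
class Appid:
    name: str
    score: float
    match: Predicate


@dataclass
class Fingerprint:
    name: str
    match: Predicate


@dataclass
class Classification:
    appid: Optional[str]                                   # the single winning appid, if any
    fingerprints: List[str] = field(default_factory=list)  # every fingerprint that hit


def classify(session: Session, appids: List[Appid],
             fingerprints: List[Fingerprint]) -> Classification:
    """Appids are a contest: the highest-scoring matching appid wins (the first one
    defined wins a tie). Fingerprints do not compete: every match is attached."""
    best: Optional[Appid] = None
    for a in appids:
        if a.match(session) and (best is None or a.score > best.score):
            best = a
    hits = [f.name for f in fingerprints if f.match(session)]
    return Classification(best.name if best else None, hits)


# Rules in the spirit of the slide's examples; the generic browser appid is constructed.
APPIDS = [
    Appid("browser/generic", 1.0, lambda s: "http_host" in s),
    Appid("encyclopedia/wikipedia", 2.0, http_host("wikipedia", "wikimedia")),
]
FINGERPRINTS = [
    Fingerprint("dns/malware/MalwareDomains",
                dns_host("erofreex.info", "datayakoz.info", "erogirlx.info", "pornero.info")),
    Fingerprint("browser/cellphone/blackberry", user_agent("BlackBerry")),
]

# Constructed sessions, not real traffic.
SESSIONS = [
    {"http_host": "en.wikipedia.org", "user_agent": "Mozilla/5.0"},
    {"http_host": "example.com", "user_agent": "BlackBerry9000/4.6.0"},
    {"dns_host": "datayakoz.info"},
]

if __name__ == "__main__":
    for s in SESSIONS:
        print(s, "->", classify(s, APPIDS, FINGERPRINTS))
```

The first session matches both appids, and the score decides: encyclopedia/wikipedia (2.0) wins over browser/generic (1.0). The second keeps the generic appid but also picks up the blackberry fingerprint, and the third, a DNS-only session, gets no appid at all while still carrying the malware-domain fingerprint.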
SECRET//COMINT//REL TO USA, FVEY
• Many different searches
• Base search is Full Log DNI
• Depending on traffic type, will generate searchable results for (example):
  HTTP Activity, Network Information, GEO Info, Extracted Files, Email Addresses, Registry, Logins and Passwords, Document Metadata, Machine Info
• workflow - a user query that is run automatically usually every 24 hours
SECRET//COMINT//REL TO USA, FVEY
• Not all sites run latest XKEYSCORE software or fingerprints
• fingerprint submission:
  • XKEYSCORE team weighs mission-worthiness of user fingerprints vs computational cost
• Content and metadata ageoff
TOP SECRET//COMINT//REL TO USA, FVEY
• Lots of endpoint data flows into XKS: TAO (no ECIs), GCHQ (almost all)
• Other limited flows include SIGINT Forensics Center, TAO STAT
• XKEYSCORE works well for endpoint data
• Sometimes the paradigm breaks (e.g. collected browser history file)
TOP SECRET//COMINT//REL TO USA, FVEY
• Payload types: dirwalk, extracted file, system survey, network config, captured credentials, registry query, key logger, etc.
• Labeled dnt_payload in appid/fingerprint ontology
• Let's look at some DANDERSPRITZ data ...
TOP SECRET//COMINT//REL TO USA, FVEY
[Screenshot: XKEYSCORE Session Viewer in Mozilla Firefox showing a DANDERSPRITZ process-list payload rendered as XML: a series of <Process> elements, each with creationTime, description, pid and ppid attributes and a process image name such as svchost.exe or explorer.exe]
TOP SECRET//COMINT//REL TO USA, FVEY
• Recent Developments
  • Upgrade of XKEYSCORE CNE
  • Keyloggers: keylogger/perfect/extension
  • PCAP Reingestion
  • Router Redirection
TOP SECRET//COMINT//REL TO USA, FVEY
(refer to Counter CNE Resources slide ...)
• Hypothesis/research-driven
  • "Could South Korean CNE be using similar selectors to FVEY CNE?"
  • "What keywords could be used to find keyloggers (example: keylog OR keystroke)"
• Bogus or Unusual Traffic
  • HTTP GET with content (example in this presentation)
  • HTTP POST at odd hours (from Russia 0200-0359Z)
  • Funky user agents
• Known-Host or User driven (e.g. drop sites)
• XKEYSCORE is GOOD at these kinds of things
TOP SECRET//COMINT//REL TO USA, FVEY
• Registry searches (e.g. SIM BAR)
• Fused Active/Passive search
  • common selectors
  • document hashes
• Known Processes (malicious executables or code) ... Let's enhance the process list appid
• map-reduce within CNE cluster using GENESIS calls
TOP SECRET//COMINT//REL TO USA, FVEY
• ... at all (well, automatically, anyways)
• Paired traffic heuristic-based approach
  • HTTP[S] imbalance (e.g. GET without response)
  • IP/DNS mismatch*
• ... on an automatic basis
  • Network or host characterization
  • Changes in IP/DNS mapping over time
  • Changes over time in malware comms
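The "bogus or unusual traffic" heuristics two slides back (GET with content, POST at odd hours, funky user agents) and the paired-traffic checks on this slide (request without response, IP/DNS mismatch) are all simple predicates over per-flow metadata plus a DNS log. The block below is an added illustration of running such checks over sample records; it is not code from the presentation or from XKEYSCORE. The flow-record layout, the DNS-answer table, the list of "ordinary" user-agent families and the finding labels are constructed here. The odd-hour window defaults to the slide's example (0200-0359Z); the slide's source-country filter is left out.

```python
"""Traffic-discovery heuristics of the kind the slides list, run over sample flows.

Added illustration, not code from the presentation or from XKEYSCORE: the flow
record layout, DNS-answer table, 'ordinary' user-agent list and finding labels
are constructed for this example.
"""
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Set

Flow = Dict[str, object]

# Assumption: user agents from these families are 'ordinary'; anything else is flagged.
ORDINARY_UA_PREFIXES = ("Mozilla/", "Opera/", "curl/", "Wget/")


def get_with_content(f: Flow) -> bool:
    """A GET request that carries a body is non-standard and worth a look."""
    return f["method"] == "GET" and int(f.get("content_length", 0)) > 0


def post_at_odd_hours(f: Flow, hours: Iterable[int]) -> bool:
    """POST whose UTC hour falls in a window the analyst considers unusual."""
    ts = datetime.fromisoformat(str(f["ts"])).astimezone(timezone.utc)
    return f["method"] == "POST" and ts.hour in set(hours)


def funky_user_agent(f: Flow) -> bool:
    """User-Agent outside the ordinary families."""
    return not str(f.get("user_agent", "")).startswith(ORDINARY_UA_PREFIXES)


def unanswered_request(f: Flow) -> bool:
    """HTTP imbalance: a request for which no response was observed."""
    return f.get("response_code") is None


def ip_dns_mismatch(f: Flow, dns_answers: Dict[str, Set[str]]) -> bool:
    """The Host header resolved (in the DNS log) to addresses that do not include
    the address actually contacted."""
    resolved = dns_answers.get(str(f.get("host", "")))
    return resolved is not None and str(f["dst_ip"]) not in resolved


def scan(flows: Iterable[Flow], dns_answers: Dict[str, Set[str]],
         odd_hours: Iterable[int] = range(2, 4)) -> Dict[str, List[str]]:
    """Return {flow id: [finding labels]} for every flow that trips a heuristic."""
    odd = set(odd_hours)
    findings: Dict[str, List[str]] = {}
    for f in flows:
        hits: List[str] = []
        if get_with_content(f):
            hits.append("http/get/with_content")
        if post_at_odd_hours(f, odd):
            hits.append("http/post/odd_hours")
        if funky_user_agent(f):
            hits.append("http/funky_user_agent")
        if unanswered_request(f):
            hits.append("http/unanswered_request")
        if ip_dns_mismatch(f, dns_answers):
            hits.append("net/ip_dns_mismatch")
        if hits:
            findings[str(f["id"])] = hits
    return findings


# Constructed DNS log (name -> answered addresses) and HTTP flow records.
DNS_ANSWERS = {"update.example.net": {"203.0.113.10"}, "mail.example.org": {"198.51.100.5"}}
FLOWS = [
    {"id": "f1", "ts": "2011-03-28T14:01:00+00:00", "method": "GET", "host": "update.example.net",
     "dst_ip": "203.0.113.10", "content_length": 412, "user_agent": "Mozilla/5.0", "response_code": 200},
    {"id": "f2", "ts": "2011-03-28T02:15:00+00:00", "method": "POST", "host": "update.example.net",
     "dst_ip": "203.0.113.10", "content_length": 88, "user_agent": "Mozilla/5.0", "response_code": 200},
    {"id": "f3", "ts": "2011-03-28T09:30:00+00:00", "method": "GET", "host": "mail.example.org",
     "dst_ip": "198.51.100.5", "content_length": 0, "user_agent": "xyz-1.0", "response_code": None},
    {"id": "f4", "ts": "2011-03-28T10:00:00+00:00", "method": "GET", "host": "mail.example.org",
     "dst_ip": "203.0.113.99", "content_length": 0, "user_agent": "Mozilla/5.0", "response_code": 200},
    {"id": "f5", "ts": "2011-03-28T11:00:00+00:00", "method": "GET", "host": "mail.example.org",
     "dst_ip": "198.51.100.5", "content_length": 0, "user_agent": "Mozilla/5.0", "response_code": 200},
]

if __name__ == "__main__":
    for flow_id, labels in scan(FLOWS, DNS_ANSWERS).items():
        print(flow_id, labels)
```

Each heuristic is a one-line predicate, which is the point: the hard part of this kind of discovery is not the check but the scale and the false-positive rate, so the labels are meant to feed a second-stage review (or a fingerprint, as the earlier slide asks) rather than to be treated as verdicts. Flow f5 trips nothing and is absent from the result.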
TOP SECRET//COMINT//REL TO USA, FVEY
• How to Discover Intrusions [using XKEYSCORE] by and (paper)
• MHS INDEX - Foreign CNE Discovery Page: https://wiki.itd.nsa/wiki/Foreign_CNE_Discovery
• CSEC and GCHQ - DONUT (unknown protocols): https://tiso.sigint.cse/snipehunt/index.php/DONUT
• GCHQ Discovery posted some research on detecting Man-on-the-Side attacks: https://tiso.sigint.cse/snipehunt/index.php/MOTS
• The GCHQ Disco team posts POCs for different intrusions and some details: https://wiki.gchq/index.php/Discovery
• The GCHQ DISCO team also posts Discovery Theories they run once a week: https://wiki.gchq/index.php/Discovery_Afternoons
• XKEYSCORE Fingerprints
TOP SECRET//COMINT//REL TO USA, FVEY
Using TAO-obtained Iranian implant encryption keys, inline decrypt using XKS microplugin IRGC-QF keylogger data!
[Screenshot: XKEYSCORE Session Viewer in Mozilla Firefox (banner: this system is audited for USSID 18 and Human Rights Act compliance; classification TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL) showing a session dated 2011-03-28 with an attached key-logger.txt, matched by an ntoc/ntocg/malware/... botnet fingerprint and the mail/webmail/yahoo appid; quick-click links offer find fingerprint, find traffic on IP, find application and find proxy hash. The decrypted keystroke log, rendered with the TXT formatter (virus scan result: Clean), shows window titles from a Yahoo! Mail and Yahoo! Messenger session interleaved with bracketed key tokens such as [Backspace], [Space] and [Down]]
TOP SECRET//COMINT//REL TO USA, FVEY
• MHS Index Team
• CES/TRANGRESSION
• NSA/Countering Foreign Intelligence
• NTOC ??
• XKEYSCORE: xks-cne@r1.r.nsa