Title: SPINALTAP: Making Passive Sexy for Generation Cyber

Release Date: 2015-01-17

Description: This undated NSA Menwith Hill presentation describes SPINALTAP, a project to combine data from active operations and passive signals intelligence: see the Der Spiegel article The Digital Arms Race: NSA Preps America for Future Battle, 17 January 2015.

Document: TOP SECRET//COMINT//REL TO USA, FVEY


(U//FOUO) SPINALTAP:
Making Passive Sexy for
Generation Cyber

TOP SECRET//COMINT//REL TO USA, FVEY

SPINALTAP

• Extracts selectors from TAO/SFC/GCHQ boxes that should also appear in passive collection
• Translates selectors from active context to passive context
• Creates fingerprints to label passive collection related to endpoint-derived selectors
• Automated
• Scalable

SPINALTAP

Fingerprint name patterns (example project WICKEDAMP11):

endpoint/related/WICKEDAMP11/user*
endpoint/related/WICKEDAMP11/network*
endpoint/related/WICKEDAMP11/machineID*
endpoint/related/WICKEDAMP11/cypher_key*
endpoint/related/WICKEDAMP11/attached_device*

[Slide figure: screenshots of the endpoint artifacts that feed these fingerprints: serial numbers, host MACs and usernames from a computer-system survey; IMEIs, UDIDs, browser tags and machine IDs from registry key names under hkey_local_machine\software and hkey_local_machine\catalogs; and cookie files such as user@yahoo[2].txt]
Selector Types

Machine IDs
  Cookies
    • Hotmail GUIDs
    • Google prefIDs
    • YahooBcookies
    • mailruMRCU
    • yandexUid
    • twitterHash
    • ramblerRUID
    • facebookMachine
    • doubleclickID
  Serial numbers
  Browser tags
    • Simbar
    • ShopperReports
    • SILLYBUNNY
  Windows Error IDs
  Windows Update IDs

Attached Devices
  IMEIs for Phones
    • Apple IMEIs
    • Nokia IMEIs
  UDIDs
    • Apple UDIDs
  Bluetooth?
    • Device Name
    • Device Address

Cipher Keys
  Cipher Keys uniquely identified to a user
    • ejKeyID

Network
  Wireless MACs
  VSAT MACs and IPs

User Leads
  User selectors from Cookies, Registry, and Profile Folders
    • msnpassport
    • google
    • yahoo
    • Youtube
    • Skype
    • Paltalk
    • Fetion
    • QQ
    • hotmailCID
  STARPROC-identified active users

Network Level Selectors

Active/Passive Map

1. XKS fingerprints parse files collected from endpoint accesses and feed the active_passive_map microplugin
2. The micro-plugin feeds the SPINALTAP Database / GUI
3. The SPINALTAP Database generates fingerprints

Analysts can query the microplugin to see what selectors have been extracted for their target projects.

[Screenshot: CNE > Active Passive Map microplugin, Input Source: ACRIDMINI*. The relationship_type filter lists serial_number_dell (1 row), windowsupdateGUID (3 rows), yahooUser (6 rows) and realm_mid_GooglePREF (2 rows), each with its relationship_value and a Count of 2 or 1]

Sample Lifecycle: DARKSCREW46

DARKSCREW/DARKSCREW46

Last Collection [limit 3 listed]: 2012-02-12, 2012-02-08, 2012-02-06 (List All Collection / Categorized Collection)

[Screenshot: Categorized Collection table (relationship_type / relationship_value / Input Source) for DARKSCREW46: one serial_number_lenovo, four hotmailGUIDs, two doubleclickIDs, one facebookMachine, three GooglePREFIDs and one yahooBcookie. Resulting fingerprint tree: DARKSCREW46 > machineID > nsa > cne > GooglePREFID, hotmailGUID, serial_number, yahooBcookie; DARKSCREW46 > user > nsa > cne > skypeHash]

Improving CNE Collection

• Pushed for routine, standardized collection of artifacts containing useful selectors to support SPINALTAP
  • Registry: additions to SIGDEV survey to collect new registry keys and values
  • Files: broad, repeated cookie collection via additions to SIGDEV survey
  • Directories: dirwalks already standardized, no changes necessary

SPINALTAP Fingerprints

• 31168 active fingerprints
• Fingerprints for 722 projects
  • 488 TAO CNE projects
  • 7 GCHQ CNE projects
  • 227 SFC Forensics projects
• Fingerprints for 6188 unique machines

attached_device fingerprints   1102
user fingerprints             23173
machineID fingerprints         5599
cipher_key fingerprints        1293

NSA TAO fingerprints          29361
NSA SFC fingerprints           1745
GCHQ CNE fingerprints            61

endpoint/related/////

endpoint/related/STONEHENGE18/user/nsa/cne/skypeHash
endpoint/related/DEADDRUMMER10/machineID/gchq/cne/simbar
endpoint/related/FREEFLOWERPEOPLE1/attached_device/nsa/forensic/appleUDID

*Last updated 11

SPINALTAP Fingerprint Hits

Since active, July 2011:

Hits from 2087 unique fingerprints
Hits from 1619 unique boxes (26%)
8395 box / ID type / SIGAD combinations

[Screenshot: hit table of Sigad (UKJ-260D, UKJ-260G, USJ-759A, UKC-302A, DS-300) against AppID (+Fingerprints) such as endpoint/related/SLYWIZARD16/user/nsa/cne/yahooUser, endpoint/related/SPARTANFURY16/user/nsa/cne/skypeuser and endpoint/related/WATERCASKET103/machineID/nsa/cne/simbar. Callout: "Selectors from 269 ... of TAO machines are seen in passive"]

*Last updated 11

Passive Collect by Project/Site

[Charts: Unique Boxes Seen by Project; Unique Machines Seen by Project (Top 15 projects: FOXACID, ATOMICMONKEY, DRINKMINT, DARKFIRE, ANCIENTBREW, SILVERJUMP, MUSHROOMKINGDOM, FIRESWAMP, SHAKEWEIGHT, OPTIMUSPRIME, ATOMICFIREBALL, WOLFACID_ZINC, SWITCHDOWN_IR_BR, TOXICSNOW, DARKTHUNDER); Unique Machines seen by SIGAD (largest slices GCHQ 936 and 302A 663)]

1619 unique machines seen
At 68 different SIGADs
Using 31 different ID types

Application: Exfil Opportunities

Application: Bearer Prioritization

[Screenshot: SPINALTAP bearer view joining Survey CASNs, ASPHALT CASNs and Snap CASNs. For one casenotation (2CBAB00000M0286) the fingerprints seen are cne_related/<project>/user/nsa/yahooUser for ANCIENTBREW115, DARKTHUNDER64, DISTORTAFFECT1 and DRINKMINT158/195/322/350/384/410/420, plus cne_related/CHOCOLATESHIP2/user/nsa/email, with last-seen dates between 2011-12-20 and 2012-02-12. A casn / sigad / count table lists casenotations at USJ-759A (e.g. E9DCJ00000M0000, 5BBAKDD000M0000, NFDJG00000M4147) with hit counts from 150 to 115091. Callout: "points for each ... correlation seen"]

[Screenshot: XKEYSCORE Histogram Grid of Input Source counts (WOLFACID_PRECIOUS5 82, DOUBLETAP23 45, DOUBLETAP14 33, WOLFACID_URANIUM1 24, WOLFACID_IODINE1 16, WOLFACID_PRECIOUS4 13, WOLFACID_ARGON8 12, WOLFACID_IRON10 12, ATOMICFOG48 8, OFFICELINEBACKER105 8, OFFICELINEBACKER90 8, DOUBLETAP11 7, WOLFACID_BARIUM49 7) and an ejkeyid result list of eight 2011 sessions whose AppID (+Fingerprints) column carries DNT payload and CNE technique fingerprints (unitedrake, danderspritz) alongside cyber/cyberquest/cno_activity]

Application: Selector Discovery

[Screenshot: XKEYSCORE session view for an IP in Karachi, PK (2012-04-27, 3 minutes, SIGAD UKC-302A, case notations PKCSE039L... / PKCSE039K...). Fingerprints on the session: two Yahoo insider client ad fingerprints, endpoint/related/atomicmonkey372/machineid/nsa/cne/simbar, and mail/webmail/yahoo. Active account of type yahooBcookie (role unknown, state active); page hosts at yahoo.com and a file:///C:/Documents%20an... title; user agent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1); client geo PK, KARACHI]

REENABLE
Application: Mitigate Lost Collect

[Screenshot: active-user hit list per Sigad (UKJ-260D) with timestamps from 2011/10/11 12:18 to 2012/01/11]

id_type    machine_name         q_technique  sigad     opportunity_type  unique_count
yahooUser  TOXICSNOW72          QDIRK        USJ-759A  CONFIRMED         26
yahooUser  ATOMICMONKEY380      QDIRK        USJ-759A  POTENTIAL         5
yahooUser  SLYNINJA150          QDIRK        USJ-759A  POTENTIAL         4
yahooUser  SLYNINJA150          QDIRK        USJ-759A  CONFIRMED         27
yahooUser  SLYNINJA151          QDIRK        USJ-759A  CONFIRMED         3
yahooUser  MUSHROOMKINGDOM143   QDIRK        USJ-759A  CONFIRMED         2
yahooUser  ATOMICMONKEY200      QDIRK        USJ-759A  UNKNOWN           1
facebook   OFFICELINEBACKER21   QBISCUIT     DS-300    CONFIRMED         2
yahooUser  SWITCHDOWN_IR_BR154  QBISCUIT     DS-300    UNKNOWN           1
yahooUser  SPARTANFURY35        QBISCUIT     DS-300    CONFIRMED         2
yahooUser  OPTIMUSPRIME222      QBISCUIT     DS-300    UNKNOWN           2
yahooUser  SPARTANFURY64        QBISCUIT     DS-300    UNKNOWN           33
facebook   STRAITLACED435       QBISCUIT     DS-300    UNKNOWN           3
yahooUser  WATERCASKET88        QBISCUIT     DS-300    UNKNOWN           11
yahooUser  SPARTANFURY35        QBISCUIT     DS-300    UNKNOWN           2
facebook   DOUBLETAP27          QBISCUIT     DS-300    POTENTIAL         2
yahooUser  WATERCASKET103       QBISCUIT     DS-300    UNKNOWN           6
yahooUser  WATERCASKET27        QBISCUIT     DS-300    UNKNOWN           15
yahooUser  OPTIMUSPRIME353      QBISCUIT     DS-300    CONFIRMED         11
yahooUser  SPARTANFURY35        QBISCUIT     DS-300    POTENTIAL         1
yahooUser  OPTIMUSPRIME353      QBISCUIT     DS-300    UNKNOWN           7
yahooUser  OPTIMUSPRIME353      QBISCUIT     DS-300    POTENTIAL         9
yahooUser  SPARTANFURY35        QBISCUIT     DS-300    CONFIRMED         1
yahooUser  SPARTANFURY45        QBISCUIT     DS-300    CONFIRMED         14

REENABLE
Application: Mitigate Lost Collect

• Combine XKEYSCORE Map/Reduce Results (QTM Opportunities) with GMPLACE Callback Analytics (Lost Implants)

[Screenshot: QUANTUM_Database > QuantumReenable, last updated Thu May 31 09:57:24 +0000 2012. Columns: from_port, to_port, active_user_id type, machine name, opportunity type, QUANTUM technique, SIGAD, timestamp. April 2012 rows for ATOMICMONKEY108 and ATOMICMONKEY496 (yahooUser), DARKFIRE1086 (yahooUser), DARKFIRE1082 (facebook) and COBALTGUPPY36 (yahooUser); techniques QBISCUIT and QDIRK; SIGADs US-3171 and US-972U; opportunity types UNKNOWN, POTENTIAL and CONFIRMED]

Future Work

• Further automate extraction, fingerprint creation (currently weekly)
• Provide access to SPINALTAP DB via GUI
• Support for new ID types
  • MAC addresses
• Expansion of SFC related fingerprints
• Expansion of 2nd Party CNE related fingerprints
• Deprecation/Expiration of fingerprints
• Improve private network identification
• Provide as enrichment source to other tools

Hits - All Projects

[Chart: bar chart of fingerprint hits per project; the axis lists nearly 300 project names alphabetically, from AARDVARKSTAKE and ABSOLINEDELTA through the AFTER* and FREE* series to WOLFACID_ZINC]

Contributions

S32361 and S31322

[Image: Windows error dialog ("... has recovered from a serious error", "... error has been created", "... tell Microsoft about this problem", Send Error Report / Don't Send)]

Windows Error Reports

• Windows crash reports in passive:
  - Identify application crashes on TAO targets
    • Another data point to correlate active/passive collection
  - Identify applications of interest on TAO machines
  - Track 4th Party tools
    • Crashes from attributed .dlls identify targets of foreign CNE
    • Analytics may be able to highlight suspicious processes

Windows Error Reports

Detailed error and target system info for troubleshooting, tracking, and maintenance

Event Type  Exception Code  Exception Offset  Fault Module Timestamp  Count
APPCRASH    c0000005        01cb3aa6          411096b4                8
APPCRASH    c0000005        01903aa6          411096b4                6
APPCRASH    c0000005        03573aa6          411096b4                6
APPCRASH    c0000005        047b3aa6          411096b4                6
APPCRASH    c0000005        01bf3aa6          411096b4                4
APPCRASH    c0000005        03993aa6          411096b4                2
BEX         00653aa6        c0000005          411096b4                2
BEX         01e13aa6        c0000005          411096b4                2
BEX         01f63aa6        c0000005          411096b4                2
BEX         03083aa6        c0000005          411096b4                2
BEX         03bd3aa6        c0000005          411096b4                2
BEX         0ca13aa6        c0000005          411096b4                2

System Manufacturer  System Product Name         BIOS Version          Count
FUJITSU SIEMENS      AMILO Pro V2040             R01-A1B               30
Hewlett-Packard      Presario CQ56 Notebook PC   F.05                  14
TOSHIBA              SATELLITE U500              1.50                  6
TOSHIBA              Satellite C640              1.50                  3
                                                 PRG311OH.86A.0065.2(  2
Hewlett-Packard      HP Mini 110-3700            F.23                  2
TOSHIBA              Satellite L300              1.40                  2
TOSHIBA              Satellite L635              1.40                  2
TOSHIBA              Satellite P105              V3.30                 2
Dell Inc.            OptiPlex 755                A09                   1
System manufacturer  System Product Name         0701                  1

Application Version  OS Version                        Count
8.0.7600.16800       6.1.7600.2.00010100.0.0.1.16385   30
8.0.7600.16869       6.1.7600.2.00010300.0.0.11.16385  14
8.0.7600.16385       6.1.7600.2.00010100.0.0.1.16385   8
8.0.7600.16839       6.1.7600.2.00010300.0.0.3.16385   6
8.0.7600.16869       6.1.7600.2.00010300.0.0.3.16385   3
8.0.7600.16869       6.1.7600.2.00010100.0.0.1.16385   2
8.0.7601.17514       6.1.7601.2.00010100.1.0.48.17514  2

Callouts: IE8 (application version), Windows 7 (OS version)

Crashes on TAO Targets

Registry keys from CNE (SLYNINJA151):

Value Name                Value Type  Display Content
errorport                 REG_SZ      WindowsErrorReportingServicePort
machineid                 REG_SZ      34F9B1DE-9D71-4009-AE54-65C45C1F876F
maxqueuesizepercentage    REG_DWORD   00000001
purgethreshholdvalueinkb  REG_DWORD   0000000A
servicetimeout            REG_DWORD   0000EA60

Error report in passive (SLYNINJA151), carrying the same MID value as the registry machineid:

GET /StageOne/Generic/BEX/iexplore_exe/8_0_7601_17514/4ce79912/[...]BHO_dll_unload[...]/00000008.htm?LCID=3081&OS=6.1.7601.2.00010100.1.0.1.17514&SM=Hewlett-Packard&SPN=HP Pavilion dm3 Notebook PC&BV[...]&MID=34F9B1DE-9D71-4009-AE54-65C45C1F876F HTTP/1.1
Connection: Keep-Alive
User-Agent: MSDW
Host: watson.microsoft.com

Passive access to CNE target:

Application Name  Sigad     Casenotation  Count
iexplore.exe      USJ-759A  E9DCJ00000    32
AcroRd32.exe      USJ-759A  E9DCJ00000    1
Flash Games.exe   USJ-759A  E9DCJ00000    1

Windows Error Reports

Similar work completed for Windows Update
• April 2012:
  • 2827 Windows Update and Windows Error IDs from endpoints
  • 17 CNE machines found in passive (8 for the first time; for the other 9 it's the first time with a MachineID)

Crashes from 4th party tools
• At least one crash report from a likely 4th party found
• Ingesting into The Cloud for Whizbang! analytics
  • Crashes from target networks
  • Crashes of uncommon .dlls
  • Crashes of known 4th party .dlls

But Also...

Windows crash reports in passive:
- Reveal crashes of TAO toolkits on targets
- Troubleshoot problems with TAO tools
- Identify OPSEC issues from repeated crashes

[Table: ten crash reports dated 2012-01-19 (07:44:28 to 20:03:23), Application Name iexplore.exe, all with the same Fault Module Name (not legible in the scan). Callout: .dll unique to TAO VALIDATOR first-stage implant]

Aftermath

Set up an automated workflow for the TAO VALIDATOR team to receive daily updates

10-30 crashes per day; in a month ~30 machines

Pinpointed to:
• VALIDATOR 8.2.5.1
• VALIDATOR 12
• Win 7 32bit

TAO/ROC Mission Directors deciding way forward

QUESTIONS?

(S//REL) Tracking Courier Use: Secure Digital Cards

SIGDEV Conference 2012

The overall classification of this briefing is: TOP SECRET//COMINT//REL FVEY

Derived From: NSA/CSSM 1-52 Dated: 20070108 Declassify On: 20320108

(U//FOUO) SD Cards

(U//FOUO) Small
(U//FOUO) Convenient
(U//FOUO) Common

(S//REL) Tracking SD Cards: The [rest of title not captured]

(U//FOUO) No USB [...]
(U//FOUO) FAT Filesystem

[Diagram of a USB flash drive: USB connector; USB controller (unique identifier stored here); one or more flash memory chips (filesystem stored here)]

(S//REL) The solution: Volume Identification

(U//FOUO) VSN: Volume Serial Number
(U//FOUO) VL: Volume Label

Located in the boot sector of a volume

Actual values (VL / VSN):
Usama         728C0200
Nokia N73     a7bec691
Google earth  65ba457d

*CDs and DVDs also contain VSN/VLs


(S//REL) Unique USB Identification

[Diagram: USB connector; USB controller (USB ID stored here); one or more flash memory chips (VSN/VL stored here)]


(S//REL) VSN/VL Sources

(S//REL) Filesystem / volume boot sector

(S//REL) Windows Registry
  (S//REL) Vista/7 provide comprehensive history: EMDMgmt key names, e.g.
    _??_USBSTOR#Disk&Ven_Generic&Prod_USB_SD_Reader&Rev_1.00#058F312D81B8&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_1217853213
    _??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_G2&Rev_1.00#000FEAFB88BEF060543406528&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}KINGSTON_1008886052
  (S//REL) XP provides VSN for "last mounted"

(S//REL) LNK files
  (S//REL) Identify VSN/VL, device type (CD, removable media, etc.)
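An added example, not from the briefing: the Python below reads the VSN and volume label out of a FAT boot sector, the location the Volume Identification slide names, and exposes the VSN in the hex form shown there, the XXXX-XXXX form Windows displays, and the decimal form that ends the EMDMgmt key names above. The boot sectors it parses are constructed sample data that reuse the briefing's serial numbers.

```python
"""Extract the FAT volume serial number (VSN) and volume label (VL) from a boot sector.

Added example (not from the briefing): the VSN/VL live in the extended BIOS
parameter block of the first sector of a FAT volume, at different offsets for
FAT12/16 and FAT32.  The sectors parsed below are constructed in this file.
"""
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
EBPB_FAT16 = 0x24   # extended BPB on FAT12/16: drive#, reserved, sig, VSN, label, fstype
EBPB_FAT32 = 0x40   # FAT32's BPB is 28 bytes longer, so its extended BPB starts here


@dataclass
class VolumeId:
    fat_type: str
    vsn: int      # 32-bit volume serial number
    label: str    # 11-byte volume label, trailing blanks removed ("" if none)

    @property
    def vsn_hex(self) -> str:
        return f"{self.vsn:08X}"          # form shown in the briefing: 728C0200

    @property
    def vsn_display(self) -> str:
        h = self.vsn_hex
        return f"{h[:4]}-{h[4:]}"         # form shown by dir / vol: 728C-0200

    @property
    def vsn_decimal(self) -> str:
        return str(self.vsn)              # form used as the EMDMgmt key-name suffix


def parse_fat_volume_id(sector: bytes) -> VolumeId:
    """Parse one 512-byte FAT boot sector; raises ValueError if it is not one."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("boot sector must be at least 512 bytes")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    (bytes_per_sector,) = struct.unpack_from("<H", sector, 11)
    if bytes_per_sector not in (512, 1024, 2048, 4096):
        raise ValueError(f"implausible bytes per sector: {bytes_per_sector}")
    (root_entries,) = struct.unpack_from("<H", sector, 17)
    (sectors_per_fat16,) = struct.unpack_from("<H", sector, 22)
    # FAT32 sets both 16-bit fields to zero and carries them in the larger BPB.
    if root_entries == 0 and sectors_per_fat16 == 0:
        ebpb, fat_type = EBPB_FAT32, "FAT32"
    else:
        ebpb, fat_type = EBPB_FAT16, "FAT12/16"
    ext_sig = sector[ebpb + 2]
    if ext_sig not in (0x28, 0x29):
        raise ValueError(f"unknown extended boot signature 0x{ext_sig:02x}")
    (vsn,) = struct.unpack_from("<I", sector, ebpb + 3)
    label = ""
    if ext_sig == 0x29:                   # 0x28 means the label/fstype fields are absent
        raw = sector[ebpb + 7 : ebpb + 18]
        label = raw.decode("ascii", errors="replace").rstrip()
        if label == "NO NAME":            # placeholder written when no label was set
            label = ""
    return VolumeId(fat_type, vsn, label)


def build_boot_sector(fat32: bool, vsn: int, label: str) -> bytes:
    """Construct a minimal FAT boot sector for testing (constructed sample data)."""
    if len(label) > 11:
        raise ValueError("FAT volume labels are at most 11 bytes")
    s = bytearray(SECTOR_SIZE)
    s[0:3] = b"\xeb\x58\x90" if fat32 else b"\xeb\x3c\x90"   # jump + nop
    s[3:11] = b"MSWIN4.1"                                    # OEM name
    struct.pack_into("<H", s, 11, 512)                       # bytes per sector
    s[13] = 8                                                # sectors per cluster
    struct.pack_into("<H", s, 14, 32 if fat32 else 1)        # reserved sectors
    s[16] = 2                                                # number of FATs
    if fat32:
        struct.pack_into("<I", s, 36, 1024)   # sectors per FAT (32-bit field)
        struct.pack_into("<I", s, 44, 2)      # root directory first cluster
        ebpb, fstype = EBPB_FAT32, b"FAT32   "
    else:
        struct.pack_into("<H", s, 17, 512)    # root directory entries
        struct.pack_into("<H", s, 22, 250)    # sectors per FAT (16-bit field)
        ebpb, fstype = EBPB_FAT16, b"FAT16   "
    s[ebpb + 2] = 0x29                                       # extended boot signature
    struct.pack_into("<I", s, ebpb + 3, vsn)                 # volume serial number
    s[ebpb + 7 : ebpb + 18] = label.encode("ascii").ljust(11)  # space-padded label
    s[ebpb + 18 : ebpb + 26] = fstype
    s[510:512] = b"\x55\xaa"
    return bytes(s)


if __name__ == "__main__":
    # Sample VSNs taken from the briefing's "Actual Values" list; labels constructed.
    for fat32, vsn, label in [(False, 0xA7BEC691, "Nokia N73"), (True, 0x728C0200, "NO NAME")]:
        vid = parse_fat_volume_id(build_boot_sector(fat32, vsn, label))
        print(f"{vid.fat_type:8} VSN {vid.vsn_display} ({vid.vsn_decimal}) label {vid.label!r}")
```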


(S//REL) VSN/VLs & UBL

(S//REL) Published report (S/OO/SFC/3-12)

(S//REL) Identification information identified for 36 devices not seized during UBL raid
  16 missing devices
    6 connected via SD reader
    5 via USB
    5 unknown

(S//REL) Determined uniqueness & first connect date

(U//FOUO) Developing a Solution

(TS//SI//REL) Automated solutions between seized media & CNE media via JOLLYROGER

(U//FOUO) Questions?

NSA SIGINT Forensics Center
"GO SFC"

TOP SECRET//SI//REL USA, FVEY

QUANTUM FALCON

Summarization to support QUANTUM Targeting

Overview

Challenges

• Triage selectors for potential QUANTUM targeting
• Enrich with strongly correlated selectors
• Possible manually with MARINA with multiple queries (no workflows)

Overview

Solution

• Cloud analytic developed to support targeting
  • Map/Reduce ideal for counting activity
  • Using corporate resources to perform activities
• Seed selector list - INQUIRY service
• Summary of ASDF data already on GHOSTMACHINE

The Napkin

Results

What does it look like?

[Screenshot: summary output keyed by Selector / AltID (15-digit numeric IDs). Columns: UTTCategory, SIGAD (US-972U, UKC-302A, USD-1079, USJ-759A, USJ-759, US-966A, US-968Z), CASENOTATION, IPDirection (C->S / S->C), From country and FromASN, To country and ToASN, #TRs, #DaysSeen, Last seen]

Results

What does it look like?

[Screenshot: drill-down for one AltID (100001442593682), the grouped selector rows labelled facebook. Tabs Hits, CaseNotationCounts and IPHits; "1106 of 31950 records found"; SIGAD / CASENOTATION / IPDirection rows across US-972U, USD-1079, USJ-759A, USJ-759 and US-966A; Average: 10060205.58; #DaysSeen]

Issues

Questions
