Remerciez-le!

Remerciez @Admin pour avoir partagé cet document gratuitement, de la manière la plus simple, en partageant sur les réseaux sociaux.

ag9603 userguide SECRET Engineering Development Group U AG User's Manual Rev af mainrepo AG UserGuide SECRET of CSECRET af mainrepo AG UserGuide SECRET of CSECRET Table of contents U Introduction S Implant Forensics S Implant Operation U AG Installer S In

SECRET Engineering Development Group U AG User's Manual Rev af mainrepo AG UserGuide SECRET of CSECRET af mainrepo AG UserGuide SECRET of CSECRET Table of contents U Introduction S Implant Forensics S Implant Operation U AG Installer S Installing BadMFS S Installing AG inst transitory ?le S Adding a File To The Covert File System add transitory ?le S Sub-options for -bin S Limitations for binary ?les S Deleting a ?le from the covert ?le system del transitory ?le S Listing the contents of the covert ?le system list transitory ?le S Getting the log ?le from covert store get transitory ?le S Uninstalling AG uninst transitory ?le S Finalizing a transitory ?le U Operational Notes S Using AG To Start Drivers S Using AG To Start Executables S OS Compatibility List U Known Issues Issue Cause Remediation Issue Cause Remediation U Installer Error Conditions Table S AG Installer Error Codes Error Error Code Description Error Error Code Description af mainrepo AG UserGuide SECRET of CSECRET U Introduction TS AG is an implant comprised of components Solartime Wolfcreek Keystone BadMFS and the Windows Transitory File system Solartime modi ?es the partition boot sector to load some kernel code That kernel code then modi ?es the Windows boot process so that when Windows loads boot time device drivers an implant device driver can be loaded The implant driver and Solartime boot code aside from the partition boot sector modi ?cations are kept in a small userspeci ?ed ?le on disk This ?le is encrypted Wolfcreek is the kernel code that Solartime executes Wolfcreek is a self- loading driver that once executed can load other drivers and user-mode applications Keystone is responsible for starting user applications Any application started by MW is done without the implant ever being dropped to the ?le system In other words a process is created and the implant is loaded directly into memory Currently all processes will be created as svchost When viewed in task manager or another process viewing tool all properties of the process will be consistent with a real instance of svchost exe including image path and parent process Furthermore since the implant code never touches the ?le system aside from the possibility of paging there is very little forensic evidence that the process was ever ran BadMFS is a covert ?le system that is created at the end of the active partition It is used to store all drivers and implants that Wolfcreek will start All ?les are both encrypted and obfuscated to avoid string or PE header scanning The Windows Transitory File system is the new method of installing AG Rather than lay independent components on disk the system allows an operator to create transitory ?les for speci ?c actions including installation adding ?les to AG removing ?les from AG etc Transitory ?les are added to the UserInstallApp both the exe or dll versions S Implant Forensics S AG has a small forensic footprint af mainrepo AG UserGuide SECRET of CSECRET S