SECRET//20341105 af+mainrepo+00AG9603 UserGuide 1 of 15 SECRET//20341105

Engineering Development Group

(U) 00AG9603 User's Manual
Rev. 1.0

Table of contents

1. (U) Introduction
2. (S) Implant Forensics
3. (S) Implant Operation
  3.1 (U) 00AG9603 Installer
  3.2 (S) Installing BadMFS
  3.3 (S) Installing 00AG9603 (inst transitory file)
  3.4 (S) Adding a File To The Covert File System (add transitory file)
    3.4.1 (S) Sub-options for -bin
    3.4.2 (S) Limitations for binary files
  3.5 (S) Deleting a file from the covert file system (del transitory file)
  3.6 (S) Listing the contents of the covert file system (list transitory file)
  3.7 (S) Getting the log file from covert store (get transitory file)
  3.8 (S) Uninstalling 00AG9603 (uninst transitory file)
  3.9 (S) Finalizing a transitory file
4. (U) Operational Notes
  4.1 (S) Using 00AG9603 To Start Drivers
  4.2 (S) Using 00AG9603 To Start Executables
5. (S) OS Compatibility List
6. (U) Known Issues
7. (U) Installer Error Conditions
  Table: (S) 00AG9603 Installer Error Codes

1. (U) Introduction

(TS) 00AG9603 is an implant comprised of 5 components: Solartime, Wolfcreek, Keystone, BadMFS, and the Windows Transitory File system.

Solartime modifies the partition boot sector to load some kernel code. That kernel code then modifies the Windows boot process so that when Windows loads boot-time device drivers, an implant device driver can be loaded. The implant driver and Solartime boot code (aside from the partition boot sector modifications) are kept in a small user-specified file on disk. This file is encrypted.

Wolfcreek is the kernel code that Solartime executes. Wolfcreek is a self-loading driver that, once executed, can load other drivers and user-mode applications.

Keystone is responsible for starting user applications. Any application started by MW is done without the implant ever being dropped to the file system. In other words, a process is created and the implant is loaded directly into memory. Currently all processes will be created as svchost. When viewed in Task Manager (or another process viewing tool) all properties of the process will be consistent with a real instance of svchost.exe, including image path and parent process. Furthermore, since the implant code never touches the file system (aside from the possibility of paging) there is very little forensic evidence that the process was ever run.

BadMFS is a covert file system that is created at the end of the active partition. It is used to store all drivers and implants that Wolfcreek will start. All files are both encrypted and obfuscated to avoid string or PE header scanning.

The Windows Transitory File system is the new method of installing 00AG9603. Rather than lay independent components on disk, the system allows an operator to create transitory files for specific actions including installation, adding files to 00AG9603, removing files from 00AG9603, etc. Transitory files are added to the UserInstallApp (either the .exe or the .dll version).

2. (S) Implant Forensics

(S) 00AG9603 has a small forensic footprint.

Table: (S) 00AG9603 Installer MD5 Signature

  00AG9603 Installer                    MD5 Sum
  UserInstallApp.exe (default name) [1]
  UserInstallApp.dll (default name)
  tdbsip.sys (default name)
  xqlmi.dat (default name, pack file)
  wtpack.exe

  [1] (S) The user may rename the 00AG9603 Installer as necessary without impact to 00AG9603's operation.

Table: (S) 00AG9603 Footprint Revision

  Forensic Entry: File: encrypted container file
    Purpose: Holds boot code
    Changeable: Yes

  Forensic Entry: Boot Sector: partition boot sector modification
    Purpose: Holds boot code
    Changeable: No

  Forensic Entry: Registry key: HKLM\System\CurrentControlSet\Control\Windows\SystemLookup
    Purpose: Holds BadMFS parameters
    Changeable: No

  Forensic Entry: Covert Store: BadMFS will create an encrypted covert file system in the file specified in the zf file. Alternatively, the covert file system can be placed at the end of the active partition.
    Purpose: Holds driver and user-mode implants
    Changeable: No

3. (S) Implant Operation

3.1 (U) 00AG9603 Installer

(S) 00AG9603 now comes with two installer versions, both an executable and a fire-and-collect .dll installer. In order to install 00AG9603 on a target system, an operator must first create an "inst" transitory file via the wtpack executable. This transitory file must be finalized to the installation application of the operator's choice.

(S) Once an "inst" transitory has been finalized, the installation method then depends on which installer the operator has chosen to use. For the .exe installer, the installer should merely be run on the target machine with administrative privileges. The fire-and-collect installer should be loaded into an appropriate target process (i.e. one with administrative privileges).

(S) 00AG9603 requires administrative privileges to use either install mechanism.

3.1.1 (U) Wtpack usage

(S) Both 00AG9603 install mechanisms lack command line options. Instead, all options are built through the creation of transitory files via the wtpack executable. Below is a list of wtpack.exe commands and the options associated with those commands:

(U) Wtpack commands

Table: (S) wtpack commands

  Command: new
    Options: (inst|list|del|add|get|uninst) transitory_file_name
    Flags: none
    Purpose: Creates a new transitory file. This transitory file can be for installation, listing files in the covert store, deleting files in the covert store, adding files to the covert store, getting the log file from the covert store, or uninstallation.

  Command: update
    Options: transitory_file_name {flags}
    Flags:
      -bp (Path on Target)
        Specify the location of the BadMFS covert store partition on target. If this option is "PhysicalDrive", BadMFS will be used in the slack space at the end of the drive. N.B. certain drives do not have such slack space at the end.
      -wd (file name)
        Specify the location of the wolfcreek driver to add to the transitory file.
      -cp (Path on Target)
        Specify the location of the solartime container path that will be created on target. N.B. this path cannot have a drive letter. It also must be under the \Windows\ folder.
      -st (file name)
        The solartime pack file (xqlmi.dat) to be added to the transitory file.
      -f (file name)
        File name to be deleted from the covert store.
      -bin (file name) {sub-options}
        Add the specified binary (.exe, .dll, or .sys) to the transitory file.
    Purpose: Updates a transitory file with additional information required to finalize it.

  Command: print
    Options: transitory_file_name
    Flags: none
    Purpose: Prints a summary of the contents of the transitory file.

  Command: finalize
    Options: transitory_file_name {user install application}
    Flags: none
    Purpose: Adds the specified transitory file as a resource to the targeted user install application.

3.2 (S) Installing BadMFS

(S) 00AG9603 uses the BadMFS covert file system to store many of the implants and data required to run. BadMFS has two options for installation, one using a specified file and the other using slack space at the end of a hard drive. Which option is used depends on what is specified under the -bp flag. To use the specified file option, an operator must give a complete path to a file that will hold the covert store on disk. To use the slack space option, the operator must specify "PhysicalDrive". Note that many drives do not have such slack space, therefore installation under this method is not guaranteed. The maximum file system size for BadMFS is 200 MB.

Once BadMFS is installed using the 00AG9603 installer, the location of BadMFS must be provided to any transitory file created. The location is specified with the -bp flag when building a transitory file.

3.3 (S) Installing 00AG9603 (inst transitory file)

(S) To install 00AG9603, you must create and finalize an "inst" transitory file. This transitory file must include the BadMFS path on target (-bp), the wolfcreek driver (-wd), the solartime container path that will be created on target (-cp), and the solartime pack file (-st). Note that the container path (-cp) must not contain a drive letter, and it must be placed under the \Windows folder (i.e. the path must be \Windows\...).

Example creation of inst transitory file:

  wtpack.exe new inst "inst_transitory_file"
  wtpack.exe update "inst_transitory_file" -bp "BadMFS location"
  wtpack.exe update "inst_transitory_file" -wd "wolfcreek driver"
  wtpack.exe update "inst_transitory_file" -cp "solartime container file (created on target)"
  wtpack.exe update "inst_transitory_file" -st "solartime pack file"

3.4 (S) Adding a File To The Covert File System (add transitory file)

(S) To add a file to the BadMFS covert file system, you must create an "add" transitory file. The file must be finalized to the installation binary, which will then be run on target. Whenever files are added to the covert file system, a 3-digit number is prepended to the file name to encode information about the file for internal 00AG9603 use. For .exe, .dll, and .sys files, an additional file is also created (with a similar name) that contains the command line parameters to be passed to the .exe. To delete an .exe or .sys file, both of the files matching the implant name should be deleted. N.B. Multiple files can be added to an "add" transitory file.

Example creation of add transitory file:

  wtpack.exe new add "add_transitory_file"
  wtpack.exe update "add_transitory_file" -bp "BadMFS location"
  wtpack.exe update "add_transitory_file" -bin "file to add" {sub-options}

3.4.1 (S) Sub-options for -bin

(S) There are several sub-options for the -bin option to add a binary file to BadMFS. The following list contains all options available. N.B. While most of these are optional, some are required depending on the type of binary being added to the covert store.

  Sub-Option  Potential Values                               Notes
  -execp      persistent execution interval in minutes
  -execd      delay for initial execution in seconds
  -execa      absolute execution time                        Must be in UTC. Format of YYYY:MM:DD:HH:MM:SS
  -inject     target process for .dll injection              For .DLL only. Must be specified in that case.
  -dtype      type for drivers (sys, auto, boot)             For .SYS only. Default value is 'auto'
  -cmdline    command line options                           Must be the last option.
