Assassin v1.3 Training

Similar documents
ASSASSIN v1.2 QUICK START

ASSASSIN v1.4 USER GUIDE

ASSASSIN v1.1 USER GUIDE

Engineering Development Group

BEAAquaLogic. Service Bus. MQ Transport User Guide

3.3 Audio Import Manager (AIM)

BEAAquaLogic. Service Bus. Native MQ Transport User Guide

GSS Administration and Troubleshooting

Perle Dial-Out User s Guide

Engineering Development Group

Data Acquisition Processor Service

(S) Engineering Development Group. (S) Pandemic V1.0 (U) Tool Documentation

Chapter 14: Files and Streams

(U) Hive Engineering Development Guide

Finding Support Information for Platforms and Cisco IOS Software Images

RTView Data Server SL Corporation. All Rights Reserved Sherrill-Lubinski Corporation. All Rights Reserved.

Tanium Protect User Guide. Version 1.9.3

Contact Software, Inc. Accelerated Development Team. UNITEDRAK E Manual

SOURCEFIRE 3D SYSTEM RELEASE NOTES

SonicWall SonicOS 5.9

HP-UX Software and Patching Management Using HP Server Automation

Release 2.11 Standard AXE Primary Firmware is not intended for use on any 8521 Controller not licensed as a RTU.

Maintenance Tasks CHAPTER

SaaSaMe Transport Workload Snapshot Export for. Alibaba Cloud

NET Control & NET User. User Manual. Rogev computers

Redirector User Guide

VMware Mirage Web Management Guide. VMware Mirage 5.9.1

VMware Mirage Web Manager Guide

Configuring Tap Aggregation and MPLS Stripping

Department of Electrical and Computer Systems Engineering

The Google File System (GFS)

DPtech IPS2000 Series Intrusion Prevention System User Configuration Guide v1.0

M2M GPRS Gateway Control Panel

ServiceDLL v1.2 Grasshopper Component User Guide

Cordex Controller Software v2.15

ISDN Console Setup Utility User s Guide

The Google File System

Configuring NetFlow. Information About NetFlow. Send document comments to CHAPTER

Full System Restore Manually Running Command Prompt Windows Xp

Real-Time Dashboard Integration Bomgar Remote Support

IBM Exam C IBM WebSphere Message Broker V8.0 System Administration Version: 6.0 [ Total Questions: 55 ]

Remote Device Mounting Service

SQLite Server - About

Batches and Commands. Overview CHAPTER

Scan Station 710/730 Release Notes:

Configuring NetFlow. NetFlow Overview

Maintenance Tasks CHAPTER

PROXY Pro Deployment Tool v10.0. User Guide October 2017

IMC Network Traffic Analyzer 7.2 (E0401P04) Copyright 2016 Hewlett Packard Enterprise Development LP

Protection! User Guide. A d m i n i s t r a t o r G u i d e. v L i c e n s i n g S e r v e r. Protect your investments with Protection!

SECRET//NOFORN. Dumbo v3.0 User Guide 25 June CL BY: DECL: 25X1; 25 June 2040 DRV: CIA NSCG MET S-06 SECRET//NOFORN

Dell SonicWALL SonicOS 5.9 Upgrade Guide

easyimport v2.5 Setup Guide

Sage 200 Extra 2015 Service Pack 2 Installation and Release Notes

Java EE 7: Back-End Server Application Development

READ CAREFULLY AND UNDERSTAND THE LIMITATIONS AND RESTRICTIONS DESCRIBED IN THE RELEASE NOTE BELOW BEFORE INSTALLING THE SOFTWARE.

RedundancyMaster PTC Inc. All Rights Reserved.

Source Control. Deployment. What usync Does. usync Versions

Getting Started Guide

Integration Client Guide

Backup and Restore System

3CX Mobile Device Manager

User Manual. DriveStation Power Saving Utility. v2.3

Manual. bintec elmeg GmbH. Manual. bintec elmeg Dime Manager. Copyright Version 1.3.8, 2013 bintec elmeg GmbH

Print Release Client. Deployment Guide PrinterOn Corporation

Virtual Services Container

Configuring OpenFlow 1

Quick Installation Guide Server and mass deployment to Clients. Auto Shutdown Manager Release 5

Client Installation and User's Guide

ServiceDLL v1.3 Grasshopper Component User Guide

User s Guide. Controller. Be sure to keep all user documentation handy for future reference.

Introduction to Process in Computing Systems SEEM

Cisco Unified Operating System Administration Web Interface

Page Replacement. 3/9/07 CSE 30341: Operating Systems Principles

Overview of QPM 4.1. What is QPM? CHAPTER

Cisco Unified Operating System Administration Web Interface for Cisco Emergency Responder

2017, IBM Corporation Liberty z/os Good Practices. WebSphere Liberty z/os Applications and Application Deployment

ID: Sample Name: tesseract-ocrsetup exe. Cookbook: default.jbs Time: 16:44:15 Date: 12/02/2018 Version:

SAS 9.2 Foundation Services. Administrator s Guide

10.2 Running process checklist Contacting TEMASOFT Support... 30

VMware Mirage Getting Started Guide

Provisioning the K1000 Agent

Operation Manual. for the. Data Logging Software. Version 7.1. (Isoft.xls)

Exam Name: Installing and Configuring Windows 10

Entrust. Discovery 2.4. Administration Guide. Document issue: 3.0. Date of issue: June 2014

Configuring Notifications for Cisco Unified MeetingPlace Express

Editing ITP MLR Address Table Files

Client Installation and User's Guide

CYAN SECURE WEB Installing on Windows

Adding Distribution Settings to a Job Profile (CLUI)

Memory Improve Master Free Version

StoneGate Management Center Release Notes for Version 4.2.1

Chapter 5. File and Memory Management

Performance Best Practices Paper for IBM Tivoli Directory Integrator v6.1 and v6.1.1

Interface Reference. McAfee Application Control Windows Interface Reference Guide. Add Installer page. (McAfee epolicy Orchestrator)

Network Management Software ALLNET Zone Controller

Release 3.0 Insights Storage Operation and Maintenance Guide. Revision: 1.0

NET Data Logger. Centre Software Guide UDP GSMS NET HV, NET THR HV NS828 H / H2 / HX / S / S2. Revision [v1.0.4c]

ScaleLink Pro USER GUIDE

OPERATING SYSTEMS ASSIGNMENT 3 MEMORY MANAGEMENT

Transcription:

Assassin v1.3 Training

Assassin General Information

Assassin Configuration Sets Running Current settings, only stored in memory All modifications to the configuration are made to the running configuration If changes are not explicitly persisted, they will be lost on restart Persistent Settings the implant will revert to upon startup Updated using the <persist_settings> command Factory Settings the implant had when it was built and originally deployed Can be reverted to using the <restore_defaults> command Stored as a patch in the implant binary and is never modified

Assassin Directories Input Directory tasking files are downloaded to and stored in until they can be processed Startup Directory tasking files designated for startup execution are moved to and processed whenever the Implant starts The directory may also contain a configuration file of the implant s persisted settings

Assassin Directories (cont d) Output Directory files are packaged and chunked for the upload queue to be transmitted during beacons Third-party tools may use this feature to forward files to the listening post Push Directory where files are packaged and uploaded immediately, ignoring the beacon interval and chunk size If unable to upload the file, it is placed, un-chunked, in the upload queue with priority status Third-party tools may use this feature to forward files to the listening post Staging Directory used to store the files in the upload queue Directory is reserved for Implant use

Deployment Executables Injection Launchers When the launcher runs, it drops an instance of the Implant DLL to the disk and injects it into an existing Windows SYSTEM process Carries an Implant DLL embedded as a resource, which it is responsible for deploying Injection Extractor Carries both the 32- and 64- bit Launchers as resources and runs the correct executable based on the operating system before self deleting

Deployment Executables (cont d) Service Installers When the launcher runs, it registers the Service DLL as a service that should be run by the netsvcs svchost on startup Carries an Implant Service DLL embedded as a resource, which it is responsible for deploying Service Extractor Carries both the 32- and 64- bit Implant Service DLLs and installs the appropriate Implant based on the operating system before self deleting

Implant Executables Provide the core functionality for the implant Can be run directly or through one of the Deployment Executables Includes five available types; DLL, Service DLL, EXE, ICE-DLL, and Pernicious ICE DLL Pernicious ICE is a NSA provided capability that defeats Deep Freeze

Assassin Tasking For Fun and Profit

Run Mode <run_mode> Combination of the letters described below: R the task will be run on receipt S the task will be run on implant startup P the task results will be immediately pushed to the LP on execution without chunking

Generate Batch generate_batch <run_mode> Task that combines one or more assassin commands into a single task. All embedded commands will be executed in sequence Any error during execution will stop the remaining batch commands from being executed A batch can be exported to XML for later use

File System Tasks get <run_mode> <r_file> [offset=0] [bytes=0] Get a file from the target machine put <run_mode> <l_file> <r_file> [offset=0] [bytes=0] Put a local file on the target machine file_walk <run_mode> <r_dir> <wildcard> <depth> [time_check= no_check ] [date] Walk the directories on the target, collecting information on files specified by the provided parameters get_walk <run_mode> <r_dir> <wildcard> <depth> [time_check= no_check ] [date] [offset=0] [bytes=0] Walk the directories on the target, collecting files specified by the provided parameters

File System Tasks (cont d) delete_file <run_mode> <r_file> Delete a file from the target delete_secure <run_mode> <r_file> Securely delete a file from the target. The file is overwritten with zeroes before being deleted

Program Execution Tasks execute_bg <run_mode> <r_file> [args= ] Execute a program on the target in the background. The implant will continue to operate. The standard output and return code of the program is ignored execute_fg <run_mode> <r_file> [args= ] Execute a program on the target in the foreground. The implant will wait for the program to exit. The standard output and return code of the program are captured and returned

DLL Memory Load load_faf_bg <run_mode> <dll_file_path> [args= ] Load the provided Fire and Forget V2. DLL into memory and based on its return value, either clear it from memory or leave it running load_ice_bg <run_mode> < dll_file_path > [args= ] [feature_set= ] Load the provided ICE V3 DLL into memory, and run it using the provided feature set. If the DLL only supports one feature set, that option will be used and the feature_set parameter is not required

Global Configuration Tasks persist_settings <run_mode> Save the current settings as the default configuration that will be loaded at implant startup. Configuration changes must be explicitly persisted, or they will revert on next startup restore_defaults <run_mode> <options> Change the running implant configuration to factory settings, any changes must be persisted in order to survive a reboot

Beacon Configuration Tasks set_beacon_params <run_mode> [initial=0] [default_int=0] [max_int=0] [factor=0.0] [jitter=0] Set one or more of the beacon parameters. Note that 0 indicates do not alter this value set_blacklist <run_mode> [programs=[]] [files=[]] Set the process blacklist set_whitelist <run_mode> [programs=[]] [files=[]] Set the process whitelist

Beacon Configuration Tasks (cont d) safety <run_mode> <seconds> Set the implant beacon interval during idle beacons. This task will not generate a result set_interval <run_mode> <seconds> Set the implant beacon interval. This task will not generate a result. The command is used by the safety command and is required by Collide.

Comms Configuration Tasks set_transport <run_mode> [xml_file=none] Set the communication transport configuration set_chunk_size <run_mode> <chunk_size> Set the chunk size to limit network traffic per beacon

Operation Window Configuration Tasks set_hibernate <run_mode> <seconds> Set the hibernate time in seconds after first execution. The implant will lie dormant until the hibernation period has passed set_uninstall_date <run_mode> <date> Set the uninstall date for the implant set_uninstall_timer <run_mode> <seconds> Set the uninstall timer to seconds from the time that the task is processed by the implant set_beacon_failure <run_mode> <count> Set the maximum number of sequential beacon failures that can occur before uninstalling

Maintenance Tasks get_status <run_mode> <status_mode> <options> Request the current implant configuration and status information clear_queue <run_mode> Clear all files from the implant upload queue. The clear_queue task will delete all files from the output, push, and staging directories on target. This may include file chunks that have been partially uploaded upload_all <run_mode> Upload all files currently in the upload queue. The upload_all task will upload all files in the output, push, and staging directories to the listening post as quickly as possible, ignoring the chunk size setting. unpersist <run_mode> Stop the implant persistence mechanism on the target uninstall <run_mode> Uninstall the implant from the target immediately

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback