DerStarke_v1_4_DOC

SECRET//NOFORN

Der Starke 1.4 Companion User Guide

DESCRIPTION

Der Starke is a diskless, EFI-persistent version of Triton. Once active on a target system, the implant executed within diskarbitrationd and typically performs network communications through a browser process so that PSPs like Little Snitch cannot easily detect it’s presence. This Companion User Guide is meant to supplement the Triton User Guide.

SYSTEM REQUIREMENTS

Mac OS X 10.7+

fdisk

BUILD INSTRUCTIONS

Run tar -zxf DerStarkeBuilder.tar.gz

config.plist

Run derstarke_builder.pyz -c config.plist

After building, a directory called DerStarkeDeployment_XXXX will be created; The following notable files will be present:

dmconfig………………………configuration information

TRITON-XXXX/…………………..Triton-related build files

originalConfig.plist……………The build config

mkusb.sh………………………Script to create a USB drive with the disk image from this build

InstallImageFortargetID.iso……..Disk image containing implant installer

tasking.

INSTALLATION INSTRUCTIONS

media

1. Insert a USB device to be formatted

4. Confirm that the USB device contains the following files:

1. /EFI/BOOT/BOOTX64.EFI

2. /S.efi

3. /VI.efi

USB device

system

device

4. Hold the power button for 10 seconds

5. Immediately hold down the option key after the system turns on

7. For MacBook Air 6,x and MacBook Pros 11,x, a special unlock driver will need to be loaded

Installer will automatically detect and load the driver, and the following text should appear:

2. Afer the machine reboot, the flash will be unlocked

9. If the screen says FAILURE start over, and be sure that the power button is held for

10 seconds

10. Once the installation is complete, the system will turn off, and a receipt may have been recorded to the USB device

11. If installing from a CD instead of a USB device, one more boot, while holding option may be necessary to remove the CD

CONFIG.PLIST PARAMETERS

TRITON OPTIONS

Target ID: A number used to identify and manage the implant’s files and keys

Listening Post: The URL of the CGI script to which the implant will beacon

Minimum Beacon Interval: The minimum number of seconds between beacon attempts. Random jitter may increase any given beacon interval by up to 33% of the specified value.

Check URLs: A list of HTTP URLS that will be used to verify Internet connectivity before communication with an LP is attempted. A random URL is selected from this list during each beacon. It must return HTTP 200 in order for a beacon to occur.

Network Injection Target: Processes into which the implant may inject it’s networking bundle. The process list is scanned in the order specified. The first process found is used until it exits.

deployments.

Full Authentication: Indicates whether or not the implant should use a fully authenticated SSL connection to the LP

(optional): A domain name that will be queried when the implant uninstalls.

(optional): The number of seconds the tool waits for a successful beacon before deciding to uninstall. The start of the wait time is either the first time Triton is injected into OSX, or the last successful beacon.

EFI OPTIONS

Hibernation

Period and Hibernation Date cannot both be set.

Hibernation Date: The UTC date after which Triton will be injected into diskarbitrationd during boot. Note that Hibernation Period and Hibernation Date cannot both be set.

Uninstall Date: The UTC date after which a system reboot will cause the implant to uninstall or deactivate

Triton portion of the implant can fail load before the EFI portion uninstalls. Booting into an unsupported operating system and kernel panics increment the warning count

Patch Firmware: A flag indicating whether or not the firmware should be unlocked to allow the implant to be securely deleted during an uninstalled. If set false, the implant will only deactive during an uninstall. If set true, this can add 10-45 secs to installation time depending on laptop.

Make Receipt File: A flag indicating whether or not an installation receipt should be generated.

Patch PEI for update persistence: A flag indicating whether or not to reinject the implant during an OSX firmware update. This option will write two extra implants to firmware and can add 15-30 secs of installation time.

INSTALLER STATUS CODES AND MESSAGES

The installer may output the following status codes:

0x80000002 — Firmware Append Error

Error

Error

0x80000005 — Firmware Out of Space Error

Warning

0x40020000 — Receipt Warning: The receipt could not be written to the installation media

0x40040000 — PEI Find Warning: Unable to find PEI Core. Update persistence will not be enabled.

enabled

enabled

During Install the following message indicates the installer detected a machine that can be unlocked by holding the power butter for 10 secs:

• ERROR: TRIGGER NOT NEEDED

UNINSTALL COMMENTS

After an uninstall, the flash memory will be unlocked until an Apple firmware update is applied

Secure deletion of implant is performed on the first system reboot after an uninstall is triggered. It increases boot time by 30-60 seconds. Since BIOS/EFI will need to flush NVRAM every 40-60 boots, it is reasonable to ocassionally see boots that take a longer amount of time.

is held down or power is lost during a secure delete of the implant, MacBooks mid 2012 and newer have run length fields that prevent the laptop from bricking. Parts of the implant may still forensically exist in firmware, but only as partial encrypted blobs. On laptops older than mid 2012, there is a possiblity of a corrupt firmware, but it has also been observed that secure deletes take less time on older hardware.

BOOTCAMP COMMENTS

cause Der Starke to beacon several hours later than expected.

 


Добавить комментарий

Ваш e-mail не будет опубликован. Обязательные поля помечены *