]HackingTeam[ KnowledgeBase Product
Search:     Advanced search

Scout: how does it work?

Article ID: 213
Last updated: 28 May, 2015

Installation requirements

  • Do not install the operating system on a VMWare or VirtualBox virtual machine.
  • There be must no other Scout, Soldier or Elite instance on the PC.

Available modules

  • DeviceInfo (it cannot be disabled from the console). It returns:
    • installed operating system version;
    • CPU architecture (32 or 64 bit);
    • RAM (used and installed);
    • installed applications;
    • info about the user logged in;
    • info about local date/hours.
  • Screenshot. It returns:
    • a Desktop screenshot.


When a computer is infected, the Scout executable file is copied (after about 15 seconds) to the Windows autostart folder. The silent installer that infected the PC stays in RAM until the next system reboot/logoff and synchronizes with the server, sending the collected data. When is loaded into memory, the Scout checks if:

  • the operating system is running in a Virtual Machine (VMWare or VirtualBox);
  • the PC is running an Elite instance;
  • the PC is running a Soldier instance.

If the PC is running an Elite instance and the Scout executable file was run from the Windows Startup folder, the Scout executable file is deleted from the PC; in all other cases the process ends without further actions.

The Scout agent deals with:

  • acquiring system data (DeviceInfo) and saving a desktop screenshot. The screenshot module is active only if it was enabled in the Console, during the factory building process;

!!! ⇒ The system data are sent only once for each Scout execution, whereas the screenshots are sent periodically.

  • synchronizing with the server to send the collected data;
  • receiving commands or updates from the server.

Synchronisation with the server

When the Scout process is run, after the initial control procedures it waits for 5 minutes without performing any task. After 5 minutes, the process starts again at the first user activity detected (input from keyboard or mouse). Subsequently it creates the synchronization thread that deals with exchanging data with the server; if the server sent to Elite or Soldier an upgrade command, the Scout instance is updated.

Synchronization occurs every 20 minutes if the previous synchronization was successful; otherwise every 5 minutes a new connection attempt is done.

!!! ⇒ The synchronization timers cannot be edited by console.

Synchronization timers overview

  • After 5 minutes since the application starts, plus any time of user inactivity (no input from the mouse or keyboard).
  • After 20 minutes since previous successful synchronization.
  • After 5 minutes since previous failed synchronization.

How to test the agent

Consider this recap as the starting point for all your tests. We're always referring to the first stage of the agent (Scout), using a silent installer. Remember that silent installer should never be sent to the target as is, but one of your field operators must run it directly on the target computer:

  1. prepare a clean system with no other agent installed;
  2. double-click on the silent installer;
  3. wait until the end of the agent installation (30 seconds should be enough).

At this point you can leave the session open, log off or even restart the machine; the agent will run and will restart at every user login.

In order to troubleshoot if the process is running, consider that:

  • the task manager shows the process with the original name (that obviously can be changed as you wish) until the first logoff/reboot;
  • the task manager shows the process with the disguised name for all the following sessions.

Every time the agent is started (directly or automatically), the first synchronization happens if:

  • the agent is running (check via task manager);
  • you wait for at least 5/6 minutes (with or without user interaction);
  • you interact with the system pressing keys or moving the mouse;
  • the target computer can reach the IP address configured during the agent build.

After that, other synchronizations occur every 20 minutes.

A recap to some common concerns:

  • the 5 minutes interval and the user interaction are in place in order to allow the agent to avoid AV software detection;
  • if you want to delete the silent installer, you can just log off, log on again and then delete it, otherwise you should use another vector like the self-deleting executable;
  • the agent will not run on virtual machines, it is the standard behaviour from the beginning of the product. If you succeeded in running it on a VM it was probably because the agent wasn't able to recognize it;
  • rebooting before the agent ends its installation (30 seconds max) is not a common scenario, because the silent installer must be used only by your field operator and he can be instructed to wait enough;
  • the scout is just an "explorer" that checks if the system can be safely infected with the other stages, so it is not intended to collect relevant data from the target machine.

Article ID: 213
Last updated: 28 May, 2015
Revision: 8
document Public
Views: 3
Comments: 0
This article was:   Helpful | Not helpful
Also listed in
folder Procedures -> Agents

Prev   Next
Offline infection requirements     Android