Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
- HKLM\SYSTEM\CurrentControlSet\Services\<PROXIED_SERVICE_NAME>\Parameters

Modified (during hijack)
- HKLM\SYSTEM\CurrentControlSet\Services\<HIJACKED_SERVICE>\Parameters\ServiceDll
- HKLM\SYSTEM\CurrentControlSet\Services\<HIJACKED_SERVICE>\Parameters\ServiceDllUnloadOnStop
Testing Observation

During automated testing on some Kaspersky boxes, when the service path was
configured to a file in windows/temp and LanmanServer was the proxied service,
a popup would occur identifying the Grasshopper as a Trojan. This did not occur
for other service paths or services. If the temp path was needed for the
service, the -d/--disallowed parameter could be used to prevent LanmanServer
usage.
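The registry values listed above (a service's Parameters\ServiceDll and ServiceDllUnloadOnStop) and the testing observation (a ServiceDll under windows/temp is what tripped the AV popup) together describe what a defender should look for when hunting for this persistence technique. The following is an added example, not code from the original document or from the Grasshopper project: it parses a `reg export` style dump of the Services hive offline, decodes REG_EXPAND_SZ values written as `hex(2):` UTF-16LE byte lists, and flags ServiceDll entries that point under temp or other user-writable directories or outside System32. The sample export, the service names ExampleSvc and VendorSvc, and their DLL paths are constructed for the demonstration; LanmanServer's value is included as the legitimate baseline. The check generalises beyond the temp-path case in the text by also reporting any ServiceDll outside System32 as a lower-confidence finding.

```python
"""Triage ServiceDll values in an exported Services hive for suspicious paths."""
import re
from typing import Dict, List

# Directories where a legitimate svchost-hosted service DLL should not live.
SUSPICIOUS_DIRS = ("\\temp\\", "\\tmp\\", "\\users\\", "\\programdata\\", "\\appdata\\")
SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"


def encode_hex2(value: str) -> str:
    """Render a string the way reg export writes REG_EXPAND_SZ:
    'hex(2):' + NUL-terminated UTF-16LE bytes, wrapped with trailing backslashes."""
    data = (value + "\0").encode("utf-16-le")
    hexs = [f"{b:02x}" for b in data]
    chunks = [",".join(hexs[i:i + 20]) for i in range(0, len(hexs), 20)]
    return "hex(2):" + ",\\\n  ".join(chunks)


def decode_value(raw: str) -> str:
    """Decode a .reg value: quoted REG_SZ, hex(2) REG_EXPAND_SZ, or anything else verbatim."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    m = re.match(r"hex\(2\):(.*)$", raw)
    if m:
        data = bytes(int(h, 16) for h in m.group(1).replace(" ", "").split(",") if h)
        return data.decode("utf-16-le").rstrip("\0")
    return raw


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a reg export into {key_path: {value_name: decoded_value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        # reg export splits long hex values across lines ending in a backslash.
        while line.rstrip().endswith("\\") and i + 1 < len(lines):
            i += 1
            line = line.rstrip()[:-1] + lines[i].strip()
        i += 1
        s = line.strip()
        if not s or s.startswith("Windows Registry Editor") or s.startswith(";"):
            continue
        if s.startswith("[") and s.endswith("]"):
            current = s[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in s:
            continue
        name, _, raw = s.partition("=")
        keys[current][name.strip('"')] = decode_value(raw)
    return keys


def triage_service_dlls(text: str) -> List[dict]:
    """Return one finding per service whose ServiceDll looks out of place."""
    findings = []
    for key, values in parse_reg_export(text).items():
        up = key.upper()
        if not up.startswith(SERVICES_PREFIX.upper()) or not up.endswith("\\PARAMETERS"):
            continue
        dll = values.get("ServiceDll")
        if dll is None:
            continue
        service = key[len(SERVICES_PREFIX):].rsplit("\\", 1)[0]
        low = dll.lower()
        reasons = []
        if any(d in low for d in SUSPICIOUS_DIRS):
            reasons.append("ServiceDll under a temp or user-writable directory")
        if not (low.startswith("%systemroot%\\system32\\") or low.startswith("c:\\windows\\system32\\")):
            reasons.append("ServiceDll outside System32")
        if reasons:
            findings.append({"service": service, "service_dll": dll, "reasons": reasons,
                             "unload_on_stop": values.get("ServiceDllUnloadOnStop")})
    return sorted(findings, key=lambda f: f["service"])


# Constructed sample export: LanmanServer is the genuine value; ExampleSvc and
# VendorSvc are hypothetical services invented for this demonstration.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    "[" + SERVICES_PREFIX + "LanmanServer\\Parameters]",
    '"ServiceDll"=' + encode_hex2("%SystemRoot%\\System32\\srvsvc.dll"),
    '"ServiceDllUnloadOnStop"=dword:00000001',
    "",
    "[" + SERVICES_PREFIX + "ExampleSvc\\Parameters]",
    '"ServiceDll"="C:\\\\Windows\\\\Temp\\\\example_hijack.dll"',
    '"ServiceDllUnloadOnStop"=dword:00000001',
    "",
    "[" + SERVICES_PREFIX + "VendorSvc\\Parameters]",
    '"ServiceDll"="C:\\\\Program Files\\\\Vendor\\\\vendor_svc.dll"',
])

if __name__ == "__main__":
    for f in triage_service_dlls(SAMPLE_REG):
        print(f"{f['service']}: {f['service_dll']} -> {'; '.join(f['reasons'])}")
```

On a live host the same function can be fed the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` or an export taken from an offline SYSTEM hive; the "outside System32" reason will also fire on legitimate third-party services, so treat it as a prompt to verify the DLL's signature rather than as a verdict, while a ServiceDll under a temp directory is rarely legitimate.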