Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//ORCON//NOFORN
1 Overview
Scrub is a persistence module that uses a Windows registry run key to persist a
payload. When a payload is chosen to use this module, Scrub will install a run key
and deploy the payload and (if needed) stub executable to the target.
Scrub supports 32- and 64-bit EXE, DLL, and GH1 payloads. A 32-bit Scrub stub
and payload may be installed on a 64-bit machine, but not vice versa.
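Added example, not part of the original document and not Scrub's own code: a Python check of the compatibility rule above. pe_bitness reads the COFF Machine field and the optional-header Magic of a PE image to decide whether it is 32- or 64-bit (and rejects headers that disagree), and can_install applies the rule that a stub and the DLL it loads must have the same bitness and that 32-bit images run on a 64-bit host but not the reverse. make_pe_header builds minimal synthetic headers so the check runs offline; against real binaries the bytes would be read from the payload and stub files.

```python
import struct
from typing import Optional

IMAGE_FILE_MACHINE_I386 = 0x014C   # COFF Machine values from the PE specification
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC = 0x10B                 # optional-header Magic: PE32 (32-bit)
PE32PLUS_MAGIC = 0x20B             # PE32+ (64-bit)


def make_pe_header(machine: int, magic: int) -> bytes:
    """Synthetic minimal PE header (constructed for this example, not a real binary):
    a 0x40-byte DOS header whose e_lfanew points at 'PE\\0\\0', a 20-byte COFF file
    header, and an optional header that only carries the Magic word."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0xE0, 0)
    optional = struct.pack("<H", magic) + b"\0" * 0xDE
    return bytes(dos) + b"PE\0\0" + coff + optional


def pe_bitness(image: bytes) -> int:
    """Return 32 or 64 for a PE image; raise ValueError for anything else."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if len(image) < e_lfanew + 26 or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine = struct.unpack_from("<H", image, e_lfanew + 4)[0]
    magic = struct.unpack_from("<H", image, e_lfanew + 24)[0]  # optional header follows the 20-byte COFF header
    by_machine = {IMAGE_FILE_MACHINE_I386: 32, IMAGE_FILE_MACHINE_AMD64: 64}.get(machine)
    by_magic = {PE32_MAGIC: 32, PE32PLUS_MAGIC: 64}.get(magic)
    if by_machine is None or by_magic is None or by_machine != by_magic:
        raise ValueError(f"unsupported or inconsistent headers: machine=0x{machine:04x} magic=0x{magic:03x}")
    return by_machine


def can_install(stub_bits: Optional[int], payload_bits: int, host_bits: int) -> bool:
    """stub_bits is None for an EXE payload, which needs no stub."""
    # A DLL payload is loaded into the stub's process, so the two must match.
    if stub_bits is not None and stub_bits != payload_bits:
        return False
    # 32-bit images run on a 64-bit host under WOW64; 64-bit images cannot run on a 32-bit host.
    return payload_bits <= host_bits


if __name__ == "__main__":
    stub = make_pe_header(IMAGE_FILE_MACHINE_I386, PE32_MAGIC)
    payload = make_pe_header(IMAGE_FILE_MACHINE_I386, PE32_MAGIC)
    for host in (32, 64):
        print(f"32-bit stub + 32-bit DLL on {host}-bit host:",
              can_install(pe_bitness(stub), pe_bitness(payload), host))
```

On a real deployment the host bitness would come from the target (for example the PROCESSOR_ARCHITECTURE environment variable or the presence of the Wow6432Node registry view), which the script takes as a parameter.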
2 Installation
Scrub uses direct registry modifications to create a run key in the Windows registry.
The run key is used to run an executable (payload or stub) at user login. If the
module fails to install the payload, it will delete any deployed components and
remove the registry modifications.
2.1 Configuration
The following fields are configured at build time to specify Scrub's installation
behavior.

Field             Default  Description
----------------  -------  -----------------------------------------------------------
Payload Path      None     Path to the payload EXE or DLL on the target; not used for
                           GH1 payloads. If the path does not exist, it is created.
Startup EXE Path  None     Path to the stub EXE on the target, installed with the run
                           key; not used for EXE payloads. If the path does not
                           exist, it is created.
Start Now         True     Whether the payload should be started immediately.
3 Payload Execution
Whenever a user logs in, the Windows OS will run all executables listed in the
registry under the run key with that user's privileges. What executable is registered
and how it behaves depends on the payload type. Scrub supports three kinds of
payload: EXE, DLL, GH1.
3.1 EXE
If the payload is an EXE, Scrub installs the run key for the payload executable. The
Windows OS will start the payload directly, optionally passing command line
arguments.
An EXE payload is responsible for deleting itself from the target. The run key will
not be removed.
3.2 DLL
If the payload is a DLL, Scrub deploys a stub as the run key executable. During
installation, the stub is configured with the path to the payload. Upon execution by
the Windows OS, the stub will load the payload DLL.
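Added example, not part of the original document and not Scrub's code: the defender's view of the mechanism described in sections 2 and 3. The document does not say which hive Scrub writes to, so the script handles both. It parses a constructed .reg export (the kind `reg export` produces) of Run keys, records whether each value runs for the current user only (HKCU) or at every user's login (HKLM), whether it sits in the 32-bit Wow6432Node view (the 32-bit-on-64-bit case from section 1), and flags images that live in user-writable directories, where a dropped payload or stub executable would typically land. The sample export, the names VendorTray, Updater and Helper, and all paths are constructed for illustration.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed .reg export (not from the original document): two HKCU Run values and
# one HKLM value in the 32-bit Wow6432Node view. Names and paths are illustrative.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"VendorTray"="\"C:\\Program Files\\Vendor\\tray.exe\" /minimized"
"Updater"="C:\\Users\\alice\\AppData\\Roaming\\Updater\\update.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Helper"="\"C:\\ProgramData\\Helper\\stub.exe\""
'''

RUN_KEY_RE = re.compile(r"\\Windows\\CurrentVersion\\(Run|RunOnce)$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
# Directories a standard user can write to; a persistence image here deserves a look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


class RunEntry(NamedTuple):
    key: str
    name: str
    command: str


def _unescape(s: str) -> str:
    """Undo .reg string escaping: a backslash escapes the following character."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_run_entries(export: str) -> List[RunEntry]:
    """Collect REG_SZ values under Run/RunOnce keys from a .reg export."""
    entries: List[RunEntry] = []
    key: Optional[str] = None
    for raw in export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None or not RUN_KEY_RE.search(key):
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue  # blank line, comment, @= default value, or a hex: continuation line
        value = m.group(2)
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            entries.append(RunEntry(key, _unescape(m.group(1)), _unescape(value[1:-1])))
        # dword:/hex: values are not commands and are skipped
    return entries


def _image_path(command: str) -> str:
    """The program token: the quoted part if quoted, else the first whitespace token
    (an unquoted path containing spaces is ambiguous to CreateProcess as well)."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(None, 1)[0] if command.strip() else ""


def assess(entry: RunEntry) -> Dict[str, object]:
    """Describe when the entry runs and why it may deserve investigation."""
    hive = entry.key.split("\\", 1)[0].upper()
    image = _image_path(entry.command)
    reasons: List[str] = []
    if any(d in image.lower() for d in USER_WRITABLE):
        reasons.append("image in user-writable directory: " + image)
    return {
        "key": entry.key,
        "name": entry.name,
        "image": image,
        # HKCU values run when that user logs in, with that user's privileges;
        # HKLM values run at every interactive login.
        "scope": "current user at login" if hive == "HKEY_CURRENT_USER" else "every user at login",
        "arch": "32-bit" if "\\wow6432node\\" in entry.key.lower() else "native",
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


def report(export: str) -> List[Dict[str, object]]:
    return [assess(e) for e in parse_run_entries(export)]


if __name__ == "__main__":
    for r in report(SAMPLE_EXPORT):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['name']:12} {r['scope']:22} {r['arch']:7} {r['image']}")
        for why in r["reasons"]:
            print("           -", why)
```

A user-writable image path is only a triage signal; the follow-up is to confirm whether the file is signed and known, and, for a stub as in section 3.2, what it loads, since the DLL path is configured into the stub rather than visible in the run key value.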