Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//ORCON//NOFORN
1 Overview
Buffalo and Bamboo are related persistence modules that use hosted DLLs inside a Windows Service to persist a payload. Bamboo additionally uses “service hijacking” to run immediately on installation, while Buffalo requires a reboot. When a payload is chosen that uses either Buffalo or Bermuda, the module will install a stub service DLL and deploy the payload to the target.

Both Buffalo and Bamboo support 32- and 64-bit EXE, DLL, and GH1 payloads. The bitness of the stub, and of DLL and GH1 payloads, must match the target OS. A 32-bit EXE payload may be installed on a 64-bit target, but not vice versa.
2 Installation
Buffalo and Bamboo use direct registry modification to register a stub as a service DLL in the netsvcs service host. If the module fails to install the payload, it will delete any deployed components and remove the registry modifications.

Bamboo will use a service hijacking technique to run the payload immediately after installation (see section 2.2, Service Hijacking).
2.1 Configuration
Field               Default  Description
Service Name        None     Overt key value for the service stored in the registry
Service DLL Path    None     Path to the service DLL stub on the target. If the path does not exist, it is created.
Payload Path        None     Path to the payload on the target, executed by the service DLL. If the path does not exist, it is created.
Display Name        None     Overt name of the service displayed by the Windows Services MMC
Description         None     Overt description of the service displayed by the Windows Services MMC
Unhijack DLL Path   None     Path to temporary storage of the unhijacking DLL (Bamboo only)
2.2 Service Hijacking
After a service DLL is installed, it is unable to start before a reboot. A technique to start a service DLL immediately after installation is called service hijacking. In this method, an existing, but not currently running, service is temporarily hijacked to run our own stub, then reset after the stub has started.

Service hijacking begins by identifying a service DLL entry that is manual start (not automatically started on boot) and is not currently running. Registry values for the identified service are redirected to our own service DLL. When we start the hijacked service, Windows will load our own service DLL. After our service DLL is started, the registry values for the hijacked service are restored.
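Both the netsvcs registration in section 2 and the redirect-start-restore sequence in section 2.2 leave a registry trail that a defender can check for. The following detection logic is an added example, not code from the original document: it runs over constructed registry-write events (Sysmon Event ID 13 style; service names and paths are invented) and flags a ServiceDll value pointing outside the system directory, a ServiceDll rewritten to a different path shortly after a previous write, and names newly added to the netsvcs group.

```python
import re

# Hosted service DLLs normally live under the system directory; a stub deployed
# to an arbitrary "Service DLL Path" does not (assumption for this example).
SYSTEM_DIR = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)
HIJACK_WINDOW = 120  # seconds between a redirect and its restore (assumed)

def find_service_dll_anomalies(events, window=HIJACK_WINDOW):
    """events: (timestamp, service_name, value_name, data) tuples describing
    registry writes under HKLM\\SYSTEM\\CurrentControlSet\\Services\\<name>\\Parameters.
    Returns a list of (service_name, description) findings in time order."""
    findings = []
    last_dll = {}  # service -> (timestamp, ServiceDll) of the most recent write
    for ts, svc, value, data in sorted(events):
        if value != "ServiceDll":
            continue
        # Rule 1: hosted service DLL registered outside the system directory
        if not SYSTEM_DIR.match(data):
            findings.append((svc, f"ServiceDll outside System32: {data}"))
        # Rule 2: ServiceDll rewritten to a different path shortly after a
        # previous write, matching a redirect followed by a restore
        if svc in last_dll:
            prev_ts, prev_dll = last_dll[svc]
            if prev_dll.lower() != data.lower() and ts - prev_ts <= window:
                findings.append((svc, f"ServiceDll changed from {prev_dll} to "
                                      f"{data} within {ts - prev_ts}s (possible hijack)"))
        last_dll[svc] = (ts, data)
    return findings

def added_netsvcs_members(before, after):
    """Names newly appended to the netsvcs group value
    (HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost\\netsvcs)."""
    return sorted(set(after) - set(before))

# Constructed sample data: service names and paths are invented for this example.
SAMPLE_EVENTS = [
    (100, "HostedSvcA", "ServiceDll", r"C:\ProgramData\Updater\stub.dll"),
    (200, "ManualSvcB", "ServiceDll", r"C:\ProgramData\Updater\stub.dll"),
    (230, "ManualSvcB", "ServiceDll", r"C:\Windows\System32\manualsvcb.dll"),
    (500, "BenignSvcC", "ServiceDll", r"C:\Windows\System32\benignsvcc.dll"),
]
NETSVCS_BEFORE = ["BenignSvcC", "ManualSvcB"]
NETSVCS_AFTER = ["BenignSvcC", "ManualSvcB", "HostedSvcA"]

if __name__ == "__main__":
    for svc, why in find_service_dll_anomalies(SAMPLE_EVENTS):
        print(f"[{svc}] {why}")
    print("new netsvcs members:", added_netsvcs_members(NETSVCS_BEFORE, NETSVCS_AFTER))
```

On a live host the same rules can be fed from Sysmon registry events or from periodic snapshots of the Services and Svchost keys; the window and allowed directory are tuning knobs, not fixed thresholds.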