Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
Pg. 07
Boot Persistence
Issues & Concerns
The host DLL will not be signed. Due to copyright issues the host DLL will not carry a publisher name, which may cause the DLL to stand out in both the Sysinternals SigCheck and AutoRuns tools.
43. Sysinternals AutoRuns signature verification
The Sysinternals AutoRuns tool provides an option (Services tab) to display the list of all services that are registered on the system. These services include executable services and DLL-based services (hosted by SvcHost.exe). AutoRuns's default setting is to "Hide Windows Entries", which causes AutoRuns to list only third-party services, including ones from Microsoft that are not part of the Windows OS. If the user/analyst were to enable "Verify Code Signatures" and at the same time uncheck "Hide Windows Entries", the host DLL (dnsclnt.dll) will be flagged as "(Not Verified)". The following screenshot shows this feature of AutoRuns and is the impetus behind selecting DnsExt.dll instead of DnsRslvr.dll as the persistence mechanism.
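As an added example, not part of the leaked document, the following PowerShell function reproduces the AutoRuns check described above from the defender's side: it walks every svchost-hosted service, resolves its ServiceDll value and reports any DLL whose Authenticode signature does not verify, which is exactly what surfaces as "(Not Verified)" once "Hide Windows Entries" is unchecked. The function and parameter names are the example's own.

```powershell
# Added example (not from the leaked document): list svchost-hosted service DLLs
# whose signature does not verify. Run in an elevated PowerShell session.
function Get-UnverifiedServiceDll {
    [CmdletBinding()]
    param(
        # Assumption: svchost-hosted services name their DLL in Parameters\ServiceDll.
        [string]$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    )
    Get-ChildItem -Path $ServicesKey | ForEach-Object {
        $svc   = $_
        $props = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
        $image = [string]$props.ImagePath
        # Only services run inside svchost.exe host a service DLL.
        if ($image -notmatch 'svchost\.exe') { return }

        $params = Get-ItemProperty -Path "$($svc.PSPath)\Parameters" -ErrorAction SilentlyContinue
        if (-not $params -or -not $params.ServiceDll) { return }

        # ServiceDll is normally REG_EXPAND_SZ; expand %SystemRoot% and friends.
        $dll = [Environment]::ExpandEnvironmentVariables([string]$params.ServiceDll)
        if (-not (Test-Path -LiteralPath $dll)) {
            [pscustomobject]@{ Service = $svc.PSChildName; ServiceDll = $dll; Status = 'FileMissing'; Signer = $null }
            return
        }

        # On Windows 8 and later this also honours catalog signatures, so genuine
        # Windows components verify the same way AutoRuns verifies them.
        $sig    = Get-AuthenticodeSignature -LiteralPath $dll
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

        # Anything other than Valid (NotSigned, HashMismatch, UnknownError ...)
        # is what AutoRuns would show as "(Not Verified)".
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{ Service = $svc.PSChildName; ServiceDll = $dll; Status = [string]$sig.Status; Signer = $signer }
        }
    }
}

# Usage: an unsigned DLL with a Windows-looking name under System32 stands out here.
Get-UnverifiedServiceDll | Sort-Object Service | Format-Table -AutoSize
```

A missing file is reported as well, since a ServiceDll value pointing at a path that no longer exists is itself worth an analyst's attention.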