Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
Pg. 07
Boot Persistence
This persistence method relies on the fact that services of interest load support DLLs at runtime based on values stored in the registry. The service host does not necessarily validate the DLL it is told to load; this is the flaw that Athena persistence uses. One restriction is that the DNS service must have its startup type set to Automatic in the SCM. By using this host, our DLL runs as Network Service in the context of System and is granted all privileges associated with that configuration. By default, this means the Athena DLL has full access to outbound IP ports without changing firewall settings. This technique was chosen because it presents a minimal detection surface: no changes are required to the SCM (services) or to firewall settings. There is one change to the DNS Parameters registry key and two files written to disk.
Hijack DNS svchost:
  HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\extension
    %SystemRoot%\System32\Microsoft\Crypto\DNS\dnsclext.dll
  HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\ImagePath
    %SystemRoot%\system32\svchost.exe -k netsvcs
  HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\ObjectName
    LocalSystem
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
    netsvcs – insert dnscache
  Target: %SystemRoot%\System32\Microsoft\Crypto\DNS\dnsclext.dll
  Data:   %SystemRoot%\System32\codeintegrity\dns.cache

Legacy svchost (if extension does not exist):
  HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\ServiceDll
    %SystemRoot%\System32\ShellExt\dnsrslvr.dll
  HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\ImagePath
    %SystemRoot%\system32\svchost.exe -k netsvcs
  HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\ObjectName
    LocalSystem
  Target: %SystemRoot%\System32\ShellExt\dnsapi.dll
  Main:   %SystemRoot%\System32\ShellExt\dnsrslvr.dll (copy original)
  Data:   %SystemRoot%\System32\codeintegrity\dns.cache
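The same registry values are what a defender baselines. The following added example (not part of the original document) walks a flat snapshot of exported Dnscache registry values, constructed inline, and reports deviations from the stock configuration; the expected ServiceDll path is the Windows default, while treating a present `extension` value or a DLL outside System32 itself as suspicious are assumptions of this check.

```python
import ntpath

DNSCACHE = r"HKLM\SYSTEM\CurrentControlSet\Services\Dnscache"
PARAMS = DNSCACHE + r"\Parameters"
# Stock ServiceDll for Dnscache. Flagging a present `extension` value and a
# DLL that is not directly in System32 are assumptions of this check.
EXPECTED_SERVICE_DLL = r"%SystemRoot%\System32\dnsrslvr.dll"
SYSTEM32 = r"%SystemRoot%\System32"


def _norm(path: str) -> str:
    """Fold case and collapse separators so registry paths compare reliably."""
    return ntpath.normpath(path.replace("/", "\\")).lower()


def check_dnscache(snapshot: dict) -> list:
    """Return findings for a {value_path: data} snapshot of exported values."""
    findings = []
    ext = snapshot.get(PARAMS + r"\extension")
    if ext:  # assumed absent on a stock host
        findings.append(f"unexpected Parameters\\extension -> {ext}")

    svc_dll = snapshot.get(PARAMS + r"\ServiceDll")
    if svc_dll is None:
        findings.append("ServiceDll missing")
    elif _norm(svc_dll) != _norm(EXPECTED_SERVICE_DLL):
        findings.append(f"ServiceDll replaced -> {svc_dll}")

    # Both DLL values should sit directly in System32, not in a subfolder
    # such as ShellExt or Microsoft\Crypto\DNS.
    for label, dll in (("ServiceDll", svc_dll), ("extension", ext)):
        if dll and _norm(ntpath.dirname(dll)) != _norm(SYSTEM32):
            findings.append(f"{label} loads from outside System32 -> {dll}")
    return findings


# Constructed snapshots: a stock host and the two layouts listed above.
STOCK = {
    DNSCACHE + r"\ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
    PARAMS + r"\ServiceDll": EXPECTED_SERVICE_DLL,
}
EXTENSION_HIJACK = {**STOCK, PARAMS + r"\extension":
                    r"%SystemRoot%\System32\Microsoft\Crypto\DNS\dnsclext.dll"}
LEGACY_HIJACK = {**STOCK, PARAMS + r"\ServiceDll":
                 r"%SystemRoot%\System32\ShellExt\dnsrslvr.dll"}

if __name__ == "__main__":
    for name, snap in (("stock", STOCK), ("extension hijack", EXTENSION_HIJACK),
                       ("legacy hijack", LEGACY_HIJACK)):
        print(f"{name}: {check_dnscache(snap) or ['clean']}")
```

On a live host the snapshot dictionary would be filled from `reg query` output for the Dnscache key instead of the constructed literals.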