Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
Athena Progress – October 27, 2015 – 11:30am
Minutes:
1) No meeting – continuing integration
Achievements:
1) TestEngineLoop – hibernate/bootdelay/beacon/change notification/uninstall
2) TestEngineExport – failing with 700 – change path to %TEMP% - no win10 priv.
escalation
3) Added signing to tasker and parser COMM -
Athena_Crypto_Comm
4) Persistence - Win7 / XP testing
a. Dnscache =XP
i. copy dnssrslvr.dll and our host dnsapi.dll into
system32\shellext\*
b. Dnscache >Vista
i. Copy dnsclext.dll to system32\codeintegrity\dns.cache
c. Dnscache – Runtime Proceedure
i. stage1 - stop dnscache
ii. stage1 - create new netsrvc2 host (run as LocalSystem)
iii. stage1 - start dnscache
iv. stage2 - insert dnscache into netsrvc for next reboot
5) memunload – return address (account for nickname)
6) completed command feature - demo
Tasks under development:
1) Testing command integration with engine – XXXXX & XXXXX
2) setup Squid/help on proxy settings – XXXXX
3) offline lin/win installers – XXXXX
4) install & uninstall for XP / win7 - XXXXX
5) bamboo & dart configuration – XXXXX
6) Review Requirements
7) Dart Testing – XXXXX or XXXXX
Issues:
1) Should we include offset when retrieving a file(currently this is not a
requirement)?
2) When enumerating through the DNS list(currently common separated), the
specific entries are hierarchical should this be changed to RANDOM?
3) Currently, if the beacon fails, the code will attempt to retrieve the proxy
settings and store any retrieved proxy in dynamic storage. Future beacon will
use the cache to attempt to beacon first. The act of querying the proxy may
be “noisy”. Should we include an “ALLOW PROXY” build setting?