Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
________________________________________________________________________
3. (S//NF) Athena/Hera Concept of Operation (CONOP)
Figure 1 – (S//NF) Athena/Hera Concept of Operation
(S//NF) Figure 1 depicts the Athena Concept of Operation. The Athena/Hera system consists of a
Builder, Tasker, Parser, Listening Post, Installer, ramonly and offline capabilities.
(S//NF) The operator uses the Builder (builder.py) to tailor an implant for the specific
operational scenario. The operator then deploys the configured implant (Installer) on a target
computer.
(S//NF) Once activated, the Installer will modify the target registry and drop the host file
(IprCache.dll default) and data file (ras.cache default) in their specified locations. The
installation tool will restart the RemoteAccess service and launch the Athena Engine in the
netsvcs svchost.exe process. The installed tool will beacon to the Listening Post (LP) to receive
tasking.
(S//NF) The system also allows the Operator to configure certain behavior of the tool at runtime
during beacon events. The Tasker (tasker.py) is used to task the implant. The Parser
(parser.py) is used to decode the results retrieved from the Listening Post.
Note
(S//NF) The Installer must be executed as an Administrator
or any other user account with permissions to start/stop
services, modify the registry and write to the system32
directory/subdirectories.
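An added detection sketch, not part of the original guide: it correlates the install sequence described above (a file written under system32, then a RemoteAccess stop and start) per host within a time window. The event schema, sample records and full paths are constructed for illustration; only the default file names and the service name come from the text.

```python
from ntpath import basename

# Default artifact names stated in the guide; the Builder can change them,
# so they raise confidence but are not required for a match.
DEFAULT_NAMES = {"iprcache.dll", "ras.cache"}
SERVICE = "remoteaccess"

def find_install_sequences(events, window=120):
    """Correlate per host: a file written under system32, then a RemoteAccess
    stop followed by a start, all within `window` seconds of the write."""
    findings = []
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)
    for host, evs in by_host.items():
        writes = [e for e in evs if e["kind"] == "file_create"
                  and "\\system32\\" in e["target"].lower()]
        for w in writes:
            later = [e for e in evs if w["ts"] <= e["ts"] <= w["ts"] + window
                     and e["target"].lower() == SERVICE]
            stops = [e["ts"] for e in later if e["kind"] == "service_stop"]
            starts = [e["ts"] for e in later if e["kind"] == "service_start"]
            # A restart means at least one start after the earliest stop.
            if stops and any(s > min(stops) for s in starts):
                findings.append({
                    "host": host,
                    "file": w["target"],
                    "default_name": basename(w["target"]).lower() in DEFAULT_NAMES,
                })
    return findings

# Constructed sample events (hypothetical schema: ts in seconds, host, kind, target).
SAMPLE = [
    {"ts": 100, "host": "ws1", "kind": "file_create", "target": r"C:\Windows\System32\IprCache.dll"},
    {"ts": 101, "host": "ws1", "kind": "file_create", "target": r"C:\Windows\System32\ras.cache"},
    {"ts": 105, "host": "ws1", "kind": "service_stop", "target": "RemoteAccess"},
    {"ts": 107, "host": "ws1", "kind": "service_start", "target": "RemoteAccess"},
    {"ts": 200, "host": "ws2", "kind": "file_create", "target": r"C:\Windows\System32\drivers\x.dll"},
    {"ts": 900, "host": "ws2", "kind": "service_start", "target": "RemoteAccess"},
    {"ts": 300, "host": "ws3", "kind": "service_stop", "target": "RemoteAccess"},
    {"ts": 302, "host": "ws3", "kind": "service_start", "target": "RemoteAccess"},
]

if __name__ == "__main__":
    for finding in find_install_sequences(SAMPLE):
        print(finding)
```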