Vault 7: Projects

SECRET//ORCON//NOFORN
1 Overview
Netman is a persistence module that uses the Windows Network Connections
Manager Service to persist a payload. When a payload is chosen to use this
module, Netman will install a stub into the service and deploy the payload to the
target.
Netman supports 32- and 64-bit EXE, DLL, and GH1 payloads. The bitness of the
stub, and of any DLL or GH1 payload, must match the target OS. A 32-bit EXE payload
may be installed on a 64-bit target, but not vice versa.
2 Installation
Netman uses direct registry modification to register a stub DLL as a Startup DLL for
the Network Connections Manager Service. If the module fails to install the payload,
it deletes any deployed components and removes the registry modifications.
Netman can be configured to start the payload immediately by restarting the
Network Connections Manager Service using sc stop and sc start.
2.1 Configuration
The following fields are configured at build time to specify Netman's installation
behavior.
Field             Default  Description
Startup Name      None     Overt key value for the Netman Startup DLL stub stored in the registry
Startup DLL Path  None     Path to the Netman Startup DLL on target. If the path does not exist, it is created.
Payload Path      None     Path to the payload on target, executed by the Startup DLL. If the path does not exist, it is created.
Start Now         True     Whether the payload should be started immediately
3 Payload Execution
Whenever the system starts, the Network Connections Manager Service loads a
series of startup DLLs specified by a list in the registry. When the Netman stub is
loaded and executed by the service, it will inject itself into the netsvcs svchost
process. The injected stub will then start the payload. Netman supports three kinds
of payload: EXE, DLL, GH1.
3.1 EXE and DLL
If the payload is an EXE or DLL, the stub is configured with the path to the payload.
Once the stub is injected into the netsvcs svchost process, Netman will run the
payload.
If the payload is an EXE, the Netman stub will execute it with SYSTEM privileges and
terminate. If the payload is a DLL, the stub will call LoadLibrary() and begin
monitoring the payload.
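A defender-side check that follows from sections 2 and 3: an audit that walks the Network Connections Manager service's registry key and reports any string value naming a DLL that lives outside System32, is missing from disk, or lacks a valid Authenticode signature. This is an added example, not code from the document; the key path HKLM\SYSTEM\CurrentControlSet\Services\Netman and the decision to inspect every string value are assumptions, since the document does not name the key or the value that holds the startup DLL list.

```powershell
# Added audit example (not from the Netman document). Assumption: the service's
# configuration lives under the 'Netman' service key; the exact value holding the
# startup DLL list is not named in the document, so every string value is checked.
$ServiceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netman'
$System32   = Join-Path $env:SystemRoot 'System32'

function Get-SuspiciousNetmanDll {
    param([string]$Key = $ServiceKey)
    $findings = @()
    # The service key itself plus all subkeys (e.g. Parameters).
    $keys = @(Get-Item -Path $Key -ErrorAction Stop) +
            @(Get-ChildItem -Path $Key -Recurse -ErrorAction SilentlyContinue)
    foreach ($k in $keys) {
        foreach ($name in $k.GetValueNames()) {
            $kind = "$($k.GetValueKind($name))"
            if ($kind -notin @('String', 'ExpandString', 'MultiString')) { continue }
            foreach ($raw in @($k.GetValue($name))) {
                $path = [Environment]::ExpandEnvironmentVariables([string]$raw)
                if ($path -notmatch '\.dll\s*$') { continue }
                $full = try { [IO.Path]::GetFullPath($path) } catch { $path }
                # Stock service components are expected under System32 and signed.
                $inSystem32 = $full.StartsWith($System32, [StringComparison]::OrdinalIgnoreCase)
                $exists = Test-Path -LiteralPath $full
                $signed = $false
                if ($exists) {
                    $signed = (Get-AuthenticodeSignature -FilePath $full).Status -eq 'Valid'
                }
                if (-not $inSystem32 -or -not $exists -or -not $signed) {
                    $findings += [pscustomobject]@{
                        Key        = $k.Name
                        Value      = $name
                        Dll        = $full
                        InSystem32 = $inSystem32
                        Exists     = $exists
                        Signed     = $signed
                    }
                }
            }
        }
    }
    return $findings
}

Get-SuspiciousNetmanDll | Format-Table -AutoSize
```

Because the document notes that Netman may restart the service with sc stop / sc start, an unexplained stop/start of the Network Connections service in the System event log is a complementary signal to pair with this registry audit.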