Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//NOFORN
3. Delete the stub and payload executables from the filesystem.
del /F <SERVICE_PATH> <PAYLOAD_PATH>
Autonomous
Option 1: The autonomous uninstall procedure consists of the following steps:
1. Delete the payload from the filesystem while the stub is running.
When the stub detects that the payload has been deleted, it will execute the
autonomous uninstall. The stub checks for the payload every 10 seconds. The
autonomous uninstall will perform the following steps:
1. Remove the service proxy from the Windows registry and return entry to
original state.
2. Delete itself from the filesystem.
Option 2: A killfile was configured.
1. Create the killfile path on the file system.
When the stub detects that the killfile exists, it will execute the autonomous
uninstall. The stub checks for the killfile every 40 seconds. The autonomous
uninstall will perform the following steps:
1. Remove the service proxy from the Windows registry and return entry to
original state.
2. Delete itself from the filesystem.
3 Footprint
File System
- Service Stub Executable, located at a user specified location <STUB_PATH>
- Service Stub Directory, may have been created
- Payload Executable, located at <STUB_PATH>cpl.{exe|dll}
- Payload Directory, may have been created
Registry Keys
Modified
- HKLM\SYSTEM\CurrentControlSet\Services\<PROXIED_SERVICE_NAME>\Parameters
Modified (during hijack)
- HKLM\SYSTEM\CurrentControlSet\Services\<HIJACKED_SERVICE>\Parameters\ServiceDll
- HKLM\SYSTEM\CurrentControlSet\Services\<HIJACKED_SERVICE>\Parameters\ServiceDllUnloadOnStop
Testing Observation
During automated testing on some Kaspersky boxes, when the service path was
configured to a file in window/temp and LanmanServer was the proxied service, a
popup would occur identifying the Grasshopper as a Trojan. This did not occur
for other service paths or services. If the temp path was needed for the
service, the -d/--disallowed parameter could be used to prevent LanmanServer
usage.
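The footprint above (a ServiceDll value under a service's Parameters key, optionally with ServiceDllUnloadOnStop) and the testing observation (a service DLL placed in a temp directory) describe what a defender would look for when auditing service hosts. The following is an added example, not code from the original document or from the Grasshopper tool, that scans the text output of `reg query HKLM\SYSTEM\CurrentControlSet\Services /s` and flags ServiceDll values that are not under System32 or that sit in a temp directory. The registry export embedded in the block is constructed for the example; the service name ExampleSvc and its DLL path are placeholders, not indicators from the page.

```python
import re
from typing import Dict, List

# Constructed sample of `reg query HKLM\SYSTEM\CurrentControlSet\Services /s`
# output, trimmed to the Parameters subkeys that matter. The first two entries
# mirror normal svchost-hosted services; the third (ExampleSvc) is an invented
# placeholder with a DLL under Windows\Temp, the pattern the document notes.
SAMPLE_REG_EXPORT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\srvsvc.dll
    ServiceDllUnloadOnStop    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\browser.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\Windows\Temp\stubsvc.dll
    ServiceDllUnloadOnStop    REG_DWORD    0x1
"""

# Directory a legitimate service DLL is expected to live in (assumption for
# this example; a real baseline would be built from a known-good host).
EXPECTED_DLL_DIRS = ("c:\\windows\\system32\\",)
# Path fragments that indicate a temp location, as in the testing observation.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Map each key path in a reg.exe text export to its {value name: data}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.upper().startswith("HKEY_"):
            current = line
            keys[current] = {}
            continue
        if current is None:
            continue
        # reg.exe separates name, type and data with runs of spaces.
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(parts) == 3:
            name, _type, data = parts
            keys[current][name] = data
    return keys


def normalize_path(path: str) -> str:
    """Expand the %SystemRoot%/%windir% forms seen in ServiceDll and lowercase."""
    p = path.strip().strip('"')
    p = re.sub(r"%systemroot%", r"C:\\Windows", p, flags=re.IGNORECASE)
    p = re.sub(r"%windir%", r"C:\\Windows", p, flags=re.IGNORECASE)
    return p.lower()


def audit_service_dlls(text: str) -> List[dict]:
    """Return one finding per service whose ServiceDll looks out of place."""
    findings = []
    for key, values in parse_reg_export(text).items():
        dll = values.get("ServiceDll")
        if dll is None:
            continue
        service = key.split("\\")[-2]  # ...\Services\<name>\Parameters
        path = normalize_path(dll)
        reasons = []
        if not path.startswith(EXPECTED_DLL_DIRS):
            reasons.append("ServiceDll outside System32")
        if any(marker in path for marker in TEMP_MARKERS):
            reasons.append("ServiceDll under a temp directory")
        if reasons:
            findings.append({
                "service": service,
                "dll": dll,
                "reasons": reasons,
                # Recorded because the document lists this value among the
                # keys touched during a hijack; on its own it is not suspicious.
                "unload_on_stop": "ServiceDllUnloadOnStop" in values,
            })
    return findings


if __name__ == "__main__":
    for f in audit_service_dlls(SAMPLE_REG_EXPORT):
        print(f["service"], f["dll"], "; ".join(f["reasons"]),
              "(UnloadOnStop set)" if f["unload_on_stop"] else "")
```

On a live host the same checks can be run against the output of `reg query HKLM\SYSTEM\CurrentControlSet\Services /s` saved to a file, or against an offline SYSTEM hive once it has been exported to the same text form. Because the stub deletes itself and restores the registry entry on autonomous uninstall, a finding here is only useful while the proxy is in place; after uninstall the file system locations listed under Footprint are what remain to examine.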
