Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//NOFORN
________________________________________________________________________
File System Modification | Location | Configuration Item | Description
--- | --- | --- | ---
None | SYSTEM\CurrentControlSet\services\RemoteAccess\RouterManagers\Ip | GlobalInfo = <BINARY DATA> | (Windows 10 only) Used by RemoteAccess service
None | SYSTEM\CurrentControlSet\services\RemoteAccess\RouterManagers\Ip | ProtocolId = 0x00000021 | (Windows 10 only) Used by RemoteAccess service
4.2 (S//NF) Hera
(S//NF) Hera is a secondary implementation for Windows 8 through Windows 10. The output receipt file will contain a special key <BRAVO>1</BRAVO> in the XML file. This implementation uses the Dnscache service for persistence, BZIP2 for compression and AES 256 for encryption on disk.
4.2.1 (S//NF) On-Target Footprint
(S//NF) The Hera implant is compliant with the NOD Persistence Specification for persistent DLLs and provides its own persistence mechanism. Hera will be hosted by the DNSClient service. There is an external DLL that this service will load that is not a service DLL.
Table 4 - (U) Installed File and Registry Resources

File System Modification | Location | Configuration Item | Description
--- | --- | --- | ---
%SystemRoot%\System32\Microsoft\Crypto\DNS\dnscache.dll | | TARGET_FILENAME | The overt target file location on disk that is referenced by the Dnscache service.
%SystemRoot%\System32\CodeIntegrity\dns.cache | | DATA_FILENAME | The overt data file location on disk that contains the package file (config, engine, etc.).
| SYSTEM\CurrentControlSet\Services\Dnscache | Start = 2; Type = 20; Parameters\extension | This overt registry entry forces the Dnscache service to load the target DLL before loading the true support DLL.
| SYSTEM\CurrentControlSet\Services\Dnscache | ImagePath = %SystemRoot%\system32\svchost.exe -k netsvcs |
| SYSTEM\CurrentControlSet\Services\Dnscache | ObjectName = LocalSystem |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost | Netsvcs | Ensure that the dnscache service is included on the list of netsvcs.
4.2.2 (U) Installation Notes
(S//NF) The installation will hijack the Dnscache service. On Windows 7 and 8, this service is running in a netsvcs instance by default, but on Windows 8.1 and Windows 10 this service runs as NetworkService. The NetworkService user context has reduced security capability on the system. Due to the svchost implementation, the service will only run in the netsvcs context at next reboot. To account for this deficiency and still provide immediate execution after installation, the existing service will run as NetworkService until next reboot, at which time the System user netsvcs will be engaged.
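As an added defender's check that is not part of the original document, the following PowerShell script audits a host for the Dnscache footprint listed in Table 4 and the run-as behaviour described in 4.2.2. The overt file paths, the Parameters\extension value, the LocalSystem ObjectName, the -k netsvcs ImagePath and the netsvcs group membership are taken from the table; the Microsoft-signature check on the loaded DLLs and the function names (Get-RegValue, Test-SignedByMicrosoft) are this example's own assumptions. On Windows 7 and 8 the netsvcs-related findings are expected by default (section 4.2.2), so interpret them against the host's OS version, which the script prints first.

```powershell
# Added example, not part of the original document: read-only audit of the
# Dnscache (DNS Client) service configuration against Table 4 / section 4.2.2.
# Run from an elevated PowerShell prompt; it only reports, never modifies.

$svcKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache'
$paramKey   = "$svcKey\Parameters"
$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'

# Overt file locations named as TARGET_FILENAME and DATA_FILENAME in Table 4.
$overtFiles = @(
    "$env:SystemRoot\System32\Microsoft\Crypto\DNS\dnscache.dll",
    "$env:SystemRoot\System32\CodeIntegrity\dns.cache"
)

$findings = New-Object System.Collections.Generic.List[string]

function Get-RegValue {
    # Returns a registry value, or $null when the key or value is absent.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-SignedByMicrosoft {
    # Assumed baseline: a DLL loaded by Dnscache should carry a valid
    # Authenticode signature from Microsoft. Adjust to your own policy.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($sig.Status -eq 'Valid' -and
            $sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')
}

$os = Get-CimInstance Win32_OperatingSystem
Write-Host "Host: $env:COMPUTERNAME  OS: $($os.Caption) $($os.Version)"

# 1. The overt files from Table 4 have no reason to exist on a clean host.
foreach ($f in $overtFiles) {
    if (Test-Path -LiteralPath $f) { $findings.Add("Overt file present: $f") }
}

# 2. Service account: 4.2.2 says Dnscache runs as NetworkService on
#    Windows 8.1/10, while Table 4 sets ObjectName = LocalSystem.
$objectName = Get-RegValue $svcKey 'ObjectName'
if ($objectName -eq 'LocalSystem') {
    $findings.Add("Dnscache ObjectName = LocalSystem (NetworkService expected on 8.1/10)")
}

# 3. Host process group: Table 4 moves the service into the netsvcs group.
$imagePath = Get-RegValue $svcKey 'ImagePath'
if ($imagePath -match '-k\s+netsvcs') {
    $findings.Add("Dnscache ImagePath uses -k netsvcs: $imagePath")
}

# 4. Parameters\extension is the overt entry that makes the service load the
#    target DLL before its real support DLL; a clean host has no such value.
$extension = Get-RegValue $paramKey 'extension'
if ($null -ne $extension) {
    $findings.Add("Parameters\extension is set: $extension")
    $extPath = [Environment]::ExpandEnvironmentVariables([string]$extension)
    if (-not (Test-SignedByMicrosoft $extPath)) {
        $findings.Add("Extension DLL is not Microsoft-signed: $extPath")
    }
}

# 5. Whatever ServiceDll the service loads should also be Microsoft-signed.
$serviceDll = Get-RegValue $paramKey 'ServiceDll'
if ($serviceDll) {
    $dllPath = [Environment]::ExpandEnvironmentVariables([string]$serviceDll)
    if (-not (Test-SignedByMicrosoft $dllPath)) {
        $findings.Add("ServiceDll is not Microsoft-signed: $dllPath")
    }
}

# 6. Membership in the Svchost\netsvcs group list (last row of Table 4).
$netsvcs = Get-RegValue $svchostKey 'netsvcs'
if ($netsvcs -contains 'Dnscache') {
    $findings.Add("Dnscache is listed in Svchost\netsvcs")
}

if ($findings.Count -eq 0) {
    Write-Host 'No Hera-style Dnscache indicators found.'
} else {
    Write-Host "$($findings.Count) finding(s):"
    $findings | ForEach-Object { Write-Host " - $_" }
}
```

The script deliberately reports rather than remediates: a hijacked service DLL is best handled by imaging the host first, and a single finding such as netsvcs membership is normal on older Windows versions, so the output is meant to be read alongside the OS version line and the host's known baseline.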