Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
Elsa User Manual.doc
SECRET//NOFORN
4) You should now see rundll32.exe running in the task manager, and the Elsa DLL
loaded into it, using the tasklist /m <dll name> command
5.4 (S) AppInit Mode Installation
(S) In AppInit mode the tool is added to the registry AppInit_DLLs key. Many processes
check this key and automatically load whatever DLLs are listed there. Elsa is configured to
verify which process is trying to load it, and only completes loading when the desired
process is found. The AppInit mode results in the tool being injected into a legitimate
Windows process, which can reduce its profile in the task manager.
(S) The Microsoft whitepaper, “AppInit DLLs in Windows 7 and Windows Server 2008
R2” gives a good description of the recent changes to AppInit DLLs. Specifically, these
DLLs can require signing with valid certificates. In Windows 7 this is turned off by
default and on Windows Server 2008 R2 this is turned on by default. In Windows 2000
SP4, the AppInit technique is not supported. In Windows 8, AppInit is disabled when
secure boot is enabled. In these scenarios using an alternate installation mode is
recommended.
(S) The ‘LoadAppInit_DLLs’ value must be set to 1 to turn on AppInit behavior in
Windows. The AppInit_DLLs registry value is located in the
HKEY_LOCAL_MACHINE hive at the ‘\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Windows’ subkey. Add the client DLL to the AppInit_DLLs registry value. If
another DLL already appears at that location, use a space or comma as a delimiter to append the
short file name for the client DLL to the entry. If ‘RequireSignedAppInit_DLLs’ is
set to 1 then Windows is configured to run only signed AppInit DLLs. The DLL must either
be signed or this setting must be turned off.
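As an added defender-side example (not part of the Elsa manual or its tooling): a PowerShell audit that reads the three registry values described above, splits the AppInit_DLLs list on the space/comma delimiters the manual mentions, and checks whether each listed DLL carries a valid Authenticode signature. The WOW6432Node path and the directories used to resolve bare file names are assumptions.

```powershell
# Added audit script (not from the Elsa manual). Run elevated on Windows.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    # Assumption: 32-bit view of the same key on 64-bit hosts
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    $load  = [int]$props.LoadAppInit_DLLs          # 1 = AppInit loading enabled
    $req   = [int]$props.RequireSignedAppInit_DLLs # 1 = only signed DLLs load
    $list  = [string]$props.AppInit_DLLs

    Write-Host "== $key"
    Write-Host ("LoadAppInit_DLLs={0}  RequireSignedAppInit_DLLs={1}" -f $load, $req)
    if ($load -eq 1 -and $req -ne 1) {
        Write-Warning 'AppInit loading is enabled and unsigned DLLs are permitted.'
    }

    # The manual notes entries are separated by spaces or commas; split on both.
    $entries = @($list -split '[ ,]+' | Where-Object { $_ -ne '' })
    if ($entries.Count -eq 0) { Write-Host 'AppInit_DLLs is empty.'; continue }

    foreach ($entry in $entries) {
        # Entries may be short (8.3) names or bare file names; try the usual
        # search directories (assumption) before giving up.
        $resolved = $null
        foreach ($dir in @("$env:SystemRoot\System32", $env:SystemRoot)) {
            $candidate = Join-Path $dir $entry
            if (Test-Path $candidate) { $resolved = (Get-Item $candidate).FullName; break }
        }
        if (-not $resolved -and (Test-Path $entry)) { $resolved = (Get-Item $entry).FullName }
        if (-not $resolved) {
            Write-Warning "AppInit entry '$entry' could not be resolved on disk; review manually."
            continue
        }

        # Authenticode check mirrors what RequireSignedAppInit_DLLs=1 would enforce.
        $sig = Get-AuthenticodeSignature -FilePath $resolved
        Write-Host ("  {0} -> {1} [{2}]" -f $entry, $resolved, $sig.Status)
        if ($sig.Status -ne 'Valid') {
            Write-Warning "Review '$resolved': AppInit DLL without a valid signature."
        }
    }
}
```

For ongoing monitoring rather than a point-in-time audit, changes to these values can be watched with Sysmon registry value-set events (Event ID 13) scoped to the CurrentVersion\Windows key.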
Figure 13 - (S) RegEdit Installation
(S) The REG Windows utility can be used to install the client. As the key is part of
HKLM, this operation requires elevated Administrator privileges and should be done at