Vault 7: Projects

Elsa User Manual.doc
SECRET//NOFORN
an elevated prompt. The following commands turn on the Windows AppInit flag (LoadAppInit_DLLs) and set the path for the client DLL; they can be used instead of the regedit GUI:
> reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v LoadAppInit_DLLs /t REG_DWORD /d 1 /f
> reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs /t REG_SZ /d "C:\elsa.dll" /f
Figure 14 - (S) REG Installation Commands
Figure 15 - (S) AppInit Installation Example
(S) In AppInit mode, Windows attempts to load the DLL into every process that loads USER32. The tool relies on the TargetProcess setting to determine when to begin execution, which also controls the tool's life cycle. When loaded into a process whose name matches, the tool creates a thread and begins its operation; if the process name does not match, the tool unloads itself from that process. If multiple instances of the target process are launched, only the first one contains the tool: the tool creates a global event named from the GUID configuration option in order to detect previously running instances. This GUID signature can be changed with the PATCHER tool.
(S) Some Anti-Virus (AV) suites such as Kaspersky and Rising protect critical system processes such as SERVICES.EXE and WINLOGON.EXE from AppInit DLL injection. These suites may still allow injection into non-critical and 3rd-party (non-Windows) processes. Deploying ELSA to such systems requires careful system survey, targeting, and/or a cover application for processes vulnerable to this type of injection.
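The registry values written by the REG commands above are also the place a defender looks for this class of persistence. The following PowerShell audit is an added example written for this page, not part of the ELSA manual or the tool's own code. It reads both the native view of the key and the Wow6432Node view (on 64-bit Windows, 32-bit processes read the latter, so an implant aimed at 32-bit targets is registered there), lists every DLL named in AppInit_DLLs, and flags entries that are missing, unsigned, or located outside the Windows directory. The output field names and the "Suspicious" heuristic are this example's own choices. Two caveats the manual does not mention: RequireSignedAppInit_DLLs is only present on Windows 7 and later, and on Windows 8 and later the AppInit_DLLs mechanism is disabled entirely when Secure Boot is enabled, so a value of 1 in LoadAppInit_DLLs does not by itself prove injection is occurring.

```powershell
# AppInit_DLLs audit (added example). Run from an elevated PowerShell prompt.
# Reports both registry views of the key that the manual's "reg add" commands
# write to, and evaluates each configured DLL.

$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',              # 64-bit view
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'   # 32-bit view on x64
)

function Get-AppInitAudit {
    foreach ($key in $AppInitKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key

        # LoadAppInit_DLLs: 1 = loader honours AppInit_DLLs, 0/absent = ignored.
        $load = [int]$props.LoadAppInit_DLLs
        # RequireSignedAppInit_DLLs may be absent on older builds; keep it as-is.
        $requireSigned = $props.RequireSignedAppInit_DLLs

        # AppInit_DLLs is a space- or comma-separated list of DLL paths.
        $dlls = @()
        if ($props.AppInit_DLLs) {
            $dlls = @($props.AppInit_DLLs -split '[ ,]+' | Where-Object { $_ })
        }

        if ($dlls.Count -eq 0) {
            [pscustomobject]@{
                Key = $key; LoadAppInit_DLLs = $load; RequireSignedDLLs = $requireSigned
                Dll = '<none>'; Exists = $null; Signature = $null; Suspicious = $false
            }
            continue
        }

        foreach ($dll in $dlls) {
            # A bare file name (no directory) is resolved by the loader's DLL
            # search order; this audit only checks the path as written.
            $exists = Test-Path -LiteralPath $dll -PathType Leaf
            $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status.ToString() }
                   else { 'FileMissing' }
            $inWinDir = $dll -like "$env:SystemRoot\*"

            [pscustomobject]@{
                Key               = $key
                LoadAppInit_DLLs  = $load
                RequireSignedDLLs = $requireSigned
                Dll               = $dll
                Exists            = $exists
                Signature         = $sig
                # Heuristic: injection is enabled AND the DLL is either outside
                # %SystemRoot% or not validly signed (the manual's C:\elsa.dll
                # would trip both conditions).
                Suspicious        = ($load -eq 1) -and ((-not $inWinDir) -or ($sig -ne 'Valid'))
            }
        }
    }
}

Get-AppInitAudit | Format-Table -AutoSize
```

For continuous monitoring rather than a point-in-time audit, the same two registry paths are a natural target for a Sysmon registry rule (value-set events, Event ID 13), which would capture the exact REG commands shown above at the moment they run.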
(S) AppInit mode procedures can also be useful for installing the tool when the run mode is not AppInit. For example, the operator may elect to have ELSA run as a service DLL but install it as an AppInit-injected DLL from inside the 'calc.exe' process. To do this the operator would configure SvcHost mode and set the InstallFromProcess option, described below, to target 'calc.exe'.
6. (S) Persistence and Concealment