Vault7: CIA Hacking Tools Revealed
Group Policy Startup Script (PSEDStartupScript_LDGR - Ledger)
SECRET//NOFORN
OSB Library: Persistence Library
Module Name: PSEDStartupScript_LDGR - Ledger
Module Description: This module creates and edits HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy and INI files under C:\Windows\System32\GroupPolicy\* to set a Startup Script. Startup Scripts run on boot and are often used for virus definition updates or
PSP/OS Issues: Windows 7+
Sharing Level: Unilateral
Technique Origin: In-house (Group Policy Objects can be set through gpedit.msc and are often used for virus definition updates, and mapping network drives for users)
Notes:
- When removing persistence, any command being persisted with the same command/argument pair will be deleted
- Works on Windows 7+
- Modifies the registry and INI files in C:\Windows\System32\GroupPolicy
- When added to the list of Startup Scripts, the command is added to the end of the list
- When Startup Scripts are removed, any commands after the removed command get moved up (i.e. will maintain integrity of the script order)
- Always sets a Startup Script (no logon, logoff, or shutdown support)
- Supports installing from a 32-bit application on a 64-bit OS
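The two locations the module is described as touching (the machine startup-script registry keys and scripts.ini) are also where a defender would look for it. The following audit script is an added example, not code from the page or from the module: it walks the Group Policy\Scripts\Startup registry tree (and the State copy Windows keeps beside it) and parses the local scripts.ini, then lists every configured machine startup script in its GPO order. It assumes the standard Windows paths, a UTF-16 scripts.ini (the default, which Get-Content detects by its BOM), and an elevated PowerShell session.

```powershell
# Added example (not from the Vault7 page or the Ledger module): enumerate machine
# startup scripts from the registry and from scripts.ini and print them in GPO order.
# Assumes default Windows paths and that the shell runs as Administrator.

$regRoot   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup'
$stateRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup'
$iniPath   = Join-Path $env:SystemRoot 'System32\GroupPolicy\Machine\Scripts\scripts.ini'

function Get-RegistryStartupScripts {
    param([string]$Root)
    if (-not (Test-Path $Root)) { return @() }
    # Layout: <Root>\<GPO index>\<script index>; the GPO key carries DisplayName,
    # each script key carries Script and Parameters. Lower script index runs first.
    foreach ($gpo in Get-ChildItem $Root) {
        $gpoName = (Get-ItemProperty $gpo.PSPath).DisplayName
        foreach ($entry in Get-ChildItem $gpo.PSPath | Sort-Object { [int]$_.PSChildName }) {
            $v = Get-ItemProperty $entry.PSPath
            [pscustomobject]@{
                Source     = $Root
                Gpo        = $gpoName
                Order      = [int]$entry.PSChildName
                Script     = $v.Script
                Parameters = $v.Parameters
            }
        }
    }
}

function Get-IniStartupScripts {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return @() }
    # scripts.ini holds a [Startup] section with numbered "<n>CmdLine=" / "<n>Parameters=" lines.
    $section = ''
    $table = @{}
    foreach ($line in Get-Content $Path) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -ne 'Startup') { continue }
        if ($line -match '^(\d+)(CmdLine|Parameters)=(.*)$') {
            $i = [int]$Matches[1]
            if (-not $table.ContainsKey($i)) { $table[$i] = @{} }
            $table[$i][$Matches[2]] = $Matches[3]
        }
    }
    foreach ($i in ($table.Keys | Sort-Object)) {
        [pscustomobject]@{
            Source     = $Path
            Gpo        = 'Local Group Policy'
            Order      = $i
            Script     = $table[$i]['CmdLine']
            Parameters = $table[$i]['Parameters']
        }
    }
}

$all = @(Get-RegistryStartupScripts $regRoot) +
       @(Get-RegistryStartupScripts $stateRoot) +
       @(Get-IniStartupScripts $iniPath)

if ($all.Count -eq 0) {
    Write-Output 'No machine startup scripts configured.'
} else {
    $all | Format-Table Source, Gpo, Order, Script, Parameters -AutoSize
}
```

On a workstation that receives no domain startup scripts, any row at all deserves a second look; on a domain member, compare each Script and Parameters pair against what gpresult or the domain GPOs actually deliver, since an entry written directly into these locations has no corresponding policy object behind it.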
Module Specific Structures:
static struct LEDGER
{
WCHAR *wcArgs; //The arguments to be passed to the executable
};
static struct LEDGER_REMOVE
{
WCHAR *wcTargetPath; //The command being persisted (same value passed to PersistPayload)
WCHAR *wcArgs; //The arguments being persisted; all entries matching this command/argument pair are removed
};
Example Code:
//wcCommand and wcParameters are supplied by the caller: the full path of the
//executable to persist and the argument string it should receive
IPersistence *pPersist = new PSEDStartupScript_LDGR();
//Setup argument structures
LEDGER lArgs;
lArgs.wcArgs = NULL; //No arguments for the persisted command
LEDGER_REMOVE lRemove;
lRemove.wcArgs = wcParameters;
lRemove.wcTargetPath = wcCommand;
//Persist command (appended to the end of the Startup Script list)
PersistErr pErr = pPersist->PersistPayload(wcCommand, &lArgs);
//Remove Persistence (later entries are renumbered to keep the script order intact)
pErr = pPersist->RemovePersistence(&lRemove);
delete pPersist;