Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
1 Concept of Operations
An operator uses Grasshopper to build a custom installation executable, execute
that installation executable on a target computer, and (optionally) decode the
results of that execution.
Build
An operator uses the Grasshopper builder to construct a custom installation
executable.
The operator configures an installation executable to install one or more payloads
using a variety of techniques. Each payload installer is built from individually
configured components that implement part of the installation procedure.
The operator may designate that installation is contingent on the evaluation of the
target environment. Target conditions are described using a custom rule language.
The operator may configure the tool to output a log file during execution for later
exfiltration.
Execute
An operator runs the installation executable on a target computer running a
Microsoft Windows operating system. The installation executable should be loaded
into and executed solely within memory.
The operator is responsible for selecting the appropriate method for gaining
on-target execution for the configured Grasshopper tool.
If the executable has output a log file, the operator collects it from the filesystem for
later analysis.
Decode
An operator decodes the runtime-generated log file to evaluate detailed execution
results.
The execution log stores result codes from each installer component and facts
evaluated as part of the target environment validation process.