Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
UNCLASSIFIED//FOUO
Questions
4.5.1.2/4.5.2.2 – does incremental file upload mean that there is a max upload size per beacon? Or is this simply an ability to restart where it left off?
4.5.1.7&8 – non-blocking exfil – does this mean we should support multiple file/command transfer threads/connections on target (alternatively, a single thread/connection would mean blocking?)
4.10.2.3 – can we harvest the proxy credentials during install? Just address and port of base or do we also need to drill down to advanced settings within IE?
4.10.2.6 – can we harvest the user agent string during install?
4.10.7.5 – is asymmetric the right word here – meaning RSA instead of AES 256?
4.13.1.1.1 – if we are running as system does Athena still need to support launching as the current user, or can we only support this when run within a user context?
4.13.1.1.2 – The dynamic loading of a static/non-dynamic exe is problematic in the address space of the existing host application. If the exe is dynamic, it may still fail depending on import dependencies. This requirement cannot be performed without restricting the exe to ones that have been tested with the framework. My initial guess is that there would be a very small number of off-the-shelf tools that would work. (NOTE: I have tested psexec.exe and this tool would fail without creating an application execution virtualization environment custom to the executable in question.)
4.13.2.1 – does this mean we need to create the following deliverables?
  installer.exe/installer.dll/installer.bin
  run.exe/run.dll/run.bin – non-persistent (everything occurs in RAM)
4.16.6 – can we use UTF8 internally (python) and convert this to unicode/expanded on target?
4.17.1 – can we use python bottle (Apache supported WSGI framework) instead of CGI on linux LP?
4.19 – Does this mean you want 4 deliverables (which linux distro?)
  offline_win_x86.exe/offline_win_x64.exe/offline_linux_x86/offline_linux_x64
4.19.1 – Note: we will not be able to support encrypted or BIOS-locked systems.
4.19.2.1 – can we use Bart PE? Will customer give us a Windows Server 2003 Standard Edition or Win XP SP3 installation disk to use for hosting the PE image? (licensing issue)
4.19.2.2 – what linux OS (Ubuntu/CentOS) did you want us to target? Can we use tinycore (10MB)?
4.19.2.2 – will customer be supplying a windows registry library for linux or do we use hivexsh, etc.?
Command Question:
What is the idea behind pre/post execution delay – instead of just an inter-command delay?
Exec: