Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
Host: (user-configured domain beacon names)
Connection: keep-alive (default)
Cache-Control: private, no-cache, no-store, max-age=0\r\n (default)
Cookie: session-id= (default parent ID and generated child ID masked with a generated key)
5.3.3 (U) Data Formatting
(S//NF) Before being sent back to the LP, the data undergoes the following transformations:
• Data hash is computed using zlib adler32
• Data is zlib compressed
• Data is RSA encrypted
• Data hash is appended to the data
• Data signed digest is appended to the data
• Masked parent and child ID are appended to the data
5.3.4 (U) Communications Settings
(S//NF) The connection logic to the LP takes into account the user-configured proxy, IE proxy, WPAD proxy, and direct connection. The CommMod will save any proxy information that was found and send it back to the LP for later use. The CommMod tries the connection settings in the following order:
1. User configured Proxy settings
2. Direct Connection
3. IE previously saved Proxy settings
4. WPAD previously saved Proxy settings
5. Try the IE Proxy. If it is a new proxy setting then it will be saved for future use and sent back to the LP.
6. Try the WPAD Proxy. If it is a new proxy setting then it will be saved for future use and sent back to the LP.
6. (U) Builder
(S//NF) Some general usage comments are presented below:
• Any default value (e.g., [bracketed text]) is either randomly generated or a suggestion; using the same value on multiple operations without modification may present a signature that could identify the presence of Athena in a network.
• The word 'overt' in a prompt for configuration information indicates the information will be visible to a user logged on to the target machine. Care should be taken to ensure these values are consistent with the operational CONOP.
• Configuration settings that can be modified when the implant is on target are indicated in the prompt text.
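The document itself notes that default values left unchanged become a signature, and the header list in 5.3.2 above gives the CommMod's default beacon headers. As an added defender-side example (not code from the document), the Python below parses raw HTTP requests and reports which of those documented defaults a request still carries; the sample requests, the placeholder Host value and the cookie value are constructed.

```python
import re

# Default beacon header values documented for Athena's CommMod (header list
# in 5.3.2 above). Left unchanged across operations they form a fingerprint.
ATHENA_DEFAULTS = {
    "connection": "keep-alive",
    "cache-control": "private, no-cache, no-store, max-age=0",
}
DEFAULT_COOKIE_NAME = "session-id"

def _norm(value: str) -> str:
    # lowercase and drop all whitespace so spacing variants compare equal
    return re.sub(r"\s+", "", value.lower())

def parse_headers(raw_request: str) -> dict:
    """Parse the header block of a raw HTTP request into a lowercase-keyed dict."""
    headers = {}
    for line in raw_request.split("\r\n")[1:]:  # skip the request line
        if not line:                             # blank line ends the headers
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def cookie_names(cookie_header: str) -> list:
    """Return the cookie names carried in a Cookie header value."""
    return [p.split("=", 1)[0].strip() for p in cookie_header.split(";") if p.strip()]

def athena_indicators(raw_request: str) -> list:
    """Name the documented Athena defaults this request still carries."""
    headers = parse_headers(raw_request)
    hits = [n for n, d in ATHENA_DEFAULTS.items() if _norm(headers.get(n, "")) == _norm(d)]
    if DEFAULT_COOKIE_NAME in cookie_names(headers.get("cookie", "")):
        hits.append("cookie")
    return hits

def is_athena_like(raw_request: str) -> bool:
    """Flag only when the rarer indicators co-occur; keep-alive alone is ubiquitous."""
    hits = athena_indicators(raw_request)
    return "cache-control" in hits and "cookie" in hits

# Constructed sample traffic (not from the document): one request built from the
# defaults with a placeholder Host, one ordinary browser request.
SUSPECT_REQUEST = ("GET /index.html HTTP/1.1\r\nHost: beacon-domain.invalid\r\n"
                   "Connection: keep-alive\r\nCache-Control: private, no-cache, no-store, max-age=0\r\n"
                   "Cookie: session-id=3f9a1c7e2b\r\n\r\n")
BENIGN_REQUEST = ("GET /news HTTP/1.1\r\nHost: www.example.com\r\n"
                  "Connection: keep-alive\r\nCache-Control: max-age=0\r\n"
                  "Cookie: sid=abc123; theme=dark\r\n\r\n")
```

Running `athena_indicators` on a proxy or web-server request log gives the per-request match list; `is_athena_like` deliberately ignores the `keep-alive` match on its own because nearly every browser sends it.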
6.1 (U) Usage
(S//NF) This section contains information for configuring an implant. Figure 9 below shows the command line options for the Builder.