Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//NOFORN
Host: (user-configured domain beacon names)
Connection: keep-alive (default)
Cache-Control: private, no-cache, no-store, max-age=0\r\n (default)
Cookie: session-id= (default parent ID and generated child ID masked with a generated key)
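The default header values in the table above are the kind of fixed profile the Builder section later warns about: left unmodified, they form a signature. As an added defender-side example (not part of the original document), the following Python flags HTTP requests that carry all three defaults together. The request samples are constructed, not captured traffic, and a match on defaults alone is a weak indicator because every value is user-configurable.

```python
# Default CommMod header values quoted in the table above (Athena user guide).
DEFAULT_CACHE_CONTROL = {"private", "no-cache", "no-store", "max-age=0"}


def parse_headers(raw: str) -> dict:
    """Parse a raw HTTP request head into a dict keyed by lower-cased header name."""
    headers = {}
    for line in raw.split("\r\n")[1:]:  # skip the request line
        if not line.strip():
            break  # end of the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def cache_control_directives(value: str) -> set:
    """Split a Cache-Control value into a normalised set of directives."""
    return {d.strip().lower() for d in value.split(",") if d.strip()}


def cookie_names(value: str) -> set:
    """Return the cookie names present in a Cookie header, in any order."""
    return {c.partition("=")[0].strip() for c in value.split(";") if c.strip()}


def matches_default_profile(headers: dict) -> bool:
    """True only when all three default header values appear together."""
    if headers.get("connection", "").lower() != "keep-alive":
        return False
    if cache_control_directives(headers.get("cache-control", "")) != DEFAULT_CACHE_CONTROL:
        return False
    return "session-id" in cookie_names(headers.get("cookie", ""))


def scan(requests: list) -> list:
    """Return the indexes of the requests that match the default profile."""
    return [i for i, raw in enumerate(requests) if matches_default_profile(parse_headers(raw))]


# Constructed sample requests (hostname is a placeholder, not from the document).
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: example.invalid\r\nConnection: keep-alive\r\n"
    "Cache-Control: private, no-cache, no-store, max-age=0\r\nCookie: session-id=abc\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: example.invalid\r\nConnection: keep-alive\r\n"
    "Cache-Control: no-cache\r\nCookie: session-id=abc\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: example.invalid\r\nConnection: close\r\n"
    "Cache-Control: private, no-cache, no-store, max-age=0\r\nCookie: foo=1; session-id=x\r\n\r\n",
]

if __name__ == "__main__":
    print(scan(SAMPLE_REQUESTS))  # [0]
```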
5.3.3 (U) Data Formatting
(S//NF) Before being sent back to the LP, the data undergoes the following transformations:
1. Data hash is computed using zlib adler32
2. Data is zlib compressed
3. Data is RSA encrypted
4. Data hash is appended to the data
5. Data signed digest is appended to the data
6. Masked parent and child ID are appended to the data
5.3.4 (U) Communications Settings
(S//NF) The connection logic to the LP takes into account the user-configured proxy, the IE proxy, the WPAD proxy, and a direct connection. The CommMod will save any proxy information it finds and send it back to the LP for later use. The CommMod will try the connection settings in the following order:
1. User configured Proxy settings
2. Direct Connection
3. IE previously saved Proxy settings
4. WPAD previously saved Proxy settings
5. Try the IE Proxy. If it is a new proxy setting then it will be saved for future use and sent back to the LP.
6. Try the WPAD Proxy. If it is a new proxy setting then it will be saved for future use and sent back to the LP.
6. (U) Builder
(S//NF) Some general usage comments are presented below:
Any default value (e.g., [bracketed text]) is either randomly generated or a suggestion, and its use on multiple operations without modification may present a signature that could identify the presence of Athena in a network.
The word 'overt' in a prompt for configuration information indicates that the information will be visible to a user logged on to the target machine. Care should be taken to ensure these values are consistent with the operational CONOP.
Configuration settings that can be modified while the implant is on target are indicated in the prompt text.
6.1 (U) Usage
(S//NF) This section contains information for configuring an implant. Figure 9 below shows the command line options for the Builder.
