Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//ORCON//NOFORN
The WebDAV transport mechanism is only supported on targets with Windows
2000 or later. The target machine must be running the WebClient service,
which is off by default on Windows 2000 and Windows 2003 Server.
Upload Size Limit
The WebClient service has a file size limit set in its registry key,
HKLM\SYSTEM\CurrentControlSet\services\WebClient\Parameters\FileSizeLimitInBytes.
The default value for the key is 50 MB. The size limit only affects the upload
of files to the implanted target.
Drive Selection
The WebDAV transport will mount the listening post to the drive with the
largest available letter, less than or equal to ‘U’.
Temporary Directory
To separate the operation of the Implant from the WebClient service, the
WebDAV transport will copy upload and download files to and from a
temporary directory specified by the user at build time.
There is a small chance that the WebClient service will generate an error
message identifying the file in question. By operating out of a temporary
directory, these messages will not identify a file in any of the Assassin
directories.
Path Randomization
The WebDAV transport randomizes the share path used during Implant
communications, including both the share name and filename components.
The share name of the share path is randomized by selecting one of a set of
share names provided in the transport configuration. If no share components
are provided, a share name is randomly generated from between three and
eight alphanumeric characters.
The filename of the share path is an encoded string of at least sixteen
alphanumeric characters that is composed of the Implant ID and a nonce
used to obfuscate the ID.
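
For defenders, the path shape described above can serve as a hunting heuristic over web proxy logs. The following is an added example, not part of the original document. The log format, the sample lines, the two-segment /share/filename layout and the absence of a file extension are assumptions. Microsoft-WebDAV-MiniRedir is the user agent sent by the Windows WebClient service.

```python
import re
from collections import defaultdict

# Constructed sample lines: "<client_ip> <method> <url_path> <user_agent>"
SAMPLE_LOG = """\
10.0.4.17 PROPFIND /docs/Q3-report.docx Microsoft-WebDAV-MiniRedir/6.1.7601
10.0.4.23 PUT /x7Kq2/a9F3kLm2Qw8ZtR5vB1nC Microsoft-WebDAV-MiniRedir/6.1.7601
10.0.4.23 GET /Rt5b/Zk48sJq0LmX2pT7wYc9D Microsoft-WebDAV-MiniRedir/6.1.7601
10.0.4.23 GET /shared-files/Hs82kQpL0zXv4NmT6rBa Microsoft-WebDAV-MiniRedir/6.1.7601
10.0.4.31 GET /x7Kq2/a9F3kLm2Qw8ZtR5vB1nC Mozilla/5.0
10.0.4.40 GET /share/readme.txt Microsoft-WebDAV-MiniRedir/6.1.7601
"""

WEBDAV_UA = "Microsoft-WebDAV-MiniRedir"       # Windows WebClient service
FILENAME_RE = re.compile(r"[A-Za-z0-9]{16,}")  # page: at least sixteen alphanumerics
SHARE_RE = re.compile(r"[A-Za-z0-9]{3,8}")     # page: generated names, 3 to 8 chars

def score_line(line):
    """Return (client, path, score) for a matching WebClient request, else None."""
    parts = line.split(None, 3)
    if len(parts) != 4 or not parts[3].startswith(WEBDAV_UA):
        return None
    client, _method, path, _ua = parts
    segments = path.strip("/").split("/")
    if len(segments) != 2:  # assumption: share path is /<share>/<filename>
        return None
    share, filename = segments
    if not FILENAME_RE.fullmatch(filename):
        return None
    # The filename shape is the core signal. The share-name shape only adds
    # weight, because configured share names can look like anything.
    return client, path, 1 + (1 if SHARE_RE.fullmatch(share) else 0)

def hunt(log_text, min_distinct=2):
    """Report clients that requested several distinct matching paths."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        result = score_line(line)
        if result:
            client, path, score = result
            hits[client].add((path, score))
    return {c: sorted(p) for c, p in hits.items() if len(p) >= min_distinct}

if __name__ == "__main__":
    for client, paths in hunt(SAMPLE_LOG).items():
        print(client, paths)
```

Ordinary short share names such as "docs" also fit the three-to-eight character pattern, so treat the score as a triage aid and confirm on the host: check the WebClient service state and look for mapped network drives at high letters.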