Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
Pg. 07
Boot Persistence
PIR Question/Answer
4.5.1.2/4.5.2.2 – does incremental file upload mean that there is a max upload size per beacon? Or is this simply an ability to restart where it left off?
This means chunking
4.5.1.7&8 – non-blocking exfil – does this mean we should support multiple file/command transfer threads/connections on target (alternatively, a single thread/connection would mean blocking?)
THIS MEANS MULTITHREADED – MULTI-COMMANDS SIMULTANEOUSLY
4.10.2.3 – can we harvest the proxy credentials during install?
Just address and port of base, or do we also need to drill down to advanced settings within IE?
YES – but also use system get current proxy credentials from logged-on user.
4.10.2.6 – can we harvest the user agent string during install?
YES – but also use system get current user agent strings from logged-on user.
4.10.7.5 – is asymmetric the right word here – meaning RSA instead of AES 256?
SYNC is correct – use AES 256
4.13.1.1.1 – if we are running as system does Athena still need to support launching as the current user, or can we only support this when run within a user context? Only support running as user context when run
No – but this could be supported when run in a user context.
4.13.1.1.2 – The dynamic loading of a static/non-dynamic exe is problematic in the address space of the existing host application. If the exe is dynamic, it may still fail depending on import dependencies. This requirement cannot be performed without restricting the exe to ones that have been tested with the framework. My initial guess is that there would be a very small number of off-the-shelf tools that would work. (NOTE: I have tested psexec.exe and this tool would fail without creating an application execution virtualization environment custom to the executable in question.)
DLL only