Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
Elsa User Manual.doc
26
SECRET//NOFORN
Volume in drive C is OS
Volume Serial Number is 16CB-523E
Directory of C:\Users\user\elsa-v1.0.0-windows\unclassified\server\windows
06/13/2012 10:44 AM <DIR> .
06/13/2012 10:44 AM <DIR> ..
06/13/2012 09:09 AM 2,717 addtask.vbs
06/13/2012 10:33 AM 130 key.bin
06/13/2012 09:09 AM 116,224 patcher.exe
06/13/2012 09:09 AM 270,336 processor.exe
06/13/2012 09:09 AM 453 sha1-windows-images.txt
06/13/2012 10:44 AM 109,568 testx64g.dll
06/13/2012 09:09 AM 109,568 tool-x64.dll
06/13/2012 09:09 AM 86,016 tool-x86.dll
06/13/2012 10:44 AM 512 wizard.config
8 File(s) 806,919 bytes
2 Dir(s) 196,851,429,376 bytes free
Figure 23 - (S) Example PATCHER session
(S) On the target system, execute the tool with the following command. Note that the
command line is case sensitive for the DLL export string 'Control_RunDLL'.
> rundll32 testx64g.dll,Control_RunDLL
Figure 24 - (S) Example of start of ELSA collection module
(S) ELSA will begin monitoring wifi networks. It will wait until the first archive period
before writing the log file. In this example the archive will be updated every 62 seconds.
The tool will wait for the startup and install delays to expire before collecting wifi
observations. As configured this will be 32 seconds. The operator can verify the tool is
running by observing the file '%SystemRoot%\TEMP\elsag.data' for size changes.
Wireshark is useful for observing the HTTPS traffic as the tool queries Google or
Microsoft for geolocation coordinates. After several wifi survey intervals the operator
can connect and copy the collection file '%SystemRoot%\TEMP\elsag.data' into a new
directory 'outdir' on the Operator Terminal and process it.
C:\Users\user\elsa-v1.0.0-windows\unclassified\server\windows
> mkdir indir
C:\Users\user\elsa-v1.0.0-windows\unclassified\server\windows
> mkdir outdir
C:\Users\user\elsa-v1.0.0-windows\unclassified\server\windows
> processor.exe -k key.bin -i indir -o outdir
key : key.bin
input : indir
output : outdir
mask : (null)
processing 'indir\elsag.data' done
1 files processed.
C:\Users\user\elsa-v1.0.0-windows\unclassified\server\windows
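The two observable artifacts this page describes (a rundll32 launch through the Control_RunDLL export of a DLL that is not in a Windows system directory, and a file under %SystemRoot%\TEMP that grows by one archive period at a time) are what a defender would key on. The following Python script is an added example written for this edit; it is not part of the leaked manual or of the ELSA tool. It assumes a simplified process-creation record format of the form Image|CommandLine|CurrentDirectory (Sysmon-style fields, constructed here), treats only C:\Windows\System32 and C:\Windows\SysWOW64 as trusted DLL locations, and uses constructed size observations; the legitimate Control Panel launch pattern (shell32.dll,Control_RunDLL with a .cpl argument) is included so the exclusion for system directories is exercised.

```python
"""Detection helpers for the two artifacts described in the ELSA manual excerpt.

Added example, not code from the leaked manual or from the tool. Record format,
trusted-directory list and all sample values are constructed for this example.
"""
import ntpath
import re
from dataclasses import dataclass

# Constructed process-creation records: "<Image>|<CommandLine>|<CurrentDirectory>".
SAMPLE_LOG = """\
C:\\Windows\\System32\\rundll32.exe|rundll32 testx64g.dll,Control_RunDLL|C:\\Users\\user\\Downloads
C:\\Windows\\System32\\rundll32.exe|rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL desk.cpl|C:\\Windows\\System32
C:\\Windows\\System32\\rundll32.exe|"C:\\Windows\\System32\\rundll32.exe" C:\\Users\\user\\AppData\\Local\\Temp\\tool-x64.dll,Control_RunDLL|C:\\Users\\user
C:\\Windows\\System32\\notepad.exe|notepad.exe notes.txt|C:\\Users\\user
"""

# Directories from which a Control_RunDLL load is considered routine (assumption).
SYSTEM_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# rundll32 [path\]name.dll,ExportName [args]; the DLL token may be quoted.
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",\s]+)"?,(?P<export>[A-Za-z0-9_]+)',
    re.IGNORECASE,
)


@dataclass
class Finding:
    dll_path: str
    export: str
    reason: str


def resolve_dll(dll: str, cwd: str) -> str:
    """Absolute, case-folded DLL path; relative names resolve against the process cwd."""
    if not (ntpath.isabs(dll) or re.match(r"^[A-Za-z]:", dll)):
        dll = ntpath.join(cwd, dll)
    return ntpath.normcase(ntpath.normpath(dll))


def analyse_record(image: str, cmdline: str, cwd: str):
    """Flag rundll32 invoking Control_RunDLL from a DLL outside the system directories."""
    if ntpath.basename(image).lower() != "rundll32.exe":
        return None
    m = RUNDLL_RE.search(cmdline)
    if not m:
        return None
    export = m.group("export")
    # Export names are resolved case-sensitively, so match the exact spelling.
    if export != "Control_RunDLL":
        return None
    path = resolve_dll(m.group("dll"), cwd)
    if path.startswith(SYSTEM_PREFIXES):
        return None  # e.g. shell32.dll,Control_RunDLL launching a Control Panel applet
    return Finding(path, export, "Control_RunDLL export loaded from a non-system DLL")


def scan(log_text: str):
    """Run analyse_record over every non-empty log line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        image, cmdline, cwd = line.split("|", 2)
        finding = analyse_record(image, cmdline, cwd)
        if finding:
            findings.append(finding)
    return findings


# Constructed size observations of %SystemRoot%\TEMP: (seconds, path, bytes).
SAMPLE_SIZES = [
    (0, r"C:\Windows\TEMP\elsag.data", 0),
    (62, r"C:\Windows\TEMP\elsag.data", 1024),
    (124, r"C:\Windows\TEMP\elsag.data", 2048),
    (186, r"C:\Windows\TEMP\elsag.data", 3072),
    (0, r"C:\Windows\TEMP\setup.log", 400),
    (186, r"C:\Windows\TEMP\setup.log", 400),
]


def steadily_growing(observations, min_growth_steps: int = 3):
    """Paths under the Windows TEMP directory whose size increased at every
    observation, over at least min_growth_steps consecutive intervals."""
    by_path = {}
    for _t, path, size in sorted(observations):
        by_path.setdefault(ntpath.normcase(path), []).append(size)
    hits = []
    for path, sizes in by_path.items():
        if not path.startswith("c:\\windows\\temp\\"):
            continue
        growth_steps = sum(1 for a, b in zip(sizes, sizes[1:]) if b > a)
        if growth_steps >= min_growth_steps and growth_steps == len(sizes) - 1:
            hits.append(path)
    return hits


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"rundll32 finding: {f.dll_path} ({f.reason})")
    for p in steadily_growing(SAMPLE_SIZES):
        print(f"steadily growing temp file: {p}")
```

The system-directory exclusion is deliberate: rundll32 with shell32.dll,Control_RunDLL is how Control Panel applets are normally opened, so matching on the export name alone would be noisy. The file-growth check is the defensive mirror of the manual's own verification step, and the interval between observations (62 seconds in the sample) comes from the archive period quoted on this page.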