Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
10. Pre Build Batch File: These fields let you specify a bat script or
executable to run before you build your ES Payload.
11. Post Build Batch File: These fields let you specify a bat script to run
to clean up after your pre build process.

4.4 Deployment to Primary Host

Once you have the configuration file (*.cfg file), you will grab the appropriate ES Server(64).exe
program. If you are putting this tool on a 64 bit machine, you will want to grab ES
Server64.exe; otherwise grab ES Server.exe. ES Server(64).exe has privilege escalation code in
it to allow it to run as System. By default you always try to run the program as Admin,
because Emotional Simian needs to be at least admin or greater to write data back to the
covert partition. However, if you are unable to have admin privileges, you will need to
put the appropriate version of ES Server(64).exe on the Primary Target’s computer. Both
*.cfg files are identical; Emotional_Simian_Config.exe has just conveniently renamed
both to match the executable. ES Server(64).cfg has to have the same name as ES
Server(64).exe. If you choose Blah.exe, then the .cfg file must be named Blah.cfg.

Once the program is started, ES Server(64).exe will load the *.cfg file and rename it to a *.ini
file. This is how you will know it is running correctly. If you ever need to put a new
*.cfg file down on target, ES Server(64).exe does not need to be shut down; just drop the
new *.cfg file down and wait at most 3 seconds. The old *.ini file will be deleted, and
the new *.cfg file will be loaded into ES Server(64).exe and renamed to *.ini. This will
be how you know the file was loaded correctly. The hash list of all whacked thumb
drives is stored in the *.ini file, so deleting this file will allow ES Server(64).exe to
rewhack thumb drives it has already seen.
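
From a defender's side, the load behaviour described above leaves a file-system pattern: a *.cfg file sharing an executable's base name is renamed to *.ini, and a replacement *.cfg is picked up within about 3 seconds after the old *.ini is deleted. The following is an added example, not part of the original guide; the event schema, function names and directory paths are assumptions constructed for illustration.

```python
from pathlib import PureWindowsPath

# Constructed events in a hypothetical schema (not a real EDR/Sysmon format):
# (seconds, action, path, new_path). Directory names are made up.
SAMPLE_EVENTS = [
    (0.0, "create", r"C:\ProgramData\Upd\Blah.exe", None),
    (0.5, "create", r"C:\ProgramData\Upd\Blah.cfg", None),
    (1.2, "rename", r"C:\ProgramData\Upd\Blah.cfg", r"C:\ProgramData\Upd\Blah.ini"),
    (5.0, "create", r"C:\Apps\Editor\editor.exe", None),
    (5.1, "create", r"C:\Apps\Editor\editor.ini", None),  # ini written directly
    (60.0, "create", r"C:\ProgramData\Upd\Blah.cfg", None),  # replacement config
    (61.5, "delete", r"C:\ProgramData\Upd\Blah.ini", None),
    (61.6, "rename", r"C:\ProgramData\Upd\Blah.cfg", r"C:\ProgramData\Upd\Blah.ini"),
    (90.0, "rename", r"C:\Temp\notes.cfg", r"C:\Temp\notes.ini"),  # no notes.exe
]

def _split(path):
    """Return ((lowercased directory, lowercased stem), lowercased suffix)."""
    p = PureWindowsPath(path)
    return (str(p.parent).lower(), p.stem.lower()), p.suffix.lower()

def find_cfg_to_ini_loads(events, poll_window=3.0):
    """Flag <name>.cfg -> <name>.ini renames next to a same-named <name>.exe."""
    exes, cfg_created, ini_deleted, findings = set(), {}, set(), []
    for ts, action, path, new_path in sorted(events, key=lambda e: e[0]):
        key, ext = _split(path)
        if action == "create" and ext == ".exe":
            exes.add(key)
        elif action == "create" and ext == ".cfg":
            cfg_created[key] = ts
        elif action == "delete" and ext == ".ini":
            ini_deleted.add(key)  # old state file removed ahead of a reload
        elif action == "rename" and ext == ".cfg" and new_path:
            new_key, new_ext = _split(new_path)
            if new_key != key or new_ext != ".ini" or key not in exes:
                continue
            waited = ts - cfg_created[key] if key in cfg_created else None
            findings.append({
                "ini": new_path,
                "reload": key in ini_deleted,
                "within_poll": waited is not None and waited <= poll_window,
            })
            ini_deleted.discard(key)
            cfg_created.pop(key, None)
    return findings

if __name__ == "__main__":
    for hit in find_cfg_to_ini_loads(SAMPLE_EVENTS):
        print(hit)
```

The example only learns about executables from creation events in the stream; in practice the same-named *.exe would also be checked on disk, since it may predate monitoring.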

ES Server(64).exe will not overwrite any files. If you want to overwrite the DLLs or lnk
files, you will need a program to clear those off. ES Server(64).exe was designed to be
not noticeable. If the target just happened to have a *.lnk file or *.dll of the same name
you choose, it will be destroyed and overwritten.

4.5 Retrieval of Collected Files

If a white list drive that has a covert partition makes it back to the Primary Host, all data
files (Surveys, Directory listings, and/or File collections) will be placed in the folder
specified by the Collection Directory on Primary Host Target parameter in the
configuration program. After that, it is up to you as the operator to retrieve your files.
Once ES Server(64).exe has collected a file off the thumb drive, it is deleted off the
covert storage on the thumb drive to make room for more data.
SECRET//X1
CL BY: 2397517
REASON: 1.4(c)
DECL: 20361019
DRV: COL S-06