Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
Elsa User Manual.doc
5
SECRET//NOFORN
but allow injection for non-critical and 3rd-party (non-Windows) processes. Deploying
ELSA to these systems requires a careful system survey, targeting, and/or a cover application
for processes vulnerable to this type of injection.
(S) ELSA can run in several operational modes that offer flexibility as to its
appearance on the system. ELSA can be installed as a service running inside
SvcHost, a scheduled task running inside DllHost, a utility running inside rundll32,
or as an AppInit DLL running inside a specified process.
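As an added example (not from the manual, and not ELSA's own code), the PowerShell below enumerates the four hosting points the paragraph names on a Windows host, so a defender can see which DLLs those hosts are currently loading: svchost-hosted services via their ServiceDll value, scheduled tasks whose action goes through rundll32 or a COM handler, and the AppInit_DLLs values. The function name, the path-based "Suspicious" heuristic, and treating a task's COM-handler action as the DllHost case are this example's assumptions; the page does not say how ELSA's task reaches DllHost.

```powershell
# Added example, not from the ELSA manual. Read-only audit of the four DLL hosting
# points the manual lists; run in an elevated PowerShell on the host being examined.
# The "Suspicious" flag (DLL outside %SystemRoot%) is this example's own heuristic.
function Get-DllHostingPoints {
    $found = New-Object System.Collections.Generic.List[object]

    # 1. Services hosted in svchost.exe name their DLL in <service>\Parameters\ServiceDll.
    foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path "$($svc.PSPath)\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue
        if ($p) {
            $found.Add([pscustomobject]@{ Mode = 'svchost service'; Source = $svc.PSChildName
                Dll = [Environment]::ExpandEnvironmentVariables($p.ServiceDll) })
        }
    }

    # 2./3. Scheduled tasks: an Exec action that launches rundll32.exe, or a COM-handler
    # action, whose CLSID resolves to an InprocServer32 DLL (assumed here to be the DllHost case).
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($a in $task.Actions) {
            if ($a.Execute -and $a.Execute -match 'rundll32') {
                $found.Add([pscustomobject]@{ Mode = 'rundll32 task'; Source = $task.TaskName; Dll = $a.Arguments })
            }
            elseif ($a.ClassId) {
                $srv = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$($a.ClassId)\InprocServer32" -ErrorAction SilentlyContinue
                if ($srv) {
                    $found.Add([pscustomobject]@{ Mode = 'COM-handler task'; Source = $task.TaskName
                        Dll = [Environment]::ExpandEnvironmentVariables($srv.'(default)') })
                }
            }
        }
    }

    # 4. AppInit_DLLs (native and WOW64 views): loaded into every process that links user32.dll,
    # gated by LoadAppInit_DLLs. Entries are space- or comma-separated.
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows') {
        $w = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($w -and $w.AppInit_DLLs) {
            foreach ($d in ($w.AppInit_DLLs -split '[ ,]+' | Where-Object { $_ })) {
                $found.Add([pscustomobject]@{ Mode = "AppInit_DLLs (LoadAppInit_DLLs=$($w.LoadAppInit_DLLs))"
                    Source = $key; Dll = [Environment]::ExpandEnvironmentVariables($d) })
            }
        }
    }

    # Heuristic: a hosting DLL outside %SystemRoot% deserves a look. rundll32 arguments such as
    # "shell32.dll,Control_RunDLL" carry no directory and are flagged as well, on purpose.
    foreach ($f in $found) {
        $path = (($f.Dll -split ',')[0]).Trim().Trim('"')
        $f | Add-Member -NotePropertyName Suspicious -NotePropertyValue (-not ($path -like "$env:SystemRoot\*"))
    }
    $found | Sort-Object Suspicious -Descending
}

Get-DllHostingPoints | Format-Table -AutoSize
```

The path heuristic is deliberately loose: a DLL dropped into the Windows directory (as the manual's SysWOW64/System32 discussion implies is possible) will not be flagged, so treat the listing as a full inventory to diff against a known-good baseline rather than as an alert on its own.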
3.4 (U) Dll Installation
(S) The ELSA DLL exports routines that can be used to install the tool with RegSvr32.exe,
among other methods (see 'Deployment' below). In some AV environments these
installation routines can trigger pop-up messages; signing the tool with a certificate can
mitigate them. Because the tool is an injectable DLL, injection can also be used for the
installation itself. See the InstallFromProcess section for more information on this
procedure.
(S) 64-bit Windows contains two copies of RegSvr32.exe: a 64-bit executable in
C:\Windows\System32 and a 32-bit executable in C:\Windows\SysWOW64. Deploying the 64-bit
version of the DLL requires the 64-bit RegSvr32; a 32-bit DLL likewise requires the SysWOW64 copy,
because RegSvr32 cannot load a DLL of the other bitness.
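As an added example (not from the manual): a PowerShell function that reads the PE header's Machine field of a DLL and returns the RegSvr32.exe copy whose bitness matches, including the WoW64 file-system redirection caveat that bites when a 32-bit PowerShell on 64-bit Windows tries to reach the native System32 binary. The function name and the sample path are assumptions; the function registers nothing, it only reports.

```powershell
# Added example, not from the ELSA manual. Reads a DLL's IMAGE_FILE_HEADER.Machine and
# picks the matching RegSvr32.exe. Read-only; the caller decides whether to run it.
function Get-MatchingRegSvr32 {
    param([Parameter(Mandatory)][string]$DllPath)

    $bytes = [System.IO.File]::ReadAllBytes($DllPath)
    # IMAGE_DOS_HEADER: 'MZ' magic; e_lfanew at offset 0x3C points to the 'PE\0\0' signature.
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "$DllPath is not an MZ image"
    }
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    if ($peOffset -lt 0 -or $peOffset + 6 -gt $bytes.Length -or
        [BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) {
        throw "$DllPath has no PE signature"
    }
    # IMAGE_FILE_HEADER.Machine is the 16-bit field immediately after the 4-byte signature.
    $machine = [BitConverter]::ToUInt16($bytes, $peOffset + 4)
    $arch = switch ($machine) {
        0x014C  { 'x86' }
        0x8664  { 'x64' }
        default { throw ('unsupported IMAGE_FILE_HEADER.Machine 0x{0:X4}' -f $machine) }
    }

    $os64   = [Environment]::Is64BitOperatingSystem
    $proc64 = [Environment]::Is64BitProcess
    if ($arch -eq 'x64' -and -not $os64) { throw 'an x64 DLL cannot be registered on 32-bit Windows' }

    # System32 holds the native RegSvr32; SysWOW64 holds the 32-bit one on 64-bit Windows.
    # A 32-bit process on 64-bit Windows has System32 redirected to SysWOW64 and must use
    # the Sysnative alias to reach the native binary.
    if ($arch -eq 'x86' -and $os64)  { $dir = 'SysWOW64' }
    elseif ($os64 -and -not $proc64) { $dir = 'Sysnative' }
    else                             { $dir = 'System32' }

    [pscustomobject]@{
        Dll      = $DllPath
        Arch     = $arch
        RegSvr32 = Join-Path $env:SystemRoot "$dir\regsvr32.exe"
    }
}

# Sample path is a placeholder; point it at the DLL you are checking.
Get-MatchingRegSvr32 -DllPath 'C:\path\to\tool.dll'
```

The Machine check is the reliable test; file location is not, since nothing stops a 32-bit DLL from sitting in System32 or a 64-bit one in SysWOW64.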
3.5 (U) Prerequisites
(S) The software system will only operate correctly if each component is executed within
the appropriate operating environment.
3.5.1 (U) Operator Terminal Requirements
(S) The operator terminal is designed to run on Windows 7.
3.5.2 (U) ELSA Requirements
(S) The ELSA implant may be executed on any of the following versions of Microsoft
Windows:
1. Windows 7, 32-bit and 64-bit
3.6 (U) Equipment Familiarization
(S) An operations officer must have a broad understanding of the Windows command
line interface. They must understand the configuration and installation of Windows
services, scheduled tasks, and drivers.
3.7 (U) Security Provisions
(S) The ELSA tool can be renamed, signed, and packed without losing its functionality.
The ELSA DLL contains no strings that would give away its true purpose. The DLL and
driver do not hide their processes or files. The DLL can be injected into an existing
process, which reduces its visibility. Each time the ELSA data file is updated, its
timestamp is back-dated to the file's original creation date. (Examiner's note: file
timestamps that a tool rewrites are the $STANDARD_INFORMATION values the shell displays;
the $FILE_NAME timestamps in the same NTFS MFT record and the USN change journal are not
rewritten by that kind of call, so a file whose reported modified time is earlier than its
$FILE_NAME modified time, or whose journal shows writes after its reported modified time,
has been back-dated.)