Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
4.4 (U) Execution Methods
(S) This section covers the options in “Local Binary Payload Config” and specifies what can and cannot be executed by DriftingDeadline. Not all options are required.
Local Path: The local path to the payload on the configurator’s box. The name and location of this binary are NOT recorded in the BK payloads, but are saved in the config file for your convenience.
Drop Name: If applicable, where to drop the payload on target and what to name it. This field can take environment variables.
Command Line Args: If applicable, arguments to pass to your payload.
Max Runs: The maximum number of times you want your payload to be executed, or unlimited.
Needs Admin?: Whether the payload can only be dropped when running as Admin. Currently, this field is not really used, since DriftingDeadline contains no privilege escalation.
Internet Drop: Only proceed with executing the payload if the internet is connected.
Bitness Drop: Only proceed with executing the payload if the machine is of a particular bitness.
4.4.1 (U) RunDLL32 (32-bit and 64-bit DLLs)
(S) The payload is dropped to disk under the given “Drop Name” and executed with RunDLL32, with the “Command Line Args” supplied. The process runs under Rundll32 and is NOT waited for; the payload must handle its own deletion.
(S) Note that the arguments must start with the ordinal to execute. Some example args:
“#1”
“#2”
“#1 these are the args to my DLL”
...
(S) If no arguments are supplied, ordinal 1 (“#1”) is assumed.
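As an added example (not from the original document), the following defender-side parser picks the launch pattern described above, a rundll32 invocation with an ordinal entry point and a DLL sitting in a user-writable directory, out of process-creation command lines; the sample command lines and the list of user-writable directories are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample process-creation command lines (hypothetical, not from the document).
SAMPLE_CMDLINES = [
    r'rundll32.exe C:\Users\alice\AppData\Local\Temp\upd.dll,#1 these are the args',
    r'"C:\Windows\System32\rundll32.exe" C:\ProgramData\svc.dll,#2',
    r'rundll32.exe shell32.dll,Control_RunDLL desk.cpl',
    r'rundll32.exe user32.dll,LockWorkStation',
    r'C:\Windows\explorer.exe',
]

# Directories a standard user can write to; a dropped payload typically lands in one of these.
USER_WRITABLE = re.compile(r'\\(?:AppData|Temp|ProgramData|Users\\Public)\\', re.IGNORECASE)

@dataclass
class RunDll32Call:
    dll: str    # DLL path or name as passed to rundll32
    entry: str  # exported function name, or '#N' for an ordinal
    args: str   # trailing arguments handed to the export

def parse_rundll32(cmdline: str) -> Optional[RunDll32Call]:
    """Split 'rundll32[.exe] <dll>,<entry> [args]' into its parts; None if not rundll32."""
    m = re.match(r'^\s*"?(?:[A-Za-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+(.*)$',
                 cmdline, re.IGNORECASE)
    if not m:
        return None
    # First token is the DLL (possibly quoted) plus ',entry'; everything after it is the args.
    hm = re.match(r'^("[^"]*"\S*|\S+)\s*(.*)$', m.group(1).strip())
    if not hm:
        return None
    head, args = hm.group(1).replace('"', ''), hm.group(2).strip()
    dll, _, entry = head.partition(',')
    return RunDll32Call(dll.strip(), entry.strip(), args)

def triage(cmdline: str) -> list[str]:
    """Return the reasons a command line deserves a look (empty list if none)."""
    call = parse_rundll32(cmdline)
    if call is None:
        return []
    reasons = []
    # An ordinal entry ('#1' is the default when no args are configured) instead of a named export.
    if call.entry.startswith('#'):
        reasons.append('ordinal export')
    if USER_WRITABLE.search(call.dll):
        reasons.append('dll in user-writable path')
    return reasons
```

Running `triage()` over SAMPLE_CMDLINES flags the first two lines on both counts and returns an empty list for the rest; since the dropped DLL is responsible for deleting itself, the command line may be the only artifact left, so the file-creation event that precedes the launch is worth correlating as well.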
4.4.2 (U) Load Library from Disk (32-bit DLLs)
(S) The payload is loaded directly from memory into the DriftingDeadline process and never touches disk. DllMain is executed and waited on until completion.