Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//NOFORN
(S) DLL Path: The relative path and file name for the execution DLL. This DLL can be
hidden/system, and buried down in the folder structure (executed by linkfile).
6.1.1.2 (U) EZCheese Link File Config
(S) Operating System: The link files are dependent upon the Operating system. If you
know the specific OS you are targeting, then you should select only that OS. If you are
unsure, you may want to select all OSs that may apply. NOTE: You will need a different
link file for each OS-architecture combination, but you only need one associated DLL per
architecture.
(S) Link File Name: The name of the link file that will be created.
6.1.2 (U) Lachesis LinkFiles (Okabi Links)
(S) Target OS: Windows 7
(S) Additional requirements: Okabi LinkFiles cannot link directly to the specific drive,
so you will need to provide educated guesses as to which drive letter or which Physical
Drive number that the thumbdrive will be mounted on. Theoretically, you could create
linkfiles for every drive letter to guarantee execution. However, realistically, you can
immediately eliminate drive letters such as "A:\", "B:\"... And assuming the OS is
installed on C:\, then ideally you may just want to create link files for D:\, E:\, F:\, and
MAYBE G:\. Additionally, you can use PhysicalDriveXX... which may actually be better
since its number is dependent upon the number of physical drives actually plugged into
the system instead of the total number of partitions on the system. So, you could specify
linkfiles for "PhysicalDrive1", "PhysicalDrive2", and MAYBE "PhysicalDrive3". This
optimizes you down to 2-3 links instead of 3-4.
(S) TLDR: Can't directly link to a thumbdrive, must use drive letters or physical drive
numbers to link to the target drive; Must provide educated guesses as to how the drive
will show up in the target system; Shouldn’t be too much of an issue since the links are
all hidden.
(S) How it works: The LinkFiles exploit uses autorun.inf to gain execution as soon as
the drive is plugged in. Therefore, the link files themselves do NOT need to be viewed in
explorer and can be made hidden/system in whatever directory structure desired.
6.1.2.1 (U) Lachesis Execution Vector Config
(S) Link Files Directory: Relative path, from the root of the thumbdrive, where the
link files are to be written.
(S) Pro Tip: Specify a hidden directory such as "System Volume Information" or another
directory where the user doesn't have access or won’t likely navigate to prevent
discovery.
6.1.2.2 (U) Lachesis Target DLL Config
(S) Architecture: Specify the DLL architecture (x86 / x64). Multiple link files can point
to the same DLL, so at most you will need one x64 DLL and one x86 DLL.
(S) DLL Path: The relative path and file name for the execution DLL. This DLL can be
hidden/system, and buried down in the folder structure (executed by linkfile).
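
From the defender's side, the artifacts this section describes (an autorun.inf on the drive, hidden/system link files buried in the folder structure, link targets naming PhysicalDriveN) can be checked for on a mounted removable volume. The following is an added example, not part of the original document; the function names are hypothetical, and it assumes a PhysicalDrive target appears as a literal string inside the link file.

```python
import os
import stat

# MS-SHLLINK header: HeaderSize 0x4C followed by the ShellLink CLSID.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
HIDDEN_SYSTEM = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM
# Assumption: a raw-device target shows up as a literal string in the file.
NEEDLE = "physicaldrive"


def references_physical_drive(data):
    """Case-insensitive search for the device name in ASCII or UTF-16LE."""
    low = data.lower()
    return NEEDLE.encode("ascii") in low or NEEDLE.encode("utf-16-le") in low


def triage_volume(root):
    """Return (relative_path, reason) findings for a mounted removable volume."""
    findings = []

    def unreadable(err):
        # Directories that cannot be listed are reported, not silently skipped.
        rel = os.path.relpath(err.filename, root)
        findings.append((rel, "directory not readable"))

    for dirpath, _dirs, files in os.walk(root, onerror=unreadable):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if dirpath == root and name.lower() == "autorun.inf":
                findings.append((rel, "autorun.inf at volume root"))
                continue
            try:
                with open(path, "rb") as fh:
                    if fh.read(len(LNK_MAGIC)) != LNK_MAGIC:
                        continue  # not a shell link, whatever its extension
                    body = fh.read(1 << 20)  # link files are small
                attrs = getattr(os.stat(path), "st_file_attributes", 0)
            except OSError:
                findings.append((rel, "file not readable"))
                continue
            reasons = []
            if attrs & HIDDEN_SYSTEM:
                reasons.append("hidden/system link file")
            if references_physical_drive(body):
                reasons.append("link references PhysicalDrive")
            if reasons:
                findings.append((rel, "; ".join(reasons)))
    return findings
```

The hidden/system check only has data to work with on Windows, where st_file_attributes is populated; run the scan with enough privilege to list protected directories, otherwise they appear as "directory not readable" findings.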