Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

Elsa User Manual.doc
SECRET//NOFORN
Figure 5 - (S) Example wizard.config file settings.
4.1.4 (U) PATCHER option Wizard
(S) Specifying the -W flag will run the PATCHER in wizard mode, interactively
prompting the user to specify ELSA settings. Upon completion, PATCHER will generate
a basic ELSA config file named ‘wizard.config’ that contains the settings specified by the
operator.
(S) The ‘wizard.config’ file can be modified for more advanced configuration scenarios.
The config file format supports UTF-8, allowing foreign language characters in the
service description fields and file paths. The wizard prompts do not support foreign
language input, so the file must be edited manually to use such characters.
> cd unclassified\server\windows
> patcher.exe -p x64 -o testx64g.dll -W
Enter mode [default is RunDll32]:
Enter target process filename [default is rundll32.exe]:
Enter data file name [default is %SystemRoot%\TEMP\elsa.data]: %SystemRoot%\TEMP\elsag.data
Enter data file max kb [default is 200]: 202
Enter data file archive seconds [default is 60]: 62
Enter data encryption key file [default is key.bin]:
Create a new application guid [default is no]:
Enter application guid [default is {59553112-3228-49ce-8044-4AB3C63BD46C}]:
Enter seconds between wifi surveys [default is 30]: 32
Enter the seconds to delay the wifi survey after install [default is 30]: 32
Enter the seconds to delay the wifi survey after startup [default is 30]: 32
Enter backoff factor to use when wifi survey are unsuccessful [default is 10]: 13
Enter the wifi rssi threshold [default is 100]: 202
Save all wifi surveys [default is no]:
Enter geolocation provider [default is google]:
Enter the Client Id [default is 5555]: 2234
Figure 6 - (S) Example command line usage of the PATCHER wizard
4.2 (U) Elsa CONFIG Option Details
(S) Elsa's behavior is defined by the configuration options provided to the patcher, so it is
important to understand these options and carefully consider the desired behavior prior to
deployment. A few significant options to consider are:
1) Do you want Elsa to try to resolve geolocations from the target, or would you
prefer to resolve them later using the processor tool? (See GeoProvider option)
   - Resolving from the target creates additional network traffic, although this
     traffic is designed to look like legitimate browser traffic.
   - Resolving later could produce different results if the provider's wifi
     database changes, although this is probably unlikely.
