Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//20350112
(S) If this same MAC address then generates a Target detection for a different
email/chat/VoIP Target, the Derived MAC will inherit the Actions of this new Target as
follows:
• Browser Redirect (Windex) - a Browser Redirect (Windex) Action will be
inherited only if the Derived MAC has not yet been redirected (i.e., the Derived
MAC will be directed only once regardless of how many different
email/chat/VoIP Targets are detected for that MAC).
• Copy - if the previous Target did not have a Copy Action, and the new Target
does have a Copy Action, the Derived MAC will inherit the Copy Action of the
new Target. If the previous Target did have a Copy Action, and the new Target
does not have a Copy Action, the Derived MAC will retain the Copy Action of
the previous Target.
• VPN Link - if the previous Target did not have a VPN Link Action, and the new
Target does have a VPN Link Action, the Derived MAC will inherit the VPN
Link Action of the new Target. If the previous Target did have a VPN Link
Action with a timeout, and the new Target has a VPN Link Action with no
timeout, then the Derived MAC will inherit the no-timeout VPN Link Action.
• VPN Proxy - if the previous Target did not have a VPN Proxy Action, and the
new Target does have a VPN Proxy Action, the Derived MAC will inherit the
VPN Proxy Action of the new Target. If the previous Target did have a VPN
Proxy Action with a timeout, and the new Target has a VPN Proxy Action with
no timeout, then the Derived MAC will inherit the no-timeout VPN Proxy
Action. Note that a VPN Proxy Action implies a VPN Link Action (i.e., a VPN
Link is established to support the VPN Proxy Action).
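The inheritance rules above can be modeled as a small state merge, which helps an analyst work out which Actions end up attached to one MAC after several Target detections. This is an added example, not code from the manual or the tool; the `Actions` class, field names, sample targets and URLs are constructed, and combinations the rules do not cover are assumed to retain the previous Action.

```python
import math
from dataclasses import dataclass
from typing import Optional

NO_TIMEOUT = math.inf  # models a "no-timeout" Action; None means "no Action"

@dataclass(frozen=True)
class Actions:
    redirect: Optional[str] = None     # Browser Redirect (Windex) URL
    copy: Optional[float] = None       # Copy timeout, minutes
    vpn_link: Optional[float] = None   # VPN Link timeout, minutes
    vpn_proxy: Optional[float] = None  # VPN Proxy timeout, minutes

def _merge_vpn(prev, new):
    """VPN Link / VPN Proxy rule: inherit if absent, upgrade timed to no-timeout."""
    if prev is None:
        return new
    if new == NO_TIMEOUT and prev != NO_TIMEOUT:
        return NO_TIMEOUT
    return prev  # assumption: cases the rules do not cover keep the previous Action

def inherit(prev: Actions, new: Actions) -> Actions:
    """Actions of a Derived MAC after a further Target is detected on it."""
    # A VPN Proxy implies a VPN Link. Assumption: the implied link takes the
    # proxy's timeout when the Target defines no VPN Link of its own.
    new_link = new.vpn_link if new.vpn_link is not None else new.vpn_proxy
    return Actions(
        # Redirect is inherited only once per MAC (assigned is treated as done).
        redirect=prev.redirect if prev.redirect is not None else new.redirect,
        # Copy: inherit if absent, otherwise retain the previous Copy.
        copy=prev.copy if prev.copy is not None else new.copy,
        vpn_link=_merge_vpn(prev.vpn_link, new_link),
        vpn_proxy=_merge_vpn(prev.vpn_proxy, new.vpn_proxy),
    )

def replay(detections):
    """Fold a sequence of detected Targets' Actions into one Derived MAC state."""
    state = Actions()
    for target in detections:
        state = inherit(state, target)
    return state

# Constructed sample Targets, detected in this order on one MAC.
SAMPLE = [
    Actions(vpn_proxy=30),
    Actions(redirect="http://first.example"),
    Actions(copy=10, redirect="http://second.example"),
    Actions(vpn_proxy=NO_TIMEOUT),
]

if __name__ == "__main__":
    print(replay(SAMPLE))
```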
(S) Here is an example. Say the following email Targets exist in a Mission with the
following Actions:
• a@a.com – VPN Proxy with 30 minute timeout, no Browser Redirect (Windex)
Action
• b@b.com – Direct the Target to the Windex site www.redirect.com, no Copy
Action, no VPN Proxy Action
• c@c.com – Copy with 10 minute timeout, Browser Redirect (Windex) to
www.redirect2.com, no VPN Proxy Action
• d@d.com – a no-timeout VPN Proxy Action
Suppose that a@a.com is detected on a client with a particular MAC address. At this
point the Flytrap will send an email Alert for a@a.com, and the VPN Proxy Action will
begin immediately. Say 1 hour later, b@b.com is detected in the network stream of this
same client MAC address. Because b@b.com has a Windex Action, and a@a.com does
not, the client will be directed to www.redirect.com at the next root HTTP GET request.
Say 1 hour later, c@c.com is detected in the network stream of this same client MAC
address. Because a Copy Action has not yet been performed on this MAC address,
c@c.com’s network traffic will be copied for 10 minutes. Since this MAC address has
already had a Browser Redirect (Windex) Action, the client will not be directed to
www.redirect2.com. Say 1 hour later, d@d.com is detected in the network stream of this
same client MAC address. Since this Target has a no-timeout VPN Proxy Action, a no-