Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
(S) PRO TIP: If the drive is NTFS, you can prepend ':' to each of the names to force
them to be written to an alternate data stream (ADS) of the volume's root directory, where
they do not appear in Explorer or a plain directory listing. For example, ":BKCore.exe",
":DeployConf.dat", etc. Note that "dir /R", PowerShell's "Get-Item -Stream *" and tools
such as Sysinternals Streams do enumerate named streams, so they are hidden from casual
inspection, not from a deliberate search.
6.2.2 (U) Deploy Condensed On Disk
(S) How it works: This option condenses everything into one encrypted blob. You *MUST*
specify an execution vector other than NONE for this to work, since the main BK
executable will require more than a double-click to retrieve. Additionally, the BK exe
must be dropped to disk on target in order to execute, so you can select a path and
name for it (or leave the path empty to use a temporary filename). It securely deletes
itself on termination.
(S) BKCore File Name: The name of the BKCore file, which contains EVERYTHING.
(S) Local Path to Drop: The OPTIONAL local path to drop the core executable to disk.
You can specify it with a drive letter, such as "C:\Temp\BKCore.exe"; without a drive
letter, in which case it is relative to the main drive, such as "Temp\BKCore.exe"; and/or
using environment variables, such as "%temp%\BKCore.exe". You do NOT need to specify a
name; if you omit it, a temporary filename is generated. After the main program
executes, this file is securely self-deleted.
(S) Blacklist: Process blacklist. If any of these processes is detected on target, then bail.
(S) PRO TIP: If the drive is NTFS, you can prepend ':' to the BKCore name to force it to be
written to an alternate data stream of the root directory, where it does not appear in
Explorer or a plain directory listing (it is still visible to "dir /R" and PowerShell's
"Get-Item -Stream *"). For example, ":BKCore.exe". It is also suggested to leave
"Local Path to Drop" empty.
6.3 (U) Payload Configuration
(S) Data Collection Method: The Data Collection module specifies how and where data
from payloads is stored.
Min % Free Space: Minimum percentage of free space required on the drive. If this
threshold is reached, no more data will be collected.
Max Collect Size: Maximum total collection size. If this threshold is reached, no more
data will be collected.
(S) Payload Type: Specifies a BK payload module or custom exe/dll for BK to execute.
All modules have the following options:
Max Runs: Number of times to execute this specific module when BK executes
Internet Drop: Specifies whether the module will only run if internet is detected, only
if internet is not detected, or regardless
Bitness Drop: Specifies whether the module will only run on x86, x64, or both
Blacklist: semicolon-separated list of processes that if detected on target, will
prevent this payload from launching
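The per-module gating options above (Blacklist, Bitness Drop, Internet Drop), evaluated against the local host in PowerShell. This is an added example and not code from the Brutal Kangaroo guide: the blacklist entries are constructed, and because this page does not say how BK detects "internet" or decides bitness, the checks used here (GetIsNetworkAvailable for connectivity, the OS bitness for Bitness Drop) are assumptions. The point worth seeing is the blacklist normalisation: Get-Process reports names without ".exe", so a blacklist written as "procmon.exe" would never match unless the extension is stripped.

```powershell
# Added example, not code from the guide: decide whether a module would be
# allowed to launch under the guide's three gating options. Option values are
# constructed; BK's own detection methods are not documented on this page.
#Requires -Version 3.0

function Test-ModuleGate {
    [CmdletBinding()]
    param(
        # Semicolon-separated process names, as the guide describes
        [string]$Blacklist = '',
        [ValidateSet('x86', 'x64', 'both')]
        [string]$BitnessDrop = 'both',
        [ValidateSet('required', 'absent', 'regardless')]
        [string]$InternetDrop = 'regardless'
    )
    $reasons = @()

    # Blacklist: tolerate spaces and trailing ';', strip ".exe" and compare
    # case-insensitively, because Get-Process names carry no extension.
    $blocked = $Blacklist -split ';' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ } |
        ForEach-Object { [IO.Path]::GetFileNameWithoutExtension($_).ToLowerInvariant() }
    $running = Get-Process | ForEach-Object { $_.ProcessName.ToLowerInvariant() } | Sort-Object -Unique
    $hits = $running | Where-Object { $blocked -contains $_ }
    if ($hits) { $reasons += "blacklisted process running: $($hits -join ', ')" }

    # Bitness Drop: assumption - compared against the OS bitness
    $is64 = [Environment]::Is64BitOperatingSystem
    if ($BitnessDrop -eq 'x64' -and -not $is64) { $reasons += 'module is x64-only, host is x86' }
    if ($BitnessDrop -eq 'x86' -and $is64)      { $reasons += 'module is x86-only, host is x64' }

    # Internet Drop: assumption - any available network counts as "internet";
    # a stricter check would probe an external host.
    $online = [System.Net.NetworkInformation.NetworkInterface]::GetIsNetworkAvailable()
    if ($InternetDrop -eq 'required' -and -not $online) { $reasons += 'internet required, none detected' }
    if ($InternetDrop -eq 'absent'   -and $online)      { $reasons += 'module runs offline only, network detected' }

    [pscustomobject]@{
        Launch  = ($reasons.Count -eq 0)
        Reasons = $reasons
    }
}

# Constructed sample configuration: a process monitor and a packet capture
# tool on the blacklist, module is x64-only, runs regardless of connectivity.
Test-ModuleGate -Blacklist 'procmon.exe; Wireshark.exe;' -BitnessDrop 'x64' -InternetDrop 'regardless'
```

Run it with one of the constructed blacklist names actually running (for example start Wireshark first) to see Launch flip to False with the matching process named in Reasons.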
6.3.1 (U) Alternate Data Stream
(S) REQUIRES NTFS. Utilizes NTFS Alternate Data Streams to store files hidden in the
root directory of the partition. They are not shown by Explorer or a plain dir listing;
"dir /R", PowerShell's "Get-Item -Stream *" and third-party tools such as Sysinternals
Streams can enumerate them.
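The ADS mechanism behind the two PRO TIPs above and this section, shown end to end in PowerShell: write content into a named stream, see what a plain listing misses, enumerate the stream with built-in tools, and hunt for named streams on the root of every NTFS volume, which is where a ':Name' drop lands. This is an added example and not code from the Brutal Kangaroo guide; the host file, stream name and content are constructed, and a throwaway file under %TEMP% stands in for the volume root so the demo needs no special rights.

```powershell
# Added example, not code from the guide: NTFS alternate data streams from
# both sides - hiding content in one, then finding it. Host file, stream name
# and content are constructed for the demo.
#Requires -Version 3.0

# Assumption: ':BKCore.exe' in the guide names a stream on the volume root;
# a temp file is used here instead of the root directory.
$hostFile   = Join-Path $env:TEMP 'ads-demo.txt'
$streamName = 'BKCore.exe'                     # constructed, mirrors the guide's example
$hidden     = 'constructed payload content'    # constructed stand-in for a binary

Set-Content -Path $hostFile -Value 'ordinary file content'
# Write into <file>:<stream>; the host file's visible size does not change
Set-Content -Path $hostFile -Stream $streamName -Value $hidden

# 1. A plain listing shows only the host file and the default stream's length
Get-ChildItem -Path $hostFile | Select-Object Name, Length

# 2. Streams are listed once you ask for them (':$DATA' is the default stream)
Get-Item -Path $hostFile -Stream * | Select-Object Stream, Length

# 3. cmd.exe has shown streams natively since Vista
cmd /c "dir /R `"$hostFile`""

# 4. Read the hidden content back
Get-Content -Path $hostFile -Stream $streamName

function Find-RootStreams {
    # Hunt for named streams on the root directory of every ready, fixed NTFS
    # volume. Directories carry streams just like files, so a ':Name' drop on
    # the root shows up here.
    [CmdletBinding()]
    param()
    [System.IO.DriveInfo]::GetDrives() |
        Where-Object { $_.DriveType -eq 'Fixed' -and $_.IsReady -and $_.DriveFormat -eq 'NTFS' } |
        ForEach-Object {
            Get-Item -Path $_.Name -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Select-Object FileName, Stream, Length
        }
}
Find-RootStreams

# Cleanup: remove the stream on its own, then the host file
Remove-Item -Path $hostFile -Stream $streamName
Remove-Item -Path $hostFile
```

Find-RootStreams is the check a responder would run on a suspect removable drive: copying a file with Explorer or a non-NTFS destination drops the named streams, so enumerate them on the original volume before imaging or copying.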