Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

UNCLASSIFIED
Cherry Bomb Program Cherry Blossom Internal Test Procedures
ping an internet address (e.g., ping Google.com) indefinitely, and surf the internet
for at least 5 minutes. From the Second Client Computer, ping a different internet
address indefinitely.
Pass/Fail: the test passes if the Client Computer’s network traffic (and not the
Second Client Computer’s network traffic) is copied for the 5 minute period
following the Yahoo webmail login (using CherryWeb, click the “download” link in
the Copy Data column of the View->Alerts page for the appropriate
smith_test1@yahoo.com Alert, then click on the appropriate pcap file on the
Copy Data page, and then verify time and content of capture. A decent way to
verify content is, in Wireshark, to sort the packets by type, and look at the DNS
packets – they should match the surf history. To verify timeout, in Wireshark,
scroll to the last packet and check the time; it should be 5 minutes +/- 10 seconds
(due to caching and periodic bursting of copy data from ulogd)).
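
The two pcap checks described above (DNS query names matching the surf history, and the time of the last packet falling at 5 minutes +/- 10 seconds) can be scripted instead of done by hand in Wireshark. The following is an added example, not part of the original document or of the Cherry Blossom tooling; the function names, the sample hosts, the addresses and the timestamps are all constructed for illustration, and it assumes a classic (non-pcapng) Ethernet capture.

```python
import struct

def dns_frame(name):
    """Constructed Ethernet/IPv4/UDP DNS query for `name` (checksums left at 0)."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    dns = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x00\x01\x00\x01"
    udp = struct.pack("!4H", 40000, 53, 8 + len(dns), 0)
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 28 + len(dns), 0, 0, 64, 17, 0) + bytes(
        [192, 168, 1, 10, 192, 168, 1, 1])
    return b"\x00" * 12 + b"\x08\x00" + ip + udp + dns

def build_pcap(packets):
    """Serialize [(epoch_seconds, frame)] as a little-endian classic pcap."""
    recs = [struct.pack("<IIII", ts, 0, len(f), len(f)) + f for ts, f in packets]
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(recs)

def dns_query_name(frame):
    """Queried name if `frame` is an IPv4/UDP packet to port 53, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None
    udp = 14 + (frame[14] & 0x0F) * 4            # honour the IPv4 header length
    if len(frame) < udp + 20 or frame[udp + 2:udp + 4] != b"\x00\x35":
        return None
    pos, labels = udp + 20, []                   # skip UDP (8) and DNS (12) headers
    while pos < len(frame) and frame[pos]:
        labels.append(frame[pos + 1:pos + 1 + frame[pos]].decode("ascii", "replace"))
        pos += 1 + frame[pos]
    return ".".join(labels)

def summarize_pcap(data):
    """Return (seconds between first and last packet, DNS query names in order)."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if order is None:
        raise ValueError("not a classic microsecond-resolution pcap")
    off, times, names = 24, [], []
    while off + 16 <= len(data):
        sec, usec, incl, _ = struct.unpack(order + "IIII", data[off:off + 16])
        names.append(dns_query_name(data[off + 16:off + 16 + incl]))
        times.append(sec + usec / 1e6)
        off += 16 + incl
    return (times[-1] - times[0] if times else 0.0), [n for n in names if n]

def check_capture(data, surf_history, expected=300, tolerance=10):
    """(duration within tolerance?, visited hosts with no DNS query in the capture)."""
    duration, names = summarize_pcap(data)
    return abs(duration - expected) <= tolerance, set(surf_history) - set(names)

HOSTS = ["google.com", "asdf.com", "slashdot.org"]   # constructed sample input
SAMPLE = build_pcap([(1000 + 152 * i, dns_frame(h)) for i, h in enumerate(HOSTS)])
```

check_capture(SAMPLE, HOSTS) reports whether the capture length is inside the window and which visited hosts never appear as a DNS query.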
4.2.9 Derived MAC Detection/Alerting Test
Description: Tests the Derived MAC feature of the Flytrap.
Setup: plan/assign a Mission to a Flytrap with abc@def.com as a Target and
Session Timeout = 5 minutes. Set other parameters as in 4.2.1.
Run: from the Client Computer, generate an Alert for abc@def.com (perform a
Google search for abc@def.com). Then, unplug/disconnect the Client Computer
from the Flytrap for at least 5 minutes. Then, replug/connect the Client Computer
to the Flytrap and generate a little network traffic.
Pass/Fail: the test passes if a Derived MAC Alert occurs for the Client
Computer’s MAC address shortly after (~10 seconds) it is reconnected to the
Flytrap.
4.2.10 Email/Chat Target Action Inheritance Test
Description: Tests the Action Inheritance logic of the Flytrap. See the Cherry
Blossom User’s Manual for a detailed discussion of Action Inheritance.
Setup: plan/assign a Mission to a Flytrap with abc@def.com as a Target with a
Redirect Action, smith_test2@hotmail.com with a Copy Action with a 1 minute
timeout, and smith_test4@gawab.com with a Copy Action with a 1 minute
timeout. Set other parameters as in 4.2.1.
Run: from the Client Computer, generate an Alert for abc@def.com (perform a
Google search for abc@def.com). Then go to a root web page (e.g., asdf.com).
Client Computer’s browser should be redirected to slashdot.org. Then, from the
Client Computer, generate an Alert for smith_test2@hotmail.com. Then surf the
internet for at least 1 minute. Then, from the Client Computer, generate an Alert
for smith_test4@gawab.com. Then surf the internet for at least 1 minute.