Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
Elsa User Manual.doc
13
SECRET//NOFORN
4.2.17 (U) CONFIG option WifiRssiThreshold
(S) The ITHRESHOLD parameter is used during the decision to record a new data point.
If the wifi observations BSSIDs and MAC address are the same then this parameter
determines, if the new observation will be recorded. For a matching access point sets the
algoritm identifies at the largest magnitude difference between the signal strengths, if it is
greater than ITHRESHOLD the record is saved.
4.2.18 (U) CONFIG option WifiSaveAllSurveys
(S) This option controls the wifi observation storage behavior. The default operation of
Elsa is to delete wifi observations when a geolocation coordinate is obtained by the
location provider. This is a space saving measure. Setting this option to true will result in
Elsa saving all wifi observations until the DataFileMaximumSizeKB limit is reached.
4.2.19 (U) CONFIG option GeoProvider
(S) This option specifies the 3
rd
party database to use when resolving wifi observations.
The valid settings are as follows:
Setting Description
none This disables the geolocation query in the tool. This can be useful if the
tool must be installed on a machine with an aggressive AV or aggressive
network defense team. The collection file would only contain the wifi
observations and the operator uses the PROCESSOR to query the 3
rd
party
geolocation database.
google This settings configures the tool to query google location services for
geolocation coordinates.
microsoft This setting configures the tool to query microsoft location services for
geolocation coordinates.
Figure 11 - (S) Elsa location provider settings
4.2.20 (U) CONFIG option ClientID
(S) The CLIENTID parameter should be a four-digit unsigned hexadecimal number that
will serve as the unique, operationally assigned ID number for the client. The default
value is 5555 and is required.