Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
Elsa User Manual.doc
SECRET//NOFORN
3. (U) System Description
(S) As described above, Elsa is a software system designed to provide COG pattern of
life geolocation information. The major component is the Windows DLL (tool), which is
used in the target environment. The minor components are the configuration tool
(patcher) and the post processor (processor), which are used in deployment,
configuration, and operation.
(S) The following steps describe the typical usage of Elsa.
1. Assess the target for the desired frequency of geolocation data points based on the
likely operational access opportunities.
2. Use the patcher to set the geolocation interval and data store file size.
3. Deploy the tool.
4. Recontact the target and download the collection log.
5. Run the post processor to decrypt the log for analysis.
3.1 Technical References
Directory        Filename                      Note(s)
server/windows   patcher.exe                   Windows Config Tool
server/windows   processor.exe                 Windows Decryption Tool
server/windows   tool-x64.dll                  Windows x64 implant
server/windows   tool-x86.dll                  Windows x86 implant
server/windows   installDllMain.vbs            VBScript file illustrating optional placement of the Elsa task in the Task Scheduler
server/windows   uninstallDllMain.vbs          VBScript file illustrating optional removal of the Elsa task from the Task Scheduler
server/windows   sha1-windows-images.txt       Sha1 hashes of files in the distribution
server/windows   classifications-windows.txt   Classifications of files in the distribution
docs             Elsa User Manual.pdf          This manual
Figure 2 - (S) Listing of files included with the Elsa distribution
3.2 (U) System Concepts and Capabilities
(S) An operations officer must have a broad understanding of the Windows command
line interfaces, wired and wireless computer networking, and Windows system
administration. The officer must be familiar with Asset, Supply Chain, or Remote
Operations tools and procedures.
3.3 (S) DLL Injection
(S) The Elsa client is designed to be injected into an existing process on the system. It is
delivered in the form of a DLL. As such, it is important that the 32-bit and 64-bit versions
of the DLL be run on the matching 32-bit and 64-bit versions of Windows.
(S) Some Anti-Virus (AV) suites protect critical system processes such as
SERVICES.EXE and WINLOGON.EXE from the DLL injection technique used in ELSA