Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//NOFORN
5. (U) Known PSP issues
(S) Symantec Endpoint
    o LACHESIS Execution Vector Only: On autorun, generates popup stating
      the autorun functionality has been blocked when configured to disable
      autorun from removable media
Avira Internet Security
    o LACHESIS Execution Vector Only: On autorun, generates popup stating
      the autorun functionality has been blocked when configured to disable
      autorun from removable media
BitDefender Total Security
    o ALL Execution Vectors: Generates popup stating a malicious application
      has been blocked and quarantined or blocked and deleted
Rising Antivirus
    o Prevents Launch EXE from Disk payload deployment: Generates popup
      blocking the execution of an executable from disk
6. (U) Drifting Deadline Configurator Help
6.1 (U) Execution Vector Configuration
(S) The execution vector module controls how the tool is executed. Each execution vector
may have its own configuration. For instance, the EZCheese LinkFile execution vector
gains execution through Giraffe Links (simply viewing the .lnk files in Windows Explorer
will launch the tool), and thus requires the user to input information about these linkfiles
and the corresponding DLLs that the linkfiles launch.
(S) Currently BK supports 4 execution vectors: EZC, LACH, RVRJ, and none. EZC and
LACH both rely on linkfiles to gain execution:
(S) The .lnk file(s) must be viewed in Windows Explorer, and the tool will be auto-executed
without any further input. "None" simply means the executable must be double-clicked
by the end-user for the tool to launch.
6.1.1 (U) EZCheese LinkFiles (Giraffe Links)
(S) Target OS: (Currently Patched as of 3/2015) Windows XP SP3, Windows Vista,
Windows 7, Windows 8
(S) Additional requirements: Drive MUST be Removable.
(S) How it works: The EZCheese LinkFile exploit causes execution as soon as the link
file is viewed in Explorer (LinkFiles can NOT be hidden). This linkfile vulnerability has
been patched, however, so it's recommended to use another execution vector unless your
target is unpatched.
6.1.1.1 (U) EZCheese Target DLL Config
(S) Architecture: Specify the DLL architecture (x86 / x64). Multiple link files can point
to the same DLL, so at most you will need one x64 DLL and one x86 DLL.
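
For defenders triaging removable media, the layout that sections 6.1 and 6.1.1.1 describe (link files on a removable drive together with the x86 / x64 DLLs they launch) can be checked by file content instead of by extension. The following is an added example, not part of the leaked document or of the tool it describes; the function names are hypothetical, and a hit is only a heuristic (shortcut files stored beside PE images) that still needs analyst review.

```python
import os
import struct

# Shell Link header (MS-SHLLINK): HeaderSize 0x4C followed by the LinkCLSID.
LNK_MAGIC = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000c000000000000046")
PE_MACHINES = {0x014C: "x86", 0x8664: "x64"}  # IMAGE_FILE_MACHINE_I386 / _AMD64

def is_shell_link(path):
    """True when the file starts with a Shell Link header, whatever its extension."""
    with open(path, "rb") as f:
        return f.read(20) == LNK_MAGIC

def pe_machine(path):
    """Return 'x86', 'x64' or 'other' for a PE image, None when the file is not a PE."""
    with open(path, "rb") as f:
        head = f.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return None
        (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)  # offset of the PE header
        f.seek(e_lfanew)
        sig = f.read(6)
    if len(sig) < 6 or sig[:4] != b"PE\0\0":
        return None
    return PE_MACHINES.get(struct.unpack_from("<H", sig, 4)[0], "other")

def triage_volume(root):
    """Walk a mounted volume; report directories holding link files beside PE images."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        links, images = [], {}
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            try:
                if is_shell_link(full):
                    links.append(name)
                else:
                    arch = pe_machine(full)
                    if arch:
                        images[name] = arch
            except OSError:
                continue  # unreadable file: skip it, do not abort the sweep
        if links and images:
            findings.append({"dir": os.path.relpath(dirpath, root),
                             "links": links, "images": images})
    return findings

if __name__ == "__main__":
    import sys
    for hit in triage_volume(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit)
```

Run it against a read-only mount or a forensic image of the drive, not a live volume opened in Explorer.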