Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

Elsa User Manual.doc
19
SECRET//NOFORN
(S) The ELSA dll can be renamed without losing its functionality, although certain install
methods such as DllHost may require the operator to also rename the install scripts to match
the ELSA dll. The dll name can also be specified through the PATCHER tool as
described above. The dll has no strings in it that would give away its true purpose. The
process of patching changes hard-coded bytes in the binary, which changes the binary's
SHA1 hash. The operator should track file hashes for deployed tools.
(S) ELSA does not hide its host process or file. A user watching the process list can
see the host process running. This can be mitigated by renaming the dll with an
inconspicuous name. Using SvcHost, DllHost, or AppInit installation can reduce the
visibility of the program in the process list.
(S) The Elsa dll image and log file reside on disk and hence persist across reboots.
However, whether or not the Elsa dll runs persistently depends upon how it was installed. The
SvcHost, DllHost and AppInit installation modes will cause Elsa to run across reboots.
The Rundll32 mode will not.
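The two registry-backed persistence modes named above (AppInit and SvcHost) can be inventoried from the defender's side. The script below is an added example, not part of the Elsa manual or toolset: it lists the DLLs registered in AppInit_DLLs and in svchost ServiceDll entries, records each file's SHA1, and diffs against a baseline so that a renamed or re-patched DLL, whose hash no longer matches, is reported. It assumes it is run elevated, and $BaselinePath is a hypothetical location chosen for this example.

```powershell
# Added defender-side inventory; not from the ELSA manual.
# Assumptions: run elevated; $BaselinePath is a hypothetical path for the stored baseline.
param([string]$BaselinePath = 'C:\ir\dll-baseline.csv')

function Get-DllRecord([string]$Mode, [string]$Source, [string]$RawPath) {
    # ServiceDll values are usually stored with %SystemRoot%; expand before hashing.
    $path = [Environment]::ExpandEnvironmentVariables($RawPath.Trim('"'))
    $hash = if (Test-Path -LiteralPath $path) {
        (Get-FileHash -LiteralPath $path -Algorithm SHA1).Hash
    } else { 'MISSING' }
    [pscustomobject]@{ Mode = $Mode; Source = $Source; Path = $path; SHA1 = $hash }
}

$current = @()

# AppInit_DLLs (native and WOW64 views); only honoured when LoadAppInit_DLLs is 1.
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows') {
    if (-not (Test-Path $key)) { continue }
    $v = Get-ItemProperty -Path $key
    foreach ($dll in ([string]$v.AppInit_DLLs -split '[ ,]+' | Where-Object { $_ })) {
        $current += Get-DllRecord 'AppInit' "$key (LoadAppInit_DLLs=$($v.LoadAppInit_DLLs))" $dll
    }
}

# svchost-hosted services name the DLL they load in Parameters\ServiceDll.
foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
    $params = Join-Path $svc.PSPath 'Parameters'
    if (-not (Test-Path $params)) { continue }
    $dll = (Get-ItemProperty -Path $params -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) { $current += Get-DllRecord 'SvcHost' $svc.PSChildName $dll }
}

# Diff against the previous run: a new path or a changed hash is exactly what
# renaming or re-patching a DLL produces.
if (Test-Path $BaselinePath) {
    $baseline = @{}
    Import-Csv $BaselinePath | ForEach-Object { $baseline[$_.Path] = $_.SHA1 }
    foreach ($r in $current) {
        if (-not $baseline.ContainsKey($r.Path)) {
            Write-Warning "NEW     [$($r.Mode)] $($r.Source): $($r.Path)"
        } elseif ($baseline[$r.Path] -ne $r.SHA1) {
            Write-Warning "CHANGED [$($r.Mode)] $($r.Source): $($r.Path)"
        }
    }
}
$current | Export-Csv -NoTypeInformation -Path $BaselinePath
```

The first run only writes the baseline; subsequent runs warn on every DLL that was not present before or whose SHA1 differs from the recorded one.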
7. (S) Exfiltration
(S) Elsa currently makes no provisions for automatically beaconing or exfiltrating
collected data off of the target machine. Therefore the operator must extract the Elsa log
file from the target machine through other means.
(S) It is safe (and generally preferable for space savings) to completely remove the Elsa
log file; Elsa will detect its absence and create a new one in its place. It is best practice to
stop Elsa prior to removing the file, especially if the file removal process will be slow.
However, simply copying and deleting the file while Elsa runs has not caused problems
during testing.
(S) In installations where log files rapidly reach their configured size limit it may be
necessary to remove the Elsa file quite regularly to avoid data loss.
8. (U) Processing
(S) Exfiltrated data is symmetrically encrypted and must be processed using the processor
tool. This tool has two main functions:
1) Decrypting raw log files generated by Elsa into XML files
2) Resolving lists of wifi access point metadata into geolocations, using the -l <provider> flag
(S) The second step of resolving wifi data into geolocations may have already been
performed by Elsa on the target machine if Elsa was configured that way and had access
to the Internet. Even in that case the operator can re-geolocate saved wifi data from the
processor tool, for example to cross-reference geolocation information returned from