Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//20350112
7 (U) Target Handling
(S) This section describes the details of Target handling, which includes the fundamental
CB functions of Target detection, alerting, monitoring, and exploitation through Target
Actions. As this is a fundamental and somewhat complex CB capability, an entire section
is devoted to it.
7.1 (U) Primitive and Derived Targets
(S) Targets can be classified into two major categories: Primitive and Derived. Primitive
Targets are Targets that have been entered into the system by a CB operator (see 9.11.1).
These include (primitive) MAC addresses, email addresses, chat usernames, and VoIP
numbers. Derived Targets are MAC addresses that are “derived” from a Target
computer/device that generates an email, chat, or VoIP Target detection. Derived MAC
Targets are automatically inserted into the system as the result of a Target email, chat, or
VoIP detection. On CherryWeb, Derived MAC Targets will typically display as a MAC
address with “(derived)” printed next to it.
7.2 (U) Target Decks
(S) A Target Deck is simply a grouping of Targets. Target Decks are created using
CherryWeb. Target Decks are then added to Missions. A Target Deck can also be edited
after creation, and when this happens, Missions containing the edited Target Deck
automatically update to a new revision. This new Mission revision is then automatically
assigned to each Flytrap executing this Mission. The previous Mission version is
automatically archived. See 9.11.2 and 9.17 for detailed information on creating and
editing Target Decks.
7.3 (U) Target Detection
(S) The first step in Target handling is Target detection. Upon receipt of a Mission, the
Flytrap begins filtering network traffic for Target email addresses, chat users, VoIP
numbers, and (primitive) MAC addresses (see 7.1). The Mission can specify whether to search
traffic on all ports, or only on port 80 (HTTP) and common chat ports. The Mission can
likewise specify whether to search traffic on all protocols, or only TCP.
(S) Because Targets are hashed in the Mission, the Flytrap implant must parse likely
email addresses/chat users/VoIP numbers out of network traffic, and then compare the
hashes of these emails/chat users/VoIP numbers to the hashed emails/chat users/VoIP
numbers in the Mission's Target list. Similarly, MAC addresses are also hashed in the
Mission, so the Flytrap implant must take client MAC addresses from the link-layer
headers of the network traffic packets, compute their hashes, and compare those to the hashed
MAC addresses in the Mission's Target list.
(S) The entire search process for email, chat users, and VoIP numbers is discussed in
more detail in Section 15.4.
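The following is an added example and not code from the CherryBlossom manual or the Flytrap implant. It models the hashed Target matching described in 7.3 and the Derived MAC insertion described in 7.1 in one place: a Mission that carries only hashes, a frame inspector that pulls the client MAC from the link-layer header and candidate email addresses from the payload, hashes both, compares them to the Mission, and promotes the sending MAC to a Derived Target on an email detection. The manual states none of the following, so they are assumptions of this example: the hash (SHA-256 truncated to 8 bytes), lower-casing of identifiers before hashing, the specific "common chat ports", and that port/protocol scoping decides whether a frame is examined at all. The traffic is constructed; only email parsing is modelled, since chat and VoIP parsing belong to Section 15.4.

```python
"""Added example, not code from the CherryBlossom manual or the Flytrap implant.
Models the hashed Target matching of section 7.3 and the Derived-MAC insertion
of section 7.1.  Assumptions (the manual states none of these): the hash is
SHA-256 truncated to 8 bytes, identifiers are lower-cased before hashing, the
"common chat ports" are XMPP/MSNP/Yahoo, and port/protocol scoping decides
whether a frame is examined at all.  All traffic below is constructed."""
import hashlib
import re
import struct

CHAT_PORTS = {5222, 1863, 5050}  # assumption: XMPP, MSNP, Yahoo Messenger
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def target_hash(identifier: str) -> bytes:
    """Hash of an email/chat/VoIP identifier as carried in the Mission (assumed form)."""
    return hashlib.sha256(identifier.strip().lower().encode()).digest()[:8]


def mac_hash(mac: bytes) -> bytes:
    return hashlib.sha256(mac).digest()[:8]


def parse_mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", "").replace("-", ""))


def fmt_mac(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def build_mission(identifiers, macs, all_ports=False, tcp_only=True):
    """Operator side: Primitive Targets enter the Mission as hashes only (7.3).
    derived_macs holds MACs promoted to Derived Targets by a detection (7.1)."""
    return {
        "id_hashes": {target_hash(i) for i in identifiers},
        "mac_hashes": {mac_hash(parse_mac(m)) for m in macs},
        "all_ports": all_ports,
        "tcp_only": tcp_only,
        "derived_macs": set(),
    }


def make_frame(src_mac: str, dport: int, payload: bytes, proto: int = 6) -> bytes:
    """Constructed Ethernet/IPv4/TCP-or-UDP frame with minimal headers (no checksums)."""
    eth = b"\xff" * 6 + parse_mac(src_mac) + b"\x08\x00"
    if proto == 6:   # TCP: 20-byte header, data offset 5
        l4 = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    else:            # UDP
        l4 = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0,
                     64, proto, 0, bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    return eth + ip + l4 + payload


def inspect_frame(mission, frame: bytes):
    """Flytrap side: returns the Target hits for one frame and records Derived MACs."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return []                                  # IPv4 only in this model
    src_mac = frame[6:12]                          # client MAC from the link-layer header
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    if mission["tcp_only"] and proto != 6:
        return []
    l4 = frame[14 + ihl:]
    dport = struct.unpack("!H", l4[2:4])[0]
    if proto == 6:
        payload = l4[(l4[12] >> 4) * 4:]
    elif proto == 17:
        payload = l4[8:]
    else:
        return []
    if not mission["all_ports"] and dport != 80 and dport not in CHAT_PORTS:
        return []

    hits = []
    if mac_hash(src_mac) in mission["mac_hashes"]:
        hits.append(("mac", fmt_mac(src_mac)))
    elif src_mac in mission["derived_macs"]:
        hits.append(("mac (derived)", fmt_mac(src_mac)))   # CherryWeb shows "(derived)"

    # Parse likely identifiers out of the payload, hash each, compare to the Mission.
    for m in EMAIL_RE.finditer(payload):
        h = target_hash(m.group().decode("ascii", "replace"))
        if h in mission["id_hashes"]:
            hits.append(("email", h.hex()))
            mission["derived_macs"].add(src_mac)   # 7.1: detection promotes the sender's MAC
    return hits


def demo():
    mission = build_mission(["Alice@Example.net"], ["00:11:22:33:44:55"])
    traffic = [
        make_frame("66:77:88:99:aa:bb", 80, b"GET /login?user=alice@example.net HTTP/1.1\r\n"),
        make_frame("66:77:88:99:aa:bb", 80, b"GET /index.html HTTP/1.1\r\n"),
        make_frame("00:11:22:33:44:55", 80, b"GET / HTTP/1.1\r\n"),
        make_frame("de:ad:be:ef:00:01", 80, b"GET /?u=bob@example.net HTTP/1.1\r\n"),
        make_frame("66:77:88:99:aa:bb", 5222, b"<auth>alice@example.net</auth>", proto=17),
    ]
    return [inspect_frame(mission, f) for f in traffic]


if __name__ == "__main__":
    for hits in demo():
        print(hits)
```

Running the demo shows the sequence the text describes: the first frame produces an email hit and silently promotes 66:77:88:99:aa:bb to a Derived MAC Target, so the second frame from that station is reported as "mac (derived)" even though its payload contains nothing of interest; the primitive MAC in frame three is matched straight from the Ethernet header; frame four matches nothing; and frame five is never examined because the Mission is TCP-only. Two caveats a practitioner should keep in mind when building or analysing such a design: normalisation must be identical on the operator side and on the implant, or Targets silently fail to match; and hashing low-entropy identifiers offers little confidentiality, since a 48-bit MAC (2^24 values per OUI) or an email address from a wordlist can be brute-forced offline by anyone who recovers a Mission from a device, regardless of the hash chosen.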