Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

Elsa User Manual.doc
SECRET//NOFORN
4. (U) Preparation
(S) Prior to deciding to use ELSA it is worth making an assessment of how likely the
target machine is to (1) have wifi turned on, (2) be near wifi access points and (3) be in a
region where Google or Microsoft have high quality wifi databases. All three elements
are required for Elsa to succeed. See the above 'Background on Wifi-based Geolocation'
for suggestions on evaluating the third item.
(S) Operation of ELSA involves using the PATCHER wizard to create an ELSA implant.
Once ELSA is deployed and running the data file can be collected. The PROCESSOR is
then used to decrypt the data file. The PROCESSOR can then be used to resolve any
unresolved access point lists contained in the decrypted data file.
(S) The ELSA software system is delivered in two sets of zip files with embedded hash
files containing the project name, version, and algorithm used to calculate the hash:
    elsa-v1.0.0-docs.zip
        o sha1-windows.txt
    elsa-v1.0.0-windows.zip
        o sha1-windows-images.txt
(S) After extracting the files from the zipped archives, the file hashes should be verified
against the hashes in the distribution to confirm that the media has not been corrupted. The
project version printed in the hash file should also be checked to validate that the distribution
is the current version approved for operational use. Note that the hashes in these text files
should be used in favor of the hashes in this manual, which may be out of date.
file: sha1-windows-images.txt
project: elsa
version: 1.0.0
date: 2012-06-14 13:41:04
description: elsa hashes calculated using the SHA1 algorithm.
patcher.exe: 9b416af5178830a79f07f68b10f6ea7b8c18a7c0
tool-x64.dll: 250e9e11a5416f1fa477c2736e54bcf3c3b8b202
tool-x86.dll: 2914b324b926b1f9fdf854749a7d6df169773d4b
processor.exe: 313babc073b6d7981649f985f54d6ea7a7a11c6e
addtask.vbs: c1af8b9f6191236c8bc69f04e01dfc7d84b4fa5e
Figure 3 - (S) SHA1 Hash File Format
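The check described above (file hashes plus the version field) can be done mechanically against the Figure 3 layout, and the same parser lets an analyst match recovered files against a published hash file. This is an added example, not code from the manual or the ELSA distribution; the function names, the sample file names and their contents are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

HEADER_KEYS = {"file", "project", "version", "date", "description"}
SHA1_HEX = re.compile(r"[0-9a-f]{40}")

def parse_manifest(text):
    """Split a Figure 3 style hash file into (header, {filename: sha1})."""
    header, hashes = {}, {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key in HEADER_KEYS:
            header[key] = value
        elif SHA1_HEX.fullmatch(value.lower()) and Path(key).name == key:
            hashes[key] = value.lower()
        else:  # bad digest, or a name that would escape the directory
            raise ValueError(f"bad manifest entry: {line!r}")
    return header, hashes

def sha1_of(path):
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify(manifest_text, directory, approved_version):
    """Return (version_ok, {filename: 'ok' | 'mismatch' | 'missing'})."""
    header, hashes = parse_manifest(manifest_text)
    status = {}
    for name, expected in hashes.items():
        path = Path(directory) / name
        if not path.is_file():
            status[name] = "missing"
        else:
            status[name] = "ok" if sha1_of(path) == expected else "mismatch"
    return header.get("version") == approved_version, status

def demo():
    """Constructed sample: placeholder files, one altered after hashing."""
    with tempfile.TemporaryDirectory() as tmp:
        lines = ["file: sha1-sample.txt", "project: sample", "version: 1.0.0",
                 "date: 2012-06-14 13:41:04", "description: constructed sample"]
        for name, data in {"a.bin": b"alpha", "b.bin": b"bravo"}.items():
            Path(tmp, name).write_bytes(data)
            lines.append(f"{name}: {hashlib.sha1(data).hexdigest()}")
        lines.append("c.bin: " + "0" * 40)        # listed, never written
        Path(tmp, "b.bin").write_bytes(b"bravo!")  # simulate corruption
        return verify("\n".join(lines), tmp, "1.0.0")
```

A hash file shipped inside the same archive as the files it lists detects corruption, as the manual states, but not substitution by anyone able to rewrite both.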
(S) At this point the user is ready to configure Elsa for deployment using the PATCHER
tool. The user will need to be prepared to specify:
1) The target machine's architecture (x86 vs. x64)
2) The desired mode (dllhost, svchost, rundll32 or appinit – See Deployment below)
3) The desired geo provider (microsoft / google)
