Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//20350112
11.2 (S) Known Target with Personal Computer/PDA/802.11 Device

(S) This is the use case for which the system was originally devised. A Target has a known email/chat/MAC address and is suspected to gain wireless internet access in an area where Flytraps have been deployed. It is desired to know when that Target has connected to a Flytrap, whether they are still actively using the network, and potentially to direct exploits at the Target’s Computer/PDA/802.11 device.

(S) Here we assume that any of the features/Actions can be assigned to a Flytrap (i.e., the “comfort level” of 11.1 has been achieved). If the primary goal is to know the approximate whereabouts of the Target in real time, then a (small) “Target Monitor Interval” should be configured. The “Session Timeout” parameter should be set to a value that is around what is thought to be the Target’s approximate time of use of the Flytrap. Note that if a Target generates an email/chat Alert, then generates no traffic for “Session Timeout”, and then generates more traffic, a Derived MAC Alert will be sent and Target Monitoring will occur. This is probably desirable behavior in this use case, so long as Derived MAC Alerts are not sent too frequently.

(S) If the Target is known to roam the area, there are multiple Flytraps in the area, and the Target has already generated an email/chat Alert, then it may be a good idea to make the “derived” MAC address associated with the Alert into a “primitive” MAC address (i.e., define a new “primitive” MAC Target from the “derived” MAC address as in 7.1). Then create a new Mission (from the previous Mission that generated the email/chat Alert) and add this primitive MAC Target, assigning any Target Actions as appropriate. Then assign this new Mission to all Flytraps in the area.

(S) If another goal is to gather Target network traffic for further analysis, then a Copy action should be assigned; the Copy timeout should be chosen relative to the “comfort level”. Note that once a Copy has timed out for a particular Target, data from that Target’s client MAC address will not be copied from that Flytrap until a new Mission is assigned and retrieved by the Flytrap (see 7.7).

(S) If another goal is to direct browser exploits at the Target’s device, then a Windex exploit (see 9.11.2) should be configured.
11.3 (S) Multi-user Terminal/Computer with Target and Non-Target Users

(S) This use case differs from that of 11.2 in one major respect: the “client MAC” address can no longer be used as a way to detect/identify a Target. There may be times when the Target is actually using the MAC address, and other times when a non-Target will be using this same MAC address.

(S) Target Monitoring probably doesn’t make sense in this case (i.e., set “Target Monitor Interval” to 0); there is no real way to detect whether the “Session Active” is actually related to the Target or to a non-Target. One could check the age of the original Target Alert and judge the likelihood that the Target would still be using the terminal. The “Session Timeout” parameter should be set to a value that is around what is thought to be