Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
Elsa User Manual.doc
33
SECRET//NOFORN
    present in these results. Hence it appears to indicate that Microsoft's database does not contain the provided wifi data.

11  'TFRTIgp9Cg==' in google location results
    • This decodes to 'LTS"\n}\n', which is the end of Google's 'NO RESULTS' message. It occurs when Google has no results in its database for the submitted access points. Future versions of Elsa will communicate this more clearly in the results.

12  Valid lat/lons accompanied by high (poor) accuracy values
    • Check whether the latitude and longitude fields contain valid results. If not, see 'Alphanumeric (base64 encoded) values in geolocation results'.
    • If a lat/lon is present then Elsa successfully queried the provider, and the poor accuracy indicates that the provider's database does not contain an accurate geo for the given AP list. Sometimes Microsoft will fall back to basic (inaccurate) IP-based geolocation in these cases.

13  Log file keeps appearing after uninstall
    • Check which process is loading the dll using: tasklist /m <elsa dll name>
      Use the uninstall procedures above to prevent that process from loading the dll again, then restart that process.

14  net start or sc start commands fail with error 1060
    • Error 1060 is ERROR_SERVICE_DOES_NOT_EXIST (the service is not installed); the checks below cover the usual causes.
    • Check that the platform architecture matches the patcher -p option using: wmic cpu get description
    • Check that the platform architecture of the host process matches the target computer, e.g. a 32-bit Taper on x64 Windows. If they do not match (as in that example), install using the sysnative alias, which lets a 32-bit process reach the native 64-bit system32 rather than the redirected SysWOW64 copy:
      %windir%\sysnative\regsvr32.exe /s %windir%\elsax64.dll
    • Move the dll to a directory other than C:\Windows\system32

15  wlansvc or eaphost services not running
    • Configure the services as follows:
      sc config eaphost start= demand
      sc config wlansvc start= demand
12.3 (U) Interpreting Errors in ELSA xml files
(S) If Elsa is able to transmit a wifi geolocation query, it will attempt to parse whatever response it receives into a geolocation. If it cannot find a geolocation in the response, it base64-encodes the region of the response where the geolocation usually appears and places that in the geolocation field for offline analysis. You can use Python's base64.b64decode to inspect the contents of these fields.
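The following script is an added example of the offline triage described in this section and in rows 11 and 12 of the troubleshooting table; it is not Elsa's own code or output. It walks a constructed Elsa-style XML document, separates records that carry a valid lat/lon from records whose geolocation field holds a base64 blob, decodes the blobs with base64.b64decode, flags the Google 'NO RESULTS' tail, and marks valid fixes with a large accuracy value. The element names (result, latitude, longitude, accuracy, geolocation), the provider attribute, the poor-accuracy threshold and the sample records are all assumptions: the manual does not show Elsa's XML schema or give an accuracy cut-off.

```python
"""Triage of Elsa geolocation results (added example; not Elsa's own code).

Assumed schema, since the manual does not show Elsa's XML: each query is a
<result> element with a provider attribute and optional <latitude>,
<longitude>, <accuracy> and <geolocation> children.
"""
import base64
import binascii
import xml.etree.ElementTree as ET

# Row 11 of the troubleshooting table: 'TFRTIgp9Cg==' decodes to this tail of
# Google's 'NO RESULTS' reply.
GOOGLE_NO_RESULTS_TEXT = 'LTS"\n}\n'

# Assumption: radius above which a fix counts as "high (poor)" accuracy
# (row 12). The manual gives no threshold; tune for your collection.
POOR_ACCURACY_THRESHOLD = 1000.0

# Constructed sample document. The last blob is base64 of '{"status":"error"}'
# and stands in for any response Elsa could not turn into a geolocation.
SAMPLE_XML = """<results>
  <result provider="google"><latitude>37.4221</latitude><longitude>-122.0841</longitude><accuracy>25</accuracy></result>
  <result provider="google"><geolocation>TFRTIgp9Cg==</geolocation></result>
  <result provider="microsoft"><latitude>37.40</latitude><longitude>-122.10</longitude><accuracy>50000</accuracy></result>
  <result provider="microsoft"><geolocation>eyJzdGF0dXMiOiJlcnJvciJ9</geolocation></result>
</results>"""


def decode_geolocation_field(value):
    """Return the decoded text of a base64 geolocation field, or None if the
    field is empty or not valid base64 (section 12.3: Elsa stores the raw
    response region base64-encoded when it cannot parse a geolocation)."""
    if value is None or not value.strip():
        return None
    try:
        raw = base64.b64decode(value.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")


def parse_latlon(lat_text, lon_text):
    """Return (lat, lon) as floats if both parse and are in range, else None."""
    try:
        lat, lon = float(lat_text), float(lon_text)
    except (TypeError, ValueError):
        return None
    if -90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0:
        return (lat, lon)
    return None


def classify_result(lat_text, lon_text, accuracy_text, geolocation_text):
    """Map one result onto the manual's troubleshooting rows.

    Returns (tag, decoded_blob) where tag is one of:
      ok                 valid lat/lon with an acceptable accuracy
      poor-accuracy      valid lat/lon but a large radius: the provider has no
                         accurate geo for these APs, possibly IP fallback (row 12)
      google-no-results  blob ends with Google's 'NO RESULTS' tail (row 11)
      unparsed-response  some other blob, kept for offline analysis (12.3)
      empty              nothing usable in the record
    """
    if parse_latlon(lat_text, lon_text) is not None:
        try:
            accuracy = float(accuracy_text)
        except (TypeError, ValueError):
            accuracy = None
        if accuracy is not None and accuracy > POOR_ACCURACY_THRESHOLD:
            return ("poor-accuracy", None)
        return ("ok", None)
    decoded = decode_geolocation_field(geolocation_text)
    if decoded is None:
        return ("empty", None)
    if decoded.endswith(GOOGLE_NO_RESULTS_TEXT):
        return ("google-no-results", decoded)
    return ("unparsed-response", decoded)


def _child_text(element, tag):
    child = element.find(tag)
    return None if child is None else (child.text or "")


def triage_xml(xml_text):
    """Classify every <result> in an Elsa-style XML document (assumed schema).
    Returns a list of (provider, tag, decoded_blob) tuples."""
    root = ET.fromstring(xml_text)
    rows = []
    for res in root.iter("result"):
        tag, decoded = classify_result(
            _child_text(res, "latitude"),
            _child_text(res, "longitude"),
            _child_text(res, "accuracy"),
            _child_text(res, "geolocation"),
        )
        rows.append((res.get("provider", "?"), tag, decoded))
    return rows


if __name__ == "__main__":
    for provider, tag, decoded in triage_xml(SAMPLE_XML):
        print(f"{provider:<10} {tag:<18} {decoded!r}")
```

The 'NO RESULTS' check uses endswith rather than equality because the manual says Elsa encodes the region of the response where a geolocation usually appears, so a future build may capture more than the 'LTS"\n}\n' tail. Anything that is neither a valid coordinate pair nor a recognised tail is returned decoded so the analyst can read the provider's actual reply.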