Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
6.1.2.3 (U) Lachesis Link File Config
(S) Link File Name: The name of the link file that will be created. The link file will be
written to the directory specified by "Link Files Directory" in the Lachesis Execution
Vector Config option.
(S) Link Target Head: The head of the link target (could be a drive letter or hard disk
partition number or even UNC path). You can specify potential drive letters, such as
"E:\", "F:\", "G:\" OR you can specify potential physical devices such as
"\\PhysicalDrive1", "\\PhysicalDrive2", "\\PhysicalDrive3", etc.
6.1.3 (U) RiverJack LinkFiles (Okabi Links)
(S) Target OS: Windows 7, Windows 8, Windows 8.1
(S) Additional requirements: Okabi LinkFiles cannot link directly to the specific drive,
so you will need to provide educated guesses as to which drive letter the thumbdrive
will be mounted on. Theoretically, you could create linkfiles for every drive letter to
guarantee execution. However, realistically, you can immediately eliminate drive letters
such as "A:\", "B:\"... And assuming the OS is installed on C:\, then ideally you may just
want to create link files for D:\, E:\, F:\, and MAYBE G:\. PhysicalDriveXX targets do not
work with RiverJack as they do with Lachesis.
(S) TLDR: Can't directly link to a thumbdrive, must use drive letters; Must provide
educated guesses as to how the drive will show up in the target system; Shouldn’t be too
much of an issue since the links are all hidden.
(S) How it works: The LinkFiles exploit uses the library-ms functionality to gain
execution. Through RiverJack, you configure the name and path of the library-ms
junction, which subsequently points to the link files, which point to the target DLLs.
Therefore, the link files themselves do NOT need to be viewed in explorer and can be
made hidden/system in whatever directory structure desired. However, the library
junction MUST be viewable. Execution will not occur until this directory is viewed in
explorer.
6.1.3.1 (U) RiverJack Execution Vector Config
(S) Link Files Directory: Relative path, from the root of the thumbdrive, where the
link files are to be written.
(S) Pro Tip: Specify a hidden directory such as "System Volume Information" or another
directory where the user doesn't have access or is unlikely to navigate, to prevent
discovery.
6.1.3.2 (U) RiverJack Target DLL Config
(S) Architecture: Specify the DLL architecture (x86 / x64). Multiple link files can point
to the same DLL, so at most you will need one x64 DLL and one x86 DLL.
(S) DLL Path: The relative path and file name for the execution DLL. This DLL can be
hidden/system, and buried down in the folder structure (executed by linkfile).
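
From a defender's side, the layout described above (a visible library-ms file, link files and DLLs marked hidden/system, possibly under "System Volume Information") can be checked for when triaging a removable volume. The following is an added example, not part of the original document; the function names, finding strings and sample listing are assumptions of this example.

```python
import os
import sys

# Win32 file attribute bits, as exposed in os.stat().st_file_attributes.
HIDDEN, SYSTEM = 0x2, 0x4

def classify(rel_path, attrs):
    """Return the findings for one file, given its path relative to the
    volume root and its Windows attribute bits."""
    parts = rel_path.replace("\\", "/").lower().split("/")
    ext = os.path.splitext(parts[-1])[1]
    concealed = bool(attrs & (HIDDEN | SYSTEM))
    findings = []
    if ext == ".library-ms":
        findings.append("library-ms file on removable media")
    if ext == ".lnk" and concealed:
        findings.append("hidden/system link file")
    if ext == ".lnk" and "system volume information" in parts[:-1]:
        findings.append("link file under System Volume Information")
    if ext == ".dll" and concealed:
        findings.append("hidden/system DLL")
    return findings

def scan(root):
    """Walk a mounted volume; return {relative path: findings}."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):  # unreadable dirs are skipped
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            # st_file_attributes exists on Windows only; 0 elsewhere.
            attrs = getattr(st, "st_file_attributes", 0)
            rel = os.path.relpath(full, root)
            found = classify(rel, attrs)
            if found:
                report[rel] = found
    return report

# Constructed sample listing (path, attribute bits), not taken from a real drive.
SAMPLE = [("Photos.library-ms", 0x20), ("System Volume Information\\a.lnk", 0x6),
          ("data\\bin\\x64.dll", 0x2), ("Docs\\report.lnk", 0x20)]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        hits = scan(sys.argv[1])
    else:
        hits = {p: classify(p, a) for p, a in SAMPLE if classify(p, a)}
    for path, found in hits.items():
        print(path, "->", "; ".join(found))
```

Run it with the mounted volume's root as the only argument; directories the current account cannot read are skipped, so examine the volume from an account or forensic mount that can read the whole tree.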