Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
Elsa User Manual.doc
SECRET//NOFORN
10. (U) End-to-end Elsa Walk-through
(S) This walk-through describes the configuration, deployment, collection and processing
of the ELSA software system and the data it produces. The example is introductory;
additional details can be found in the prior sections, which cover each tool in detail. This
section assumes the operator has already stood up all the equipment described in the
Prerequisites.
(S) In this example, the operator should set up a Windows machine to serve as the
Operator Terminal. The PROCESSOR tool requires Windows, so the setup and
post-processing tools are compatible with Windows 7. In this scenario the operator has
extracted the media zip file to a folder ‘unclassified\server\windows’ on the Operator
Terminal as shown below.
Directory of C:\Users\user\elsa-v1.0.0-windows\unclassified\server\windows
06/13/2012 10:33 AM <DIR> .
06/13/2012 10:33 AM <DIR> ..
06/13/2012 09:09 AM 2,717 addtask.vbs
06/13/2012 09:09 AM 116,224 patcher.exe
06/13/2012 09:09 AM 270,336 processor.exe
06/13/2012 09:09 AM 453 sha1-windows-images.txt
06/13/2012 09:09 AM 109,568 tool-x64.dll
06/13/2012 09:09 AM 86,016 tool-x86.dll
6 File(s) 695,526 bytes
2 Dir(s) 196,852,690,944 bytes free
Figure 22 - (S) Example directory listing of the distribution media
(S) In this example the operator would like to monitor the pattern of life for a target
laptop. The operator assigns this collection the operational identifier of 2234, chooses
google as the location provider, and will use rundll32 to host the tool.
C:\Users\user\elsa-v1.0.0-windows\unclassified\server\windows
> patcher.exe -p x64 -o testx64g.dll -W
Enter mode [default is RunDll32]:
Enter target process filename [default is rundll32.exe]:
Enter data file name [default is %SystemRoot%\TEMP\elsa.data]:
%SystemRoot%\TEMP\elsag.data
Enter data file max kb [default is 200]: 202
Enter data file archive seconds [default is 60]: 62
Enter data encryption key file [default is key.bin]:
Create a new application guid [default is no]:
Enter application guid [default is {59553112-3228-49ce-8044-4AB3C63BD46C}]:
Enter seconds between wifi surveys [default is 30]: 32
Enter the seconds to delay the wifi survey after install [default is 30]: 32
Enter the seconds to delay the wifi survey after startup [default is 30]: 32
Enter backoff factor to use when wifi survey are unsuccessful [default is 10]: 13
Enter the wifi rssi threshold [default is 100]: 202
Save all wifi surveys [default is no]:
Enter geolocation provider [default is google]:
Enter the Client Id [default is 5555]: 2234
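Every prompt in the patcher session above has the form "<prompt> [default is <value>]: <answer>", where an empty answer keeps the default and one answer (the data file name) is wrapped onto the next line. As an added example for analysts reviewing such a session (not part of the manual or of the ELSA tools), the Python parser below resolves each prompt to its effective value and flags the settings that were changed; the function names and the dictionary layout are assumptions of this example.

```python
import re

# Prompt lines copied from the patcher.exe session shown above.
TRANSCRIPT = r"""Enter mode [default is RunDll32]:
Enter target process filename [default is rundll32.exe]:
Enter data file name [default is %SystemRoot%\TEMP\elsa.data]:
%SystemRoot%\TEMP\elsag.data
Enter data file max kb [default is 200]: 202
Enter data file archive seconds [default is 60]: 62
Enter data encryption key file [default is key.bin]:
Create a new application guid [default is no]:
Enter application guid [default is {59553112-3228-49ce-8044-4AB3C63BD46C}]:
Enter seconds between wifi surveys [default is 30]: 32
Enter the seconds to delay the wifi survey after install [default is 30]: 32
Enter the seconds to delay the wifi survey after startup [default is 30]: 32
Enter backoff factor to use when wifi survey are unsuccessful [default is 10]: 13
Enter the wifi rssi threshold [default is 100]: 202
Save all wifi surveys [default is no]:
Enter geolocation provider [default is google]:
Enter the Client Id [default is 5555]: 2234
"""

# "<prompt> [default is <value>]: <answer>"; a leading "Enter"/"the" is dropped.
PROMPT = re.compile(
    r"^(?:Enter )?(?:the )?(?P<name>.+?) \[default is (?P<default>[^\]]*)\]:\s*(?P<answer>.*)$")

def parse_transcript(text):
    """Map each prompt to its default, effective value and override flag."""
    settings, last = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = PROMPT.match(line)
        if m:
            last, answer = m.group("name"), m.group("answer")
            settings[last] = {"default": m.group("default"),
                              "value": answer or m.group("default"),
                              "overridden": bool(answer)}
        elif line and last and not settings[last]["overridden"]:
            # An answer wrapped onto its own line (the data file name above).
            settings[last].update(value=line, overridden=True)
    return settings

def overridden(settings):
    """Names of the settings changed from their defaults, in prompt order."""
    return [name for name, s in settings.items() if s["overridden"]]

if __name__ == "__main__":
    for name, s in parse_transcript(TRANSCRIPT).items():
        print(f"{'*' if s['overridden'] else ' '} {name} = {s['value']}")
```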
C:\Users\user\elsa-v1.0.0-windows\unclassified\server\windows
> dir