Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
Shadow v1.0 User Guide SECRET
3.2 (U) Creating Tasking Packets: odds and ends
• Whenever creating tasking packets, the most important step is ensuring the Recipient ID is properly configured. You can select a server or client ID to send the packets to, or you can select one of two specialized IDs: ANY_SERVER and ALL_SHADOW.
o Client: A Shadow instance installed with "Shadow.exe -i". It does not have any outside access and is entirely contained within a closed network. It is differentiated by having the highest-order bit of its ID set to 0.
o Server: A Shadow instance installed with "Shadow.exe -iS". It DOES have outside access: this machine can reach the internet, and we can send collected data back for postprocessing. The highest-order bit of its ID is set to 1.
o ANY_SERVER: Specifies that the recipient can be any Shadow server. Should be used sparingly, as the exact machine or number of machines that receive these packets is undefined.
o ALL_SHADOW: Specifies that all Shadow instances should execute this packet. Should be used sparingly; the packet is only sent to the Shadow instances known by the first machine to receive it.
o *Clipboard Paste*: Pastes the recipient ID from the clipboard, copied from either text or a filename. This is the preferred option, since you only need to copy the ID.
• Generally speaking, you should always specify the recipient of the packets you send, by either using the "Clipboard Paste" option or manually typing the ID. If you are unsure whether an ID is a client or a server, the program will inform you when you attempt to build the dat file. The IDs are all contained in postprocessed data, and since all Shadow instances run surveys and directory listings and send them back to a server, you should always know which Shadow IDs are on your network. You simply need to copy the folder name from this postprocessed data (i.e. Server_C0829FCD-534F-D141-878C-CDC548A63947), or the text itself. You can either copy the name including the "Server_" / "Client_" prefix, or just the ID itself ("Server_C0829FCD-534F-D141-878C-CDC548A63947", "C0829FCD-534F-D141-878C-CDC548A63947" or "C0829FCD534FD141878CCDC548A63947" are all acceptable).
• "Configure Copy Option": This is an option for the "Copy File" and "Execute Payload" packets. You can specify that the chosen input file be copied to the default directory, a specified directory, or a special CSIDL directory.
o Default Directory: The default Inbox Directory, as identified in the Shadow configuration process in section 2.0.
o Specified Directory: You can specify a directory explicitly, such as "C:\blah\...".
o Special CSIDL directory: This is the recommended choice. You can select from a list of provided CSIDLs (constant special item ID list) supported by the Windows operating system itself. See the CSIDL appendix for all these paths.
• "Update Program" task, "Remove Shadow": This task of removing Shadow will only affect the first machine that receives the packet if it is created with an ALL_SHADOW recipient. Be careful when generating this packet, and ensure you send it directly to the desired recipient.
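The three accepted Recipient ID spellings above (prefixed folder name, hyphenated GUID, bare 32 hex digits) and the client/server split by highest-order bit, as an added example that is not part of the Shadow user guide: a small Python normaliser an analyst can run over folder names recovered from postprocessed data to check which IDs are clients and which are servers. It assumes the "highest-order bit" is the top bit of the first hex digit as printed (which agrees with the Server_C0829FCD... example in the guide); the function names and all sample IDs other than that one are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical helper, not part of the Shadow user guide: normalises a recipient
# ID in any of the three accepted spellings and classifies it as client/server.
SPECIAL_IDS = {"ANY_SERVER", "ALL_SHADOW"}   # broadcast-style recipients
HEX32 = re.compile(r"[0-9A-F]{32}")

@dataclass
class RecipientId:
    canonical: str   # 32 uppercase hex digits, hyphens removed
    kind: str        # "client", "server", "any_server" or "all_shadow"

def parse_recipient_id(text: str) -> RecipientId:
    raw = text.strip()
    if raw in SPECIAL_IDS:
        return RecipientId(raw, raw.lower())
    prefix, body = None, raw
    for label in ("Server_", "Client_"):          # optional folder-name prefix
        if raw.lower().startswith(label.lower()):
            prefix, body = label[:-1].lower(), raw[len(label):]
    canonical = body.replace("-", "").upper()    # accept hyphenated or bare form
    if not HEX32.fullmatch(canonical):
        raise ValueError(f"not a 32-hex-digit Shadow ID: {text!r}")
    # Assumption: the "highest-order bit" is the top bit of the first hex digit
    # as printed, so C0829FCD... (1100...) is a server and 7F... (0111...) a client.
    kind = "server" if int(canonical[0], 16) & 0x8 else "client"
    if prefix is not None and prefix != kind:
        raise ValueError(f"prefix says {prefix} but high bit says {kind}: {text!r}")
    return RecipientId(canonical, kind)

def inventory(folder_names: List[str]) -> Dict[str, List[str]]:
    """Group postprocessed-data folder names by kind; unparsable names go to 'invalid'."""
    groups: Dict[str, List[str]] = {"client": [], "server": [], "invalid": []}
    for name in folder_names:
        try:
            rid = parse_recipient_id(name)
            groups.setdefault(rid.kind, []).append(rid.canonical)
        except ValueError as err:
            groups["invalid"].append(f"{name}: {err}")
    return groups

if __name__ == "__main__":
    # Constructed sample folder names; only the first appears in the guide.
    sample = ["Server_C0829FCD-534F-D141-878C-CDC548A63947",
              "Client_7F000000-0000-0000-0000-000000000001",
              "Client_C0829FCD-534F-D141-878C-CDC548A63947",  # prefix/bit mismatch
              "readme.txt"]
    print(inventory(sample))
```

A prefix that disagrees with the high bit is reported as invalid rather than silently trusted, which is the same mismatch the guide says the packet builder warns about.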