Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//20350629
values will be loaded into the fields on the top half of the screen. Modifications will be
automatically updated in the table.
(S) To select a payload click on the Find Payload button. A folder dialog will appear.
Simply browse to the location of the payload file on the configuration machine, and then
click Open. The path to the payload may also be manually entered in the text box located
to the right of the Find Payload button. To use a file already located on the target
system, leave the Payload field blank.
(S) Any arguments used when launching the payload should be entered in the Payload
Arguments text field. For example, if ipconfig is used as a payload, it takes command
line arguments such as /all, so at the command line a user would type:
ipconfig /all
(S) To include command line arguments using the EZSurvey v6.3 GUI, only the
arguments are needed, so the user would enter only /all in the Payload Arguments text
field. Arguments now support the use of command line variables and the built-in EZCheese
variables listed in the appendix.
(S) Only one path is needed on the target machine: the fully qualified path to the location
where EZCheese should drop the payload. This filename refers to the location, relative to
the target machine, where the payload will be written and launched. Environment
variables such as %temp% and %appdata% will be expanded on the target machine. The
payload can be written to, and then launched from, the flash drive using the %drive% variable
described below. If you specify a file that is already located on the target computer,
EZCheese can simply run that file in place.
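The paragraph above describes the payload path being expanded on the target (%temp%, %appdata%, %drive%) and the payload then being launched from that location. The following Python snippet is an added, defender-side example and is not code from the EZCheese/EZSurvey tool or its documentation: it expands such paths against a constructed environment and flags process launches from removable drives or user-writable profile directories in constructed process-creation records. The environment values, drive letter, user name and event records are all assumptions made up for the example; the real expansion of %drive% is not shown on this page.

```python
"""
Added example (not from the EZCheese/EZSurvey document): show where a
payload path such as "%temp%\\survey.exe" or "%drive%\\tools\\run.exe"
lands after variable expansion, and flag launches from those locations.
All environment values, drive letters and event records are constructed.
"""
import re

# Constructed target environment. %drive% stands for the removable-drive
# letter the manual refers to; its real expansion is not shown on the page.
ENV = {
    "temp": r"C:\Users\alice\AppData\Local\Temp",
    "appdata": r"C:\Users\alice\AppData\Roaming",
    "drive": r"E:",
}

# Locations a defender treats as unusual launch points for a new executable
SUSPICIOUS_ROOTS = (
    r"C:\Users\alice\AppData\Local\Temp",
    r"C:\Users\alice\AppData\Roaming",
)
REMOVABLE_DRIVES = ("E:",)

_VAR = re.compile(r"%([A-Za-z_]+)%")


def expand(path: str, env: dict = ENV) -> str:
    """Expand %name% tokens case-insensitively; unknown names are left untouched."""
    def repl(m):
        return env.get(m.group(1).lower(), m.group(0))
    return _VAR.sub(repl, path)


def classify(path: str) -> str:
    """Return 'removable', 'user-writable' or 'normal' for an expanded image path."""
    p = path.lower()
    if any(p.startswith(d.lower() + "\\") for d in REMOVABLE_DRIVES):
        return "removable"
    if any(p.startswith(r.lower() + "\\") for r in SUSPICIOUS_ROOTS):
        return "user-writable"
    return "normal"


# Constructed process-creation records (image path as it appears after expansion)
SAMPLE_EVENTS = [
    {"pid": 4100, "image": expand(r"%temp%\survey.exe"), "parent": "explorer.exe"},
    {"pid": 4101, "image": expand(r"%drive%\tools\run.exe"), "parent": "explorer.exe"},
    {"pid": 4102, "image": r"C:\Windows\System32\ipconfig.exe", "parent": "cmd.exe"},
    {"pid": 4103, "image": expand(r"%appdata%\Updater\upd.exe"), "parent": "svchost.exe"},
]


def flag_events(events):
    """Return (pid, image, reason) for launches from removable or user-writable paths."""
    flagged = []
    for ev in events:
        kind = classify(ev["image"])
        if kind != "normal":
            flagged.append((ev["pid"], ev["image"], kind))
    return flagged


if __name__ == "__main__":
    for pid, image, kind in flag_events(SAMPLE_EVENTS):
        print(f"pid={pid} {kind}: {image}")
```

On real telemetry the same check would run against the image path field of process-creation events (for example Sysmon Event ID 1), with the suspicious roots derived from the actual user profiles rather than the constructed values used here.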
(S) Optionally, click on the “Find Blacklist” button to select the text file containing any
processes that you want to check for before executing the payload. The blacklist
processes should be in a text file with one process per line. A blacklist could look like:
Avp.exe
AntiLogger.exe
(S) EZSurvey 6.3 allows for individual blacklists per payload. These blacklists only
impact the execution of the payload they are associated with. Other payloads can still run
and the survey / file collection will still execute.
(S) If you are selecting a payload that is architecture dependent you can use the radio
buttons on the top right to specify on which architecture you want the payload to run.
(S) To have a file drop to disk but not run, simply click the box “Do not execute – Just
drop”.
