Vault7: CIA Hacking Tools Revealed
Fine Dining Tool Module Lists

Execution Vectors

Technique Name | Cover Application | Technique Description and Use Case | Languages Supported | Version |
---|---|---|---|---|
None | Operator double-clicks application from removable media | | | |
VLC Player Portable | Operator listens to music or views videos while collection is occurring | | | |
Irfan View | Operator views/edits photos while collection is occurring | | | |
ClamWin Portable | Operator "scans the target system" for malicious software while collection is occurring | | | |
Kaspersky TDSS Killer Portable | Operator "scans the target system" for malicious software while collection is occurring | | | |
McAfee Stinger Portable | Operator "scans the target system" for malicious software while collection is occurring | | | |
Backup Software | Operator performs a backup while the tool is collecting data. Cover application intended for system administrators | | | |
Document Viewer(s) | Operator views documents in a portable viewer while collection is occurring | | | |
Note Taker | Operator takes notes while collection is occurring | | | |
Portable Browser | Operator uses a portable browser with "stored favorites" and navigates the web while collection is occurring | | | |
Portable Mail Viewer | Operator reads email while collection is occurring | | | |
Games (2048, Sudoku, etc.) | Operator plays a game while collection is occurring | | | |
Portable CMD or Console | Operator uses a custom shell while collection is occurring. Cover application intended for technical operators | | | |
Sandisk Vault or U3 Software | Operator extracts files from an encrypted file container to start collection | | | |

Blacklisting/Whitelisting

Technique Name | Technique Description and Use Case | Version |
---|---|---|
Blacklist or Whitelist based upon process names | | |
Blacklist or Whitelist based upon process path | | |
Blacklist or Whitelist based upon registry key | | |
Blacklist or Whitelist based upon file existence | | |
Blacklist or Whitelist based upon internet connection | | |

PSP Defeats

Technique Name | Technique Description and Use Case | Version |
---|---|---|
File exists | | |
Run from location | | |
Time based functions | | |
Dynamic calls | | |
Native calls | | |
COM calls (separate process) | | |

DLP Defeats

Technique Name | Technique Description and Use Case | Version |
---|---|---|
Fixed Disk | | |
Folder Junction | | |
Separate Process | | |

Survey

Technique Name | Technique Description and Use Case | Version |
---|---|---|

File Collection

Technique Name | Technique Description and Use Case | Version |
---|---|---|

Persistence

Technique Name | Technique Description and Use Case | Version |
---|---|---|

Hooks

Technique Name | Technique Description and Use Case | Version |
---|---|---|

Privilege Escalation

Technique Name | Technique Description and Use Case | Version |
---|---|---|
Prompt for Administrator (UAC (User Account Control)) | | |
Prompt for Administrator (credential stealing?) | | |
Sandworm | Use INF file and InfDefaultInstall to bypass UAC (User Account Control) on Windows 7 | |
Artillery | Utilizes an elevated COM object to write to System32 and an auto-elevated process to execute as administrator | |
Calvary | Utilizes the wusa.exe auto-elevated process to write to System32 and another auto-elevated process to execute as administrator | |
Stinger | UAC bypass that obtains the token from an auto-elevated process, modifies it, and reuses it to execute as administrator | |

Payload Deployment

Technique Name | Technique Description and Use Case | Version |
---|---|---|

Post Processing

Technique Name | Technique Description and Use Case | Version |
---|---|---|

Miscellaneous

Technique Name | Technique Description and Use Case | Version |
---|---|---|