Vault7: CIA Hacking Tools Revealed
Navigation: » Latest version
Fine Dining Tool Module Lists
Execution Vectors
Technique Name | Cover Application | Technique Description and Use Case |
Languages Supported | Version |
---|---|---|---|---|
None | Operator double-clicks application from removable media | N/A | 1.0 | |
VLC Player Portable | Operator listens to music or views videos while collection is occurring | |||
Irfan View | Operator views/edits photos while collection is occurring | |||
ClamWin Portable | Operator "scans the target system" for malicious software while collection is occurring | |||
Kaspersky TDSS Killer Portable | Operator "scans the target system" for malicious software while collection is occurring | |||
McAfee Stinger Portable | Operator "scans the target system" for malicious software while collection is occurring | |||
Backup Software | Operator performs a backup while tool is collecting data. Cover application intended for System Administrators | |||
Document Viewer(s) | Operator views documents in portable viewer while collection is occurring | |||
Note Taker | Operator takes notes while collection is occurring | |||
Portable Browser | Operator uses portable browser with "stored favorites" and navigates web while collection is occurring. | |||
Portable Mail Viewer | Operator reads email while collection is occurring | |||
Games (2048, Sudoku, etc) | Operator plays a game while collection is occurring | |||
Portable CMD or Console | Operator uses custom shell while collection is occurring. Cover application intended for technical operators | |||
Sandisk Vault or U3 Software | Operator extracts files from an encrypted file container to start collection |
Blacklisting/Whitelisting
Technique Name | Technique Description and Use Case | Version |
---|---|---|
Blacklist or Whitelist based upon process names | ||
Blacklist or Whitelist based upon process path | ||
Blacklist or Whitelist based upon registry key | ||
Blacklist or Whitelist based upon file existence | ||
Blacklist or Whitelist based upon internet connection |
PSP Defeats
Technique Name | Technique Description and Use Case | Version |
---|---|---|
File exists | ||
Run from location | ||
Time based functions | ||
Dynamic calls | ||
Native calls | ||
COM calls (separate process) | ||
Pack code stegged into image, zip, rar, or like |
DLP Defeats
Technique Name | Technique Description and Use Case | Version |
---|---|---|
Fixed Disk | ||
Folder Junction | ||
Separate Process |
Survey
Technique Name | Category | Technique Description and Use Case | Version |
---|
File Collection
Technique Name | Technique Description and Use Case | Version |
---|---|---|
File Queueing | ||
Prioritized file collection by extension and directory | ||
Smash and Grab |
Persistence
Technique Name | Technique Description and Use Case | Version |
---|---|---|
Powershell startup script | ||
Scheduled Task | ||
DLL Hijacks | ||
WMI | ||
Service | ||
COM Junction |
Hooks
Technique Name | Hook Type | Technique Description and Use Case | Version |
---|---|---|---|
BITS | |||
Junction Folder (Hide CLSID extension) | |||
Search Handler - Internet Cache, Office Document | |||
WMI Event | |||
Scheduled Task | |||
Library-ms | |||
Group Policy | |||
Stored RPC | |||
Remote Service |
Privilege Escalation
Technique Name | Technique Description and Use Case | Version |
---|---|---|
Prompt for Administrator (UACUser Account Control) | ||
Prompt for Administrator (credential stealing?) | ||
Sandworm | Use INF file and InfDefaultInstall to bypass UACUser Account Control on Windows 7 | |
Artillery | Utilizes elevated COM object to write to System32 and an auto-elevated process to execute as administrator | |
Calvary | Utilizes the wusa.exe auto-elevated process to write to System32 and another auto-elevated process to execute as administrator | |
Stinger | UAC bypass that obtains the token from an auto-elevated process, modifies it, and reuses it to execute as administrator |
Payload Deployment
Technique Name | Technique Description and Use Case | Version |
---|---|---|
Create Process | ||
Load Library | ||
Create Process WMI | ||
Create Process Task Scheduler | ||
Create Process COM? | ||
Reflect Load Library |
Data Storage
Technique Name | Technique Description and Use Case | Version |
---|---|---|
ADS | ||
File Container | ||
Steg into images, rar's, video, audio | ||
Steg into documents (Sharpie) | ||
Covert Partition? |
Post Processing
Technique Name | Technique Description and Use Case | Version |
---|---|---|
Raw | ||
Summary | ||
Codex | ||
Case Officer | ||
TIO |
Miscellaneous
Technique Name | Technique Description and Use Case | Version |
---|---|---|
Marble | Automated string/data obfuscation utilizing pre and post-build events | |
Logging/Reporting |