Vault7: CIA Hacking Tools Revealed
Fine Dining Tool Module Lists
Execution Vectors

| Technique Name | Technique Type | Cover Application | Categories | Technique Description and Use Case | Languages Supported | Version |
|---|---|---|---|---|---|---|
| | DLL Hijack - External Manifest | VLC Player Portable | User, Audio, Media | Operator listens to music or views videos while collection is occurring | | v1.0 |
| | DLL Hijack | Irfan View | User, Media, Images | Operator views/edits photos while collection is occurring | | v1.0 |
| | DLL Hijack | Chrome Portable | User, Internet, Browser | Operator uses portable browser while collection is occurring | | v1.0 |
| | DLL Hijack | Opera Portable | User, Internet, Browser | Operator uses portable browser while collection is occurring | | v1.0 |
| | DLL Hijack | Firefox Portable | User, Internet, Browser | Operator uses portable browser while collection is occurring | | v2.0 |
| | DLL Hijack | ClamWin Portable | Administrator, Technical, PSP | Operator "scans the target system" for malicious software while collection is occurring | | v1.0 |
| | DLL Hijack | Kaspersky TDSS Killer Portable | Administrator, Technical, PSP | Operator "scans the target system" for malicious software while collection is occurring | | v1.0 |
| | DLL Hijack | McAfee Stinger Portable | Administrator, Technical, PSP | Operator "scans the target system" for malicious software while collection is occurring | | v1.0 |
| | DLL Hijack | Sophos Virus Removal | Administrator, Technical, PSP | Operator "scans the target system" for malicious software while collection is occurring | | v1.0 |
| | DLL Hijack | Thunderbird Portable | User, Mail Client, Technical | Operator checks email while collection is occurring | | v1.0 |
| | DLL Hijack | Opera Mail | User, Mail Client, Technical | Operator checks email while collection is occurring | | |
| | DLL Hijack | Backup Software | User, File Backup | Operator performs a backup while the tool is collecting data. Cover application intended for system administrators | | |
| | DLL Hijack | Document Viewer(s) | User, Documents | Operator views documents in a portable viewer while collection is occurring | | |
| | DLL Hijack | Note Taker | User, Documents | Operator takes notes while collection is occurring | | |
| | DLL Hijack | Portable Browser | User, Internet, Browser | Operator uses a portable browser with "stored favorites" and navigates the web while collection is occurring | | |
| | DLL Hijack | Portable Mail Viewer | User, Internet, E-Mail | Operator reads email while collection is occurring | | |
| | DLL Hijack | Games (2048, Sudoku, etc.) | User, Games | Operator plays a game while collection is occurring | | |
| | DLL Hijack | Portable CMD or Console | User, Technical, Console | Operator uses a custom shell while collection is occurring. Cover application intended for technical operators | | |
| | DLL Hijack | Sandisk Vault or U3 Software | User, Encryption | Operator extracts files from an encrypted file container to start collection | | |
| | DLL Hijack | 7-Zip Portable | User, Compression, Encryption | Operator extracts or collects files from a compressed and encrypted 7z file to start collection | | |
| | DLL Hijack | Prezi | | | | |

Blacklisting/Whitelisting

| Technique Name | Technique Description and Use Case | Version |
|---|---|---|
| Blacklist or Whitelist based upon process names | | |
| Blacklist or Whitelist based upon process path | | |
| Blacklist or Whitelist based upon registry key | | |
| Blacklist or Whitelist based upon file existence | | |
| Blacklist or Whitelist based upon internet connection | | |

PSP Defeats

| Technique Name | Technique Description and Use Case | Version |
|---|---|---|
| File exists | | |
| Run from location | | |
| Time based functions | | |
| Dynamic calls | | |
| Native calls | | |
| COM calls (separate process) | | |
| Pack code stegged into image, zip, rar, or the like | | |

DLP Defeats

| Technique Name | Technique Description and Use Case | Version |
|---|---|---|
| Fixed Disk | | |
| Folder Junction | | |
| Separate Process | | |

Survey

| Technique Name | Category | Technique Description and Use Case | Version |
|---|---|---|---|
| SWMI_Addict | Configurable Full Machine Survey | | v1.0 |

File Collection

| Technique Name | Technique Description and Use Case | Version |
|---|---|---|
| File Queueing | | |
| Prioritized file collection by extension and directory | | |
| Smash and Grab | | |

Persistence

| Technique Name | Technique Description and Use Case | Version |
|---|---|---|
| Powershell startup script | | |
| Scheduled Task | | |
| DLL Hijacks | | |
| WMI | | |
| Service | | |
| COM Junction | | |

Hooks

| Technique Name | Hook Type | Technique Description | Use Case | Version |
|---|---|---|---|---|
| ???? | Privilege | Uses a WMI (Windows Management Instrumentation) event to asynchronously watch for a specific registry key; if a command is written to that key, the command is executed as System. | XP - 10 | v1.0 |
| ???? | Local/Drive | CLSID Junction Folder - | XP - 10 | v1.0 |
| ???? | Local/Drive | Library File | 7+ | v1.0 |
| ???? | Local/Remote/File | Stegged file carries payload and/or command | XP - 10 | v1.0 |
| BITS | | | | |
| Junction Folder (Hide CLSID extension) | | | | |
| Search Handler - Internet Cache, Office Document | | | | |
| WMI Event | | | | |
| Scheduled Task | | | | |
| Library-ms | | | | |
| Group Policy | | | | |
| Stored RPC | | | | |
| Remote Service | | | | |

Privilege Escalation

| Technique Name | Technique Description and Use Case | Version |
|---|---|---|
| Prompt for Administrator (UAC, User Account Control) | | |
| Prompt for Administrator (credential stealing?) | | |
| Sandworm | Uses an INF file and InfDefaultInstall to bypass UAC (User Account Control) on Windows 7 | |
| Artillery | Utilizes an elevated COM object to write to System32 and an auto-elevated process to execute as administrator | |
| Calvary | Utilizes the wusa.exe auto-elevated process to write to System32 and another auto-elevated process to execute as administrator | |
| Stinger | UAC bypass that obtains the token from an auto-elevated process, modifies it, and reuses it to execute as administrator | |

Payload Deployment

| Technique Name | Technique Description and Use Case | Version |
|---|---|---|
| Create Process | | |
| Load Library | | |
| Create Process WMI | | |
| Create Process Task Scheduler | | |
| Create Process COM? | | |
| Reflect Load Library | | |

Data Storage

| Technique Name | Technique Description and Use Case | Version |
|---|---|---|
| ADS | | |
| File Container | | |
| Steg into images, RARs, video, audio | | |
| Steg into documents (Sharpie) | | |
| Covert Partition? | | |

Post Processing

| Technique Name | Technique Description and Use Case | Version |
|---|---|---|
| Raw | | |
| Summary | | |
| Codex | | |
| Case Officer | | |
| TIO | | |

Miscellaneous

| Technique Name | Technique Description and Use Case | Version |
|---|---|---|
| Marble | Automated string/data obfuscation utilizing pre- and post-build events | |
| Logging/Reporting | | |