Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//ORCON//NOFORN
3.3 Process Check

The Assassin Implant may be configured to check the target’s running process list before performing a beacon. The contents of the process list are compared against two sets of processes defined at build time, the blacklist and the whitelist. These lists are specified by the image names of the processes in question.

The blacklist is a set of processes that prevent the performance of a beacon transaction. If any of the processes in the blacklist is running, the beacon is aborted.

The whitelist is a set of processes that enable the performance of a beacon transaction. If none of the processes in the whitelist is running, the beacon is aborted.

If a beacon is aborted due to a failed process check, it is considered a ‘failed beacon’ for the purposes of the failure threshold; see section 6.3 on Failure Threshold.