Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//ORCON//NOFORN
18.2.3 Launcher Configuration
This section will describe the xml formats for all of the configuration values
contained under the <Launcher> XML tag. An example of a complete launcher
configuration is shown below:
XML Configuration Example
<Launcher bits="32">
<StartNow />
<InstallPersistence />
<RegKeyPath>SYSTEM\CurrentControlSet\Services\TestPath</RegKeyPath>
<RegistryDescription>Assassin 32-bit</RegistryDescription>
<RegistryName>Implanted</RegistryName>
<DllPath>c:\temp\32\32assn.dll</DllPath>
</Launcher>
Attribute Definitions
bits
The bits attribute defines the bitness of the launcher being configured, either 32
or 64. If the attribute is omitted, the configuration is assumed for all bitnesses.
Field Definitions
Start Now
The start now flag tells the builder to configure the Implant to automatically start
if the permissions at install time are at SYSTEM level.
The start now flag has no parameters, and if found in the configuration file, the
Implant will be configured to start immediately.
Install Persistence
The install persistence flag tells the builder to configure the Extractor to install
the associated injection persistence method at install time. If this flag is not set,
the Implant will have no persistence mechanism, and it will not start on reboot.
The install persistence flag has no parameters, and if found in the configuration
file, the Implant will be configured to install the persistence mechanism.
Registry Key Path
The registry key path field describes the registry entry that will be used to store
the values required for persistence. The default is to store the entries under
“SYSTEM\CurrentControlSet\Services\”.However, if the user provides the full
path, any other path can be set.
In the example above, the registry key path value will be set to
“SYSTEM\CurrentControlSet\Services\TestPath”.
Registry Description
151
SECRET//ORCON//NOFORN