Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

Check URLs (-c): A list of HTTP URLs that will be used to verify Internet connectivity before communication with an LP is attempted. A random URL is selected from this list during each beacon; it must return HTTP/200 in order for a beacon to occur.

Exfiltration Window (-e): The combined total number of bytes to upload for watchpaths, dropbox and bigfile tasks.

Hibernation Period (-d): The number of seconds to wait before attempting any network activity. The implant adds the beacon interval to the hibernation period to determine the next date at which a beacon may be attempted.

Task File (-t): A file containing tasks for the implant that will be retrieved from the LP (see TASKING below).

Network Injection Processes (-n): Processes into which the implant may inject its networking bundle. The process list is scanned in the order specified; the first process found is used until it exits.

Trigger Paths (-p): Paths that create trigger events when their contents are changed. User directory-relative paths must begin with a tilde and must be quoted. Only Der Starke deployments can change this option.

Uninstall Domain (-u): A domain name that will be queried when the implant uninstalls.

Full Authentication (-a): Indicates whether or not the implant should attempt to use fully authenticated SSL.

Uninstall Period (-x): If set, the tool uninstalls after this many seconds have passed without a successful beacon. If not set, the tool uninstalls after 4 forced beacons by default.
TASKING
Triton supports two types of tasks. Automatic tasks are performed every time the implant beacons. They are stored in the LP's "a" file, which persists across beacons on the LP; some automatic tasks rely on state information in the LP's "fls/s" file. Immediate tasks are performed only once. They are stored in the LP's "fls/i" file, which the LP removes after it is fetched the first time. Immediate task execution stops on the first error encountered. Here is a sample task file showing all of the supported tasks:
####### IMMEDIATE TASKS ########
# GET: recursively get the specified files/folders, regardless of size
get:/some path/here
get:/a/file:/another file/here:/some/directory/
# PUT: put the source file on the target system at the specified location
# - file will be root owned and executable by root
# - directory containing dest file must exist
put:/sourcefile:/destfile
# EXEC: execute something with the specified parameters
# - arg 1 is the executable on target
# - if args 2 and 3 are present, and arg 2 is "stdin", then arg 3 is piped to stdin
# - all other parameters are passed to the executable
exec:/some/file
exec:/some/file:args:moreargs:etc
exec:/some/file:stdin:/some/stdin/file:args:moreargs
# UNINSTALL: uninstall, optionally removing the specified files
# - Triton will remove its files and stop running
# - Der Starke will set an NVRAM variable to indicate uninstall on next reboot
# - The update bundle will also be removed
uninstall
uninstall:/some/path:/some/other/file
# DIRWALK: recursively lists the contents of a directory, up to the specified limit
dirwalk:/some/path:1024
####### AUTOMATIC TASKS ########
# SCRIPTS: execute the specified scripts, returning the stdout/stderr
# - scripts are piped to stdin of /bin/bash
# - WARNING: do not self-remove $0, it's /bin/bash !!!
# - WARNING: execution time and output size are unbounded !!!
scripts:/some/local/path.sh:/another/script.sh
# BUNDLES: execute the specified bundles, returning their status/output
bundles:/some/local/bundle.sh:/yet/another/bndl
# WATCHPATHS: chunk/download contents of specified files/folders, oldest files first
# - exfiltration window is respected
# - relative paths may be specified with tilde
SECRET//NOFORN
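For an analyst who recovers a task file in the layout shown above, the following added example (not part of the leaked document or of the tool itself) splits it into immediate and automatic tasks using the verb names and the colon-separated field layout from the sample, and produces triage notes for the tasks that write to, execute on or remove from the host. The sample input is constructed for illustration.

```python
from collections import namedtuple
# Verb sets taken from the documented sample task file.
IMMEDIATE_VERBS = {"get", "put", "exec", "uninstall", "dirwalk"}
AUTOMATIC_VERBS = {"scripts", "bundles", "watchpaths"}
Task = namedtuple("Task", "line_no verb args kind")  # kind: immediate/automatic/unknown

def parse_task_file(text):
    """Split a task file into Task records; blank and '#' comment lines are skipped."""
    tasks = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Fields are colon-separated, so a path in this format cannot contain ':'.
        verb, _, rest = line.partition(":")
        verb = verb.lower()
        args = rest.split(":") if rest else []
        kind = ("immediate" if verb in IMMEDIATE_VERBS
                else "automatic" if verb in AUTOMATIC_VERBS else "unknown")
        tasks.append(Task(n, verb, args, kind))
    return tasks

def triage(tasks):
    """Analyst notes for tasks that write to, execute on, or remove from the host."""
    notes = []
    for t in tasks:
        if t.verb == "put" and len(t.args) == 2:
            notes.append(f"line {t.line_no}: writes root-owned executable {t.args[1]}")
        elif t.verb == "exec" and len(t.args) >= 3 and t.args[1] == "stdin":
            notes.append(f"line {t.line_no}: runs {t.args[0]} with stdin from {t.args[2]}")
        elif t.verb == "exec" and t.args:
            notes.append(f"line {t.line_no}: runs {t.args[0]} with args {t.args[1:]}")
        elif t.verb == "uninstall":
            notes.append(f"line {t.line_no}: uninstall, also removing {t.args}")
        elif t.kind == "unknown":
            notes.append(f"line {t.line_no}: unrecognised verb {t.verb!r}")
    return notes

# Constructed sample in the documented layout (not a recovered file).
SAMPLE = """\
####### IMMEDIATE TASKS ########
get:/some path/here:/another file
put:/sourcefile:/destfile
exec:/some/file:stdin:/some/stdin/file:args
uninstall:/some/other/file
####### AUTOMATIC TASKS ########
scripts:/some/local/path.sh:/another/script.sh
"""
if __name__ == "__main__":
    print("\n".join(triage(parse_task_file(SAMPLE))))
```

Because immediate tasks stop on the first error, the line numbers in the notes also tell an analyst which tasks could not have run if an earlier one failed.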
