Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
By default, processes that are already running when AM starts up are considered for
targeting. To target only new processes, specify the -r flag.
Once a process has been marked to be affected, the Process gremlin waits delay
seconds (plus or minus up to the jitter). In the case of “kill” and “lock”, the -d value
sets when the activity occurs. With “delay”, the -d value sets how long,
starting immediately, the process is delayed from continuing execution.
Note that AM has no built-in self-preservation, and so Process will happily kill the
process that it is currently running in without complaint, if that’s what the
configuration says. This is probably not desired, so don’t kill svchost.exe or other
processes hosting AM.