Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
• The word 'overt' in a prompt for configuration information indicates the information will be
visible to a user logged on to the target machine. Care should be taken to ensure these values
are consistent with the operational CONOP.
• Configuration settings that can be modified when the implant is on target are indicated in the
prompt text.
9.1 (U) Usage
(S//NF) This section contains information for parsing encrypted data from an implant. Figure 20
shows the command line options for the Parser.
Warning
(S//NF) Implant parsing may be completed on the low-side;
however, the operator should be aware that cryptographic key
data will be in the clear.
(S//NF) By default, the Parser uses the local directory as both the input and the output
location. A single receipt file or a directory of receipt files can be supplied as a command line
option. By default, the builder_output\receipts directory is used to process receipts built
with the Builder.
Parser Tool
usage: parser.py [-h] [-r RECEIPT] [-i INPUT] [-d] [-o OUTPUT] [-m]

Parser Configuration

optional arguments:
  -h, --help            show this help message and exit
  -r RECEIPT, --receipt RECEIPT
                        This argument defines an existing receipt filename or
                        directory of receipts to be used for processing.
  -i INPUT, --input INPUT
                        This argument provides the ability to import a file
                        or directory of files.
  -d, --debug           Enable decoding of unencrypted files from target
  -o OUTPUT, --output OUTPUT
                        This argument provides the output path location.
  -m, --nomark          This argument provides the ability to reuse a
                        processed directory. By default, the parsing code
                        will mark processed files with a date prefix. (e.g.
                        20150908_1010_{30996559-C169-490B-A40B-4ADB597E0D19}.
Figure 20 - (S//NF) Parser Command Line Options
9.2 (U) Command Line Options
9.2.1 (U) RECEIPT
(S//NF) This argument defines an existing receipt filename to be used for processing. This is the
file name with full path to the receipt file generated by the Builder.