Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//NOFORN
Directory used for this target in the deploy directory
--base-url BASE_URL Base URL that will be prepended to the deploy-dir
File
Explanation of values:
Name – Human-readable name, never sent to target.
Architecture – Target machine architecture. AM must match the actual machine architecture, and cannot run as 32-bit on a 64-bit machine.
LP Host – Hostname/IP address of the Octopus Listening Post.
LP Port – Port to call in to. Usually 443 for standard HTTPS.
Dead Man Delay – If this time span passes without a successful connection to the LP, AM will uninstall. Can be entered as a “complex number,” i.e., ‘4d3h’ for four days, three hours.
Beacon Interval – How often to call in to the LP.
Jitter – Random offset to apply to the beacon interval, such that the actual interval will be calculated as Interval + rand(-Jitter, +Jitter).
Chunk Size – Target amount of data to exfiltrate on each beacon cycle. Note that more data may be sent if a gremlin absolutely demands to send more.
Uninstall Date – Date, in ISO format, on which AM will automatically uninstall.
Initial Delay – Delay after each reboot until AM begins beaconing and execution.
Deploy Directory – Unique web path that files will be GET and POSTed to/from.
Base URL – Prepended common directory for all targets of the same LP. The final callback URL will be https://<LP>/<Base URL>/<Deploy Dir>/. That must be unique for each individual target.
Note that while multiple targets can reasonably share a single build, there should be a 1-to-1 relationship between targets and actual deployed instances.
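
From the defender's side, the Beacon Interval and Jitter definitions above imply that the gaps between call-ins to one unique Deploy Directory path stay inside [Interval - Jitter, Interval + Jitter]. The following added example (not part of the original document; the log tuple layout, host names, thresholds and function name are assumptions, and the sample records are constructed) flags such request series in proxy logs:

```python
from collections import defaultdict
from itertools import accumulate

def _series(client, host, path, gaps, start=0):
    """Build constructed log tuples (epoch_s, client, host, path) from a list of gaps."""
    return [(t, client, host, path) for t in accumulate(gaps, initial=start)]

# Constructed sample, not real traffic: one bounded-jitter series, one irregular series.
SAMPLE = (
    _series("10.0.0.5", "lp.example", "/base/dir-a/",
            [3450, 3800, 3600, 3300, 3900, 3550])
    + _series("10.0.0.9", "news.example", "/index.html",
              [30, 3870, 10, 4990, 11000, 5], start=100)
)

def beacon_candidates(records, min_events=6, max_ratio=0.25):
    """Flag (client, host, path) groups whose inter-arrival gaps all sit in a
    narrow band, as Interval + rand(-Jitter, +Jitter) would produce."""
    groups = defaultdict(list)
    for ts, client, host, path in records:
        groups[(client, host, path)].append(ts)

    hits = {}
    for key, stamps in groups.items():
        if len(stamps) < min_events:
            continue  # too few call-ins to judge regularity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        lo, hi = min(gaps), max(gaps)
        interval = (lo + hi) / 2   # midrange estimates Interval
        jitter = (hi - lo) / 2     # half-width is a lower bound on Jitter
        if interval > 0 and jitter / interval <= max_ratio:
            hits[key] = {"interval": interval, "jitter": jitter,
                         "events": len(stamps)}
    return hits

if __name__ == "__main__":
    for key, est in beacon_candidates(SAMPLE).items():
        print(key, est)
```

Grouping on the full path matters here because each deployed instance calls back to its own URL, so one client repeatedly hitting one otherwise unseen path on port 443 is the unit to measure.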