Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//NOFORN
________________________________________________________________________
The word 'overt' in a prompt for configuration information indicates the information will be
visible to a user logged on to the target machine. Care should be taken to ensure these values
are consistent with the operational CONOP.
Configuration settings that can be modified when the implant is on target are indicated in the
prompt text.
9.1 (U) Usage
(S//NF) This section contains information for parsing encrypted data from an implant. Figure 20
shows the command line options for the Parser.
Warning
(S//NF) Implant parsing may be completed on the low-side;
however, the operator should be aware that cryptographic key
data will be in the clear.
(S//NF) By default, the Parser uses the local directory as both the input and the output
location. A single receipt file or a directory of receipt files can be included as a command line
option. By default, the builder_output\receipts directory will be used to process receipts built
with the Builder.
Parser Tool
usage: parser.py [-h] [-r RECEIPT] [-i INPUT] [-d] [-o OUTPUT] [-m]

Parser Configuration

optional arguments:
  -h, --help            show this help message and exit
  -r RECEIPT, --receipt RECEIPT
                        This argument defines an existing receipt filename or
                        directory of receipts to be used for processing.
  -i INPUT, --input INPUT
                        This argument provides the ability to import a file
                        or directory of files.
  -d, --debug           Enable decoding of unencrypted files from target
  -o OUTPUT, --output OUTPUT
                        This argument provides the output path location.
  -m, --nomark          This argument provides the ability to reuse a
                        processed directory. By default, the parsing code
                        will mark processed files with a date prefix. (e.g.
                        20150908_1010_{30996559-C169-490B-A40B-4ADB597E0D19}.
Figure 20 - (S//NF) Parser Command Line Options
9.2 (U) Command Line Options
9.2.1 (U) RECEIPT
(S//NF) This argument defines an existing receipt filename to be used for processing. This is the
file name with full path to the receipt file generated by the Builder.
