Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
Note
(U) URLs should start with a slash ("/") but should not have an ending slash.
5.3 (U) Management
(S//NF) To specify initial tasking for a target (i.e., when the target first beacons to the LP), create
a folder on the LP with the parent ID. Place any generic tasking created for the family of targets
in this parent folder. When a new target beacons, the LP creates a child folder for the specific
child ID and copies the parent tasking into the child folder. The LP only copies the parent tasking
to the child folder once -- when the child folder is initially created. On subsequent beacons, all
tasking will be pulled directly from the child folder. The Operator must manually copy the
target’s specific tasking from the Tasker to the target’s OUT directory as well as move files
from the target’s IN directory for processing by the Parser tool.
(S//NF) If there is both parent and child tasking for a target, it will be processed in the following
order, based on the user-configured priority:
1. Child tasking
   a. Non-persistent
   b. Persistent
2. Parent tasking
   a. Non-persistent
   b. Persistent
Note
(S//NF) All child-specific tasking will take precedence over any existing parent tasking.
5.3.1 (U) URL Query:
(S//NF) To obfuscate the URL request and prevent caching, the target appends a template
filled with random data to each request. The following strings define the templates
for processing URL queries.
?keyword=%s&matchtype=p
?ping?clientid=%s
?event?a=%sy=false
?h.key=%s
?activityi;src=%s
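
A detection sketch built on the templates above, added here as an example and not part of the original document: it turns each listed template into a regular expression and flags client/host pairs in proxy logs whose query strings take several of these shapes. The log format, the hosts and tokens, the character class assumed for the random data, and the two-template threshold are all assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Query templates exactly as listed in section 5.3.1; %s is the random data.
TEMPLATES = ["?keyword=%s&matchtype=p", "?ping?clientid=%s",
             "?event?a=%sy=false", "?h.key=%s", "?activityi;src=%s"]

def template_to_regex(template):
    """Escape the literal parts; let %s match one run of random data."""
    parts = [re.escape(p) for p in template.lstrip("?").split("%s")]
    # Assumption: the random data contains no '&', '=', '?' or whitespace.
    return re.compile(r"[^&=?\s]+".join(parts))

MATCHERS = [(t, template_to_regex(t)) for t in TEMPLATES]

def match_template(url):
    """Return the template whose shape the whole query string has, else None."""
    query = urlsplit(url).query
    for template, rx in MATCHERS:
        if rx.fullmatch(query):
            return template
    return None

def suspicious_pairs(log_lines, min_templates=2):
    """Flag (client, host) pairs whose requests use several template shapes."""
    seen = defaultdict(set)
    for line in log_lines:
        client, url = line.split()[:2]
        template = match_template(url)
        if template:
            seen[(client, urlsplit(url).hostname)].add(template)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_templates}

# Constructed proxy-log lines ("client url"); hosts and tokens are made up.
SAMPLE_LOG = [
    "10.0.0.5 http://cdn.example.net/img/logo?h.key=Zq81LmP0",
    "10.0.0.5 http://cdn.example.net/img/logo?ping?clientid=77aKd02x",
    "10.0.0.5 http://cdn.example.net/img/logo?event?a=k3Jd9y=false",
    "10.0.0.9 http://ads.example.org/click?keyword=shoes&matchtype=p",
    "10.0.0.9 http://shop.example.com/search?q=shoes&page=2",
]

if __name__ == "__main__":
    for (client, host), templates in suspicious_pairs(SAMPLE_LOG).items():
        print(client, host, templates)
```

A single match is left unflagged because one query string of a given shape is weak evidence by itself; the constructed ads.example.org line shows that case.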
5.3.2 (U) Request Headers
(S//NF) The request header will include user-configured headers as well as default ones.
User Agent: (user-configured)
Accept: (user-configured)
Accept-Language: (user-configured)
Accept-Encoding: (user-configured)