Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//ORCON//NOFORN
The beacon configuration tasks modify the settings that control when Assassin
beacons. This includes both beacon timing parameters and blacklist and
whitelist checks against the process list.
set_beacon_params <run_mode> [initial=0] [default_int=0] [max_int=0] [factor=0.0] [jitter=0]
Set one or more of the beacon parameters. Note that 0 indicates ‘do not alter
this value’.
run_mode
Code specifying the run mode, represented by combining the
following keys:
‘r’ - run the task on receipt
‘s’ - run the task on every Implant startup
‘p’ - push the task results to the LP immediately
initial
Initial wait after Implant startup before beacon (default = 0)
default_int
Default interval between beacons (default = 0)
max_int
Maximum interval between beacons (default = 0)
factor
Backoff factor to modify beacon interval (default = 0)
If beacon fails, multiply beacon interval by factor.
If beacon succeeds, restore beacon interval to default.
jitter
Range to vary the timing of beacons (default = 0)
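A defender's view of the timing model above, as an added example that is not part of the original document: it labels a series of connection timestamps as fixed-interval beaconing, retry backoff, or irregular. The function names, the tolerance, and the sample timestamps are assumptions constructed for illustration; the document does not state the units or the exact jitter semantics.

```python
from statistics import median

# Constructed sample data: seconds since first observation, one host -> one destination.
FIXED = [0, 310, 595, 905, 1190, 1500]          # ~300 s interval with small jitter
RETRY = [0, 60, 180, 420, 900, 1380, 1860]      # gaps double, then hold at 480 s
NOISE = [0, 12, 500, 520, 2000, 2100, 2105]     # ordinary bursty traffic

def intervals(timestamps):
    """Gaps in seconds between consecutive connection attempts."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]

def classify_timing(timestamps, tolerance=0.2, min_events=5):
    """Label a connection series 'periodic', 'backoff' or 'irregular'.

    periodic: every gap lies within `tolerance` of the median gap
              (a default interval varied by a bounded jitter).
    backoff:  gaps grow by a near-constant ratio, then optionally level off
              (interval multiplied by a factor after each failure, up to a cap).
    """
    gaps = intervals(timestamps)
    if len(gaps) < max(min_events - 1, 1) or min(gaps) <= 0:
        return "irregular"
    mid = median(gaps)
    if all(abs(g - mid) <= tolerance * mid for g in gaps):
        return "periodic"
    ratios = [b / a for a, b in zip(gaps, gaps[1:])]
    growth = [r for r in ratios if r > 1 + tolerance]
    plateau = ratios[len(growth):]               # ratios after the growth run
    if len(growth) >= 2 and ratios[:len(growth)] == growth:
        step = median(growth)
        steady = all(abs(r - step) <= tolerance * step for r in growth)
        capped = all(abs(r - 1) <= tolerance for r in plateau)
        if steady and capped:
            return "backoff"
    return "irregular"

if __name__ == "__main__":
    for name, series in (("FIXED", FIXED), ("RETRY", RETRY), ("NOISE", NOISE)):
        print(name, classify_timing(series))
```

The labels are a triage signal for hunting rather than a verdict, since software updaters and time-sync clients also poll on fixed intervals.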
set_blacklist <run_mode> [programs=[]] [files=[]]
Set the target blacklist. If no parameters are provided, the command will enter
a subshell; see section 9.4.2 on Program List subshells.
run_mode
Code specifying the run mode, represented by combining the
following keys:
‘r’ - run the task on receipt
‘s’ - run the task on every Implant startup
‘p’ - push the task results to the LP immediately
programs
Set of executable names to include in the blacklist, specified as
a Python list or tuple
files
Set of blacklist files, specified as a Python list or tuple
Blacklist files are whitespace-delimited lists of executable
names to include in a target blacklist.
set_whitelist <run_mode> [programs=[]] [files=[]]
Set the target whitelist. If no parameters are provided, the command will enter
a subshell; see section 9.4.2 on Program List subshells.
run_mode
Code specifying the run mode, represented by combining the
following keys:
‘r’ - run the task on receipt
‘s’ - run the task on every Implant startup
‘p’ - push the task results to the LP immediately