Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//ORCON//NOFORN
3.1 Beacon Transaction
The majority of Implant-Listening Post communications occur during beacon
events. The beacon transaction is composed of six stages:
1. Decide to Beacon
The Implant decides if it should perform a beacon transaction. Two
conditions must be met before the Implant will attempt to beacon.
- Beacon Interval seconds have elapsed since the last beacon transaction.
- Target machine passes the ‘Process Check’, which is described below.
2. Beacon
The Implant sends a beacon to the Listening Post, initiating the transaction.
The beacon includes information about the state of the Implant, including:
- ID of the Implant
- Current Time on the target machine
- Time when the Implant last started execution
- Time when the Implant is scheduled to uninstall, if scheduled
- Index of Transport used to conduct current beacon
3. Download Tasking
The Implant downloads a Tasking file, if any are available, from the Listening
Post. The file is saved in the input directory with a random name between
five and twenty-five alphanumeric characters.
4. Execute Tasking
The Implant executes any tasking files it finds in the ‘input’ directory. Results
are generated, prepared for upload, and saved in the upload queue. The
results of task execution do not affect the success/failure of the beacon.
5. Upload Results
The Implant uploads files to the Listening Post from the upload queue. The
Implant will continue to upload files until the upload limit is met or the
upload queue is exhausted.
6. Update Beacon Interval
The Implant calculates the duration of the next beacon interval based on the
success or failure of the current beacon’s communications.
30
SECRET//ORCON//NOFORN