Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//ORCON//NOFORN
7.9.2 Directories
The Implant Executable will create five directories on the target file system that
is uses to manage communications and tasking. The Implant will ignore
subdirectories, allowing the directories to be nested with other directories,
including other Assassin directories, without affecting operation.
Input
Assassin tasking files are downloaded to and stored in the input directory until
they can be processed by the Implant. Tasking files are given a random filename
between five and twenty-five alphanumeric characters.
Startup
Assassin tasking files designated for startup execution are moved to the startup
directory and processed once whenever the Implant starts. They retain the
filename they had/were given in the input directory.
The directory may also contain a configuration file of the implant’s persisted
settings with a random filename and extension.
Output
Files placed in the output directory are packaged and placed in the upload queue
for transmission during the next beacon.
Third-party tools may use this feature to forward files to the listening post.
Push
Files placed in the push directory are packaged and uploaded immediately,
ignoring the beacon interval and chunk size. If the Implant is unable to upload
the file, it is placed in the upload queue with priority status.
Third-party tools may use this feature to forward files to the listening post.
Staging
The Implant uses the staging directory to manage its upload queue. Files created
in this directory are given a random filename of eight alphanumeric characters
and a numeric counter.
This directory is reserved for Implant use. The behavior of files placed in this
directory is undefined.
54
SECRET//ORCON//NOFORN