Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//ORCON//NOFORN
Appendix N: Frequently Asked Questions
What is the right way to change the beacon interval?
Run both set_beacon_params and safety in Collide with the updated interval. If the
change is meant to survive reboot, run persist_settings as well. If the safety is not
set, the next time there is no implant tasking, the interval will be reset to the
current safety value.
What can I do to get my results faster?
- Generate commands with a 'push' run mode. The implant will immediately
  upload the result, bypassing any files in the output queue and ignoring chunk
  size.
- Lower the beacon interval. This will increase the frequency at which the
  implant communicates with the listening post.
- Set a larger chunk size (using set_chunk_size).
  Note: This can be done after a large command, resulting in the implant
  uploading multiple smaller chunks during every beacon.
- Send an upload_all command to the implant.
  Warning: This may result in a large amount of bandwidth usage over a short
  period of time.
The implant is uploading too much data; how can I slow it down?
- Avoid running large commands with a 'push' run mode or placing large files in
  the push directory.
- Raise the beacon interval to space out upload operations.
- Set a smaller chunk size (using set_chunk_size).
  Note: Any file in the output queue will not be re-chunked to a smaller size;
  since at least one chunk is sent every beacon, this may not actually slow down
  the rate. Use clear_queue and re-run lost commands if the implant absolutely,
  positively must slow down.
How can I get the output of a third-party tool on target?
- Configure the tool to write result files to Assassin's output directory. The
  implant will automatically ingest the file and add it to the upload queue.
- Configure the tool to write result files to Assassin's push directory. The
  implant will automatically ingest the file and upload it immediately.
- Run the tool using execute_fg. The implant will collect the tool's stdout and
  exit code before saving the result for upload. Note: Assassin blocks on
  execute_fg tasks.
- Run the get or get_walk commands on the tool's output file or directory.
How can I tell if the implant DLL is running?
If the DLL implant is running, the DLL will be present at the configured location on
the file system and be undeletable. If you run 'tasklist /m <DLL name>' from the
command prompt, the module should be present in the appropriate process,
typically svchost.exe.
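
A defender-side counterpart to the check above, as an added example that is not part of the original document: it parses 'tasklist /m' output and reports modules loaded in svchost.exe that are absent from a known-good baseline. The sample output, the baseline set and the module name example_svc.dll are constructed for illustration.

```python
import re

# Constructed sample of `tasklist /m` output (not captured from a real host).
SAMPLE = """\
Image Name                     PID Modules
========================= ======== ============================================
svchost.exe                    912 ntdll.dll, kernel32.dll, KERNELBASE.dll,
                                   rpcss.dll
svchost.exe                   1340 ntdll.dll, kernel32.dll, example_svc.dll
explorer.exe                  2204 ntdll.dll, kernel32.dll, shell32.dll
System Idle Process              0 N/A
"""

# Assumed known-good module names for svchost.exe on this (hypothetical) host.
BASELINE = {"ntdll.dll", "kernel32.dll", "kernelbase.dll", "rpcss.dll"}

ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")  # image name, PID, first modules

def parse_tasklist_modules(text):
    """Return [(image, pid, [modules])], joining wrapped module lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue
        m = ROW.match(line)
        if m:                      # a new process row starts at column 0
            rows.append((m.group(1), int(m.group(2)), []))
            mods = m.group(3)
        elif rows:                 # indented continuation of the previous row
            mods = line
        else:
            continue
        rows[-1][2].extend(x.strip() for x in mods.split(",")
                           if x.strip() and x.strip() != "N/A")
    return rows

def unexpected_modules(rows, image="svchost.exe", baseline=BASELINE):
    """Map PID -> sorted modules loaded in `image` that are not in baseline."""
    hits = {}
    for img, pid, mods in rows:
        if img.lower() != image:
            continue
        extra = sorted({m.lower() for m in mods} - baseline)
        if extra:
            hits[pid] = extra
    return hits

if __name__ == "__main__":
    for pid, mods in unexpected_modules(parse_tasklist_modules(SAMPLE)).items():
        print(f"svchost.exe PID {pid}: review {', '.join(mods)}")
```

A module flagged this way still needs its on-disk path and signature checked before drawing a conclusion, since the baseline differs per host and service group.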