Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//ORCON//NOFORN
1 Assassin Beacon XML File Format
During the Assassin beacon cycle, the initial communication with the LP is always a
beacon. The beacon includes some basic information about the target and can be
useful when debugging communications issues with a target. The section below
describes the beacon XML format that Assassin uses.
XML Example
<Beacon version="1.0">
<TargetID>assn2Rlv</TargetID>
<TransportID>1</TransportID>
<CurrentDate>2011-12-12T18:21:22</CurrentDate>
<ExecuteDate>2011-12-12T17:29:49</ExecuteDate>
<UninstallOnDate />
</Beacon>
Attribute Definitions
version
The version attribute specifies the version of the beacon data format.
Field Definitions
TargetID
The TargetID field contains the target ID of the target uploading the file. It will
consist of an eight character string that consists of both the parent and child IDs.
In the example above, the ID provided by the target is “assn2Rlv”, which means
the target has a parent ID of “assn.” and a child ID of “2Rlv”.
TransportID
The TransportID field contains the index of the current transport being used to
communicate with the LP. Cross referencing this with the current transport list
definition will provide the operator with all of the information used to
communicate with the LP.
In the example above, the transport ID is 1, which means the second
configuration in the transport list is being used, due to the list indexing being
zero-based.
CurrentDate
The CurrentDate field provides the target system time and date at the time the
beacon occurred.
In the example above, the target systems current date is “2011-12-
12T18:21:22”, or December 12th, 2011 at 6:21:22 PM.
ExecuteDate
The ExecuteDate field provides the target system time when the Implant last
started.
124
SECRET//ORCON//NOFORN