Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//ORCON//NOFORN
6.6 Get Walk
The get walk command will cause the target to scan the target's directory structure
and return results based on the parameters provided to the command.
XML Example
<GetWalk>
    <RemoteDirectory>c:\temp</RemoteDirectory>
    <Wildcard>*</Wildcard>
    <Depth>10</Depth>
    <TimeCheckType>greater</TimeCheckType>
    <Date>2010-01-01T12:00:00</Date>
    <GetFile>
        <Bytes>1m</Bytes>
        <Offset>5m</Offset>
    </GetFile>
</GetWalk>
Field Definitions
Remote Directory
The remote directory field defines the full path to the directory that the target
Implant is to begin the scan in.
In the example above, the starting directory is “c:\temp”.
Wildcard
The wildcard field defines the expression to use when searching through the file
structure. The more refined the expression, the smaller the result set will be.
In the example above, the wildcard is set to “*”, which will return data for every
file found in the scan.
Depth
The depth field tells the Implant how many directories down from the starting
directory to search. A depth of 0 will only scan the starting directory.
In the example above, the depth is set to 10, which, depending on the search
string, could yield a very large result.
Time Check Type
The time check type field defines what type of comparison to use when checking
files. This field is used in conjunction with the Date field and can be any one of
the following values: no_check, greater, and less.
In the example above, the time check type field is set to “greater”, meaning only
files that have a modified date greater than the date provided in the date field
will be included in the results.
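For incident scoping, a recovered tasking in this format shows which files the scan would have reported. The following is an added example, not code from the original document: it reads the four fields defined above and applies them to a constructed file timeline. Matching the wildcard case-insensitively against the file name, counting Depth as directory levels below the start, and the defaults for missing fields are assumptions.

```python
import fnmatch
import xml.etree.ElementTree as ET
from datetime import datetime
from pathlib import PureWindowsPath

# Tasking copied from the XML example on this page.
TASKING = r"""<GetWalk><RemoteDirectory>c:\temp</RemoteDirectory>
<Wildcard>*</Wildcard><Depth>10</Depth>
<TimeCheckType>greater</TimeCheckType><Date>2010-01-01T12:00:00</Date>
<GetFile><Bytes>1m</Bytes><Offset>5m</Offset></GetFile></GetWalk>"""
# Constructed timeline rows (path, modified time), as from an MFT export.
TIMELINE = [(r"C:\Temp\notes.txt", "2010-03-04T09:15:00"),
            (r"C:\Temp\old.log", "2009-12-31T23:59:59"),
            (r"C:\Temp\a\b\report.doc", "2011-06-01T00:00:00"),
            (r"C:\Users\bob\plan.txt", "2012-01-01T00:00:00")]

def _parts(path):  # Windows paths compare case-insensitively
    return [s.lower() for s in PureWindowsPath(path).parts]

def parse_tasking(xml_text):
    """Read the fields this page defines; GetFile is left uninterpreted."""
    root = ET.fromstring(xml_text)
    start, date = root.findtext("RemoteDirectory"), root.findtext("Date")
    check = root.findtext("TimeCheckType", "no_check")
    if root.tag != "GetWalk" or not start:
        raise ValueError("not a GetWalk tasking")
    if check not in ("no_check", "greater", "less") or (check != "no_check" and not date):
        raise ValueError("bad TimeCheckType/Date pair")
    return {"root": _parts(start), "check": check,
            "wildcard": root.findtext("Wildcard", "*").lower(),
            "depth": int(root.findtext("Depth", "0")),
            "date": datetime.fromisoformat(date) if date else None}

def in_scope(task, path, mtime):
    """True if a timeline row matches directory, depth, wildcard and time."""
    parts, root = _parts(path), task["root"]
    if len(parts) <= len(root) or parts[:len(root)] != root:
        return False  # outside the starting directory
    if len(parts) - len(root) - 1 > task["depth"]:
        return False  # deeper than Depth (0 = starting directory only)
    if not fnmatch.fnmatchcase(parts[-1], task["wildcard"]):
        return False  # assumption: the wildcard tests the file name
    if task["check"] == "no_check":
        return True
    return mtime > task["date"] if task["check"] == "greater" else mtime < task["date"]

def scoped_files(xml_text, rows):
    task = parse_tasking(xml_text)
    return [p for p, m in rows if in_scope(task, p, datetime.fromisoformat(m))]
```

Calling `scoped_files(TASKING, TIMELINE)` returns the timeline paths that fall inside the tasking's directory, depth, wildcard and time window.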
Date