Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
Directory used for this target in the deploy directory
--base-url BASE_URL Base URL that will be prepended to the deploy-dir
File
Explanation of values:
• Name – Human-readable name, never sent to target.
• Architecture – Target machine architecture. AM must match the actual machine architecture, and cannot run as 32-bit on a 64-bit machine.
• LP Host – Hostname/IP address of the Octopus Listening Post.
• LP Port – Port to call in to. Usually 443 for standard HTTPS.
• Dead Man Delay – If this time span passes without a successful connection to the LP, AM will uninstall. Can be entered as a “complex number,” e.g., ‘4d3h’ for four days, three hours.
• Beacon Interval – How often to call in to the LP.
• Jitter – Random offset to apply to the beacon interval, such that the actual interval will be calculated as Interval + rand(-Jitter, +Jitter).
• Chunk Size – Target amount of data to exfiltrate on each beacon cycle. Note that more data may be sent if a gremlin absolutely demands to send more.
• Uninstall Date – Date, in ISO format, on which AM will automatically uninstall.
• Initial Delay – Delay after each reboot until AM begins beaconing and execution.
• Deploy Directory – Unique web path that files will be GET and POSTed to/from.
• Base URL – Prepended common directory for all targets of the same LP. The final callback URL will be https://<LP>/<Base URL>/<Deploy Dir>/. That must be unique for each individual target.
Note that while multiple targets can reasonably share a single build, there should be
a 1-to-1 relationship between targets and actual deployed instances.
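From a detection standpoint, the Beacon Interval, Jitter and per-target callback URL described above leave a recognisable trace in proxy logs: a single client requesting a single URL path, with gaps bounded by Interval ± Jitter. The following is an added example, not part of the original document; the hosts, paths, row layout and thresholds are constructed assumptions, and the min/max fit assumes every beacon was logged (one missed call-in widens the estimated jitter).

```python
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2024, 1, 1)

def _rows(client, host, path, offsets):
    """Build constructed proxy-log rows: (iso_time, client, host, path)."""
    return [((T0 + timedelta(seconds=s)).isoformat(), client, host, path) for s in offsets]

# Constructed sample: one jittered beacon, one shared auto-refresh page, one bursty user.
SAMPLE = (
    _rows("10.0.0.5", "lp.example", "/base/deploy-a/", [0, 3500, 7200, 10600, 14400, 18000, 21650])
    + _rows("10.0.0.7", "intranet.example", "/news/", range(0, 4200, 600))
    + _rows("10.0.0.8", "intranet.example", "/news/", range(30, 4230, 600))
    + _rows("10.0.0.9", "shop.example", "/cart", [0, 5, 9, 2700, 2702, 15000])
)

def fit_beacon(times, min_events=6, max_ratio=0.5):
    """Fit gaps to Interval + rand(-Jitter, +Jitter); return None if they do not fit."""
    if len(times) < min_events:
        return None
    times = sorted(times)
    deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    lo, hi = min(deltas), max(deltas)
    interval, jitter = (lo + hi) / 2, (hi - lo) / 2   # midpoint and half-width of the gap range
    if interval <= 0 or jitter / interval > max_ratio:  # human traffic: jitter ~ interval
        return None
    return {"interval_s": interval, "jitter_s": jitter, "events": len(times)}

def find_beacons(rows):
    """Return {(client, host, path): fit} for URLs requested by exactly one client."""
    by_key, clients_per_url = defaultdict(list), defaultdict(set)
    for ts, client, host, path in rows:
        by_key[(client, host, path)].append(datetime.fromisoformat(ts))
        clients_per_url[(host, path)].add(client)
    hits = {}
    for key, times in by_key.items():
        if len(clients_per_url[key[1:]]) != 1:  # callback URL is unique per target
            continue
        fit = fit_beacon(times)
        if fit:
            hits[key] = fit
    return hits

if __name__ == "__main__":
    for key, fit in find_beacons(SAMPLE).items():
        print(key, fit)
```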