Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//ORCON//NOFORN
ProxyCredentials
The proxy credentials tag is used to define credentials to pass to an
authenticating proxy during communication. If configured, the tag will
include two sub-tags, Username and Password. This tag is only used
for HTTPS transport types.
PathList
The path list tag defines path elements that will be used to generate
random URL paths. During communication, the text of one of the Path
tags will be randomly selected and inserted into the randomized path
to the listening post or redirector. If no path elements are provided,
they are randomly generated on target as needed. This tag is only
used for HTTPS transport types.
ShareList
The share list tag defines share names that will be used to identify the
listening post. During communication, the LP is mounted as a share
and randomly named by the text of one of the Share tags. If no share
names are provided, they are randomly generated on target as
needed. This tag is only used for WebDAV transport types.
TempDir
The temp directory tag defines a location on target where comms
payloads can be copied before upload. The temp dir is used to remove
the file being uploaded from the Assassin directories in case of a failure
during communication that could bring scrutiny on the file in question.
This tag is only used for WebDAV transport types.
In the example above, we have defined two transports, WebDAV and HTTPS. The
WebDAV configuration allows for two failures, and will attempt to connect to the
host “assassin_lp”, which can be either a defined host name or an IP. When
connecting, it will copy the data to transfer to the “c:\temp” directory to further
obfuscate the source of the data. It will then use the provided share name to
attempt the communications. The HTTPS configuration also allows for two
failures, and it will attempt to communicate to the same LP. It will attempt this
communication on port 443, using one of the provided path elements, and it
doesn’t have any proxy credentials provided.
Uninstall
Assassin provides two methods for defining when to uninstall the target. The
uninstall time can be defined with a specific time and date, or with a set number
of seconds. The shorter of the two will be used. Both of these values are
optional, and can be changed later using a task.
In the example above, the number of seconds before uninstall has been defined
as 5 days using the Assassin complex numbering system, and the uninstall date
has been set to the 12th of December 2012.
Whitelist