Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
Postprocessing Gyrfalcon v1.0 User Manual
Key           Value Description
------------  ------------------------------------------------------------
command_line  The full SSH command line as typed by the target user.
dest_addr     The IP address of the destination (use this to specify
              targets in the config file)
executed      A list of dictionaries that contain output from the executed
              command (if any). Each entry contains two keys ('data', and
              'timestamp'). The final entry in the list is also a
              dictionary with a 'status' key that indicates the return
              code of the executable.
packets       A list of dictionaries that contain session log data. Each
              dictionary in the list has two keys ('data', and
              'timestamp').
session_id    Process id of the target (an artifact of the collection
              file, not particularly useful).
timestamp     Timestamp of the start of the session.
username      Name of the user that typed the ssh command (useful if the
              command_line did not include a username).
January 2013