Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//NOFORN
Gyrfalcon v1.0 User Manual Configuration
To edit a target, use the 'e' command with the same target id. Any (or all) of the three per-target elements (IP, CB, EXE) can be
specified on the edit command line:
cfg > e 1 IP=192.168.2.2/30 CB=ignore EXE=/path/to/dangerous_executable
If an element is omitted, its value remains unchanged.
2.2.1 Target Address Specification
The IPv4 or IPv6 address is used to identify remote hosts we wish to log the SSH session for or run an
executable on. Below are some example target address specifications:
IPv4               IPv6               Notes
192.168.1.1        2001:db8::1        Target applies to a single IP address.
                                      Implied netmask of 32 or 128 bits.
192.168.1.1/24     2001:db8::1/64     Target applies to an entire subnet.
                                      The following IPs are targeted in the example:
                                      192.168.1.[0-255]
                                      2001:db8:0000:0000:[0000:0000:0000:0000 - ffff:ffff:ffff:ffff]
1.1.1.1/0          ::1/0              Netmask of zero overrides the default behavior (ignore all) for any
                                      otherwise unmatched address.
host.domain.com                       Targets may be specified by hostname. However, this is not
                                      recommended. If a user connects using the IP address instead of the
                                      hostname, the target specification will not match. IP address
                                      specifications, on the other hand, will match either way.
It is important to note that Gyrfalcon matches targets using the most specific rule in its configuration.
So, for example a configuration that specifies two targets 192.168.1.1 and 192.168.1.0/24 would use the
first target specification for remote host 192.168.1.1, and the second for all other IP addresses in the
192.168.1.0/24 subnet.
2.2.2 Target Collection Behavior
The collection behavior specifies the type of logging that Gyrfalcon should perform on SSH connections
to the matched target. The four options are identified below.
Collection Behavior   Description
ignore                Ignore the matched target. Do not log anything.
connections           Record connection events to the matched target, but nothing else.
credentials           Record login credentials to the matched target, but nothing else.
full                  Record everything: connection event, login credentials, and entire session log.
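As an added example, not Gyrfalcon's own code, the following Python works out which collection behavior the matching rules described above (implied /32 or /128, most-specific rule wins, /0 as the catch-all, hostname targets matching only a literal hostname) would apply to a given SSH destination; it is the kind of helper an analyst reviewing a recovered configuration might write to see which hosts would have been logged. The field names IP, CB and EXE come from the manual; the sample targets are constructed, and no DNS resolution is performed, so a hostname destination is checked only against hostname targets.

```python
from ipaddress import ip_address, ip_network

# Unmatched addresses are ignored unless a /0 target overrides this (per the manual).
DEFAULT_BEHAVIOR = "ignore"

def parse_target(spec):
    """Parse one 'IP=... CB=... EXE=...' target string (field names from the manual)."""
    fields = dict(part.split("=", 1) for part in spec.split())
    target = {"cb": fields.get("CB", DEFAULT_BEHAVIOR), "exe": fields.get("EXE"),
              "net": None, "host": None}
    try:
        # A bare address gets the implied /32 or /128; "1.1.1.1/0" becomes 0.0.0.0/0.
        target["net"] = ip_network(fields["IP"], strict=False)
    except ValueError:
        # Not an address: treat it as a hostname target (matches only a literal hostname).
        target["host"] = fields["IP"]
    return target

def resolve(targets, destination):
    """Return the collection behavior applied to the destination the client actually used."""
    try:
        addr = ip_address(destination)
    except ValueError:
        addr = None  # the client connected by hostname, which is not resolved here
    best = None
    for t in targets:
        if addr is not None and t["net"] is not None:
            if addr.version == t["net"].version and addr in t["net"]:
                # Most specific rule wins: longer prefix beats shorter, /0 is the catch-all.
                if best is None or t["net"].prefixlen > best["net"].prefixlen:
                    best = t
        elif addr is None and t["host"] == destination:
            best = t
    return best["cb"] if best else DEFAULT_BEHAVIOR

# Constructed sample configuration mirroring the manual's examples.
TARGETS = [parse_target(s) for s in (
    "IP=192.168.1.1 CB=full",
    "IP=192.168.1.0/24 CB=connections",
    "IP=1.1.1.1/0 CB=credentials",
    "IP=host.domain.com CB=full",
)]

if __name__ == "__main__":
    for dest in ("192.168.1.1", "192.168.1.77", "10.0.0.5", "host.domain.com", "2001:db8::5"):
        print(f"{dest:>16} -> {resolve(TARGETS, dest)}")
```

Note that 2001:db8::5 falls back to "ignore": the IPv4 /0 target does not cover IPv6, so an IPv6 catch-all would need its own ::/0 entry.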
January 2013 SECRET//NOFORN 3
