Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//NOFORN
Gyrfalcon v1.0 User Manual Forensic Signature
execution are returned over the same network connection (all encrypted of course). It simply appears on
the network as if the legitimate session contains more data than it actually does.
5.4 Logging
SSH does log information about its control socket and duplexed connection when invoked using the -v
option. Hence, gyrfalcon does not attach to SSH sessions invoked in this way.
For a remote execution, nothing is logged on the remote host unless the remote SSH daemon is
configured to do so. The execute command is invoked as:
$ ssh user@remotehost /tmp/.x
So the command is not logged by the remote user's shell, because sshd forks and execs /tmp/.x directly rather than running it from a shell prompt as an interactive session would.
As noted in the dependencies section, the SELinux boolean 'deny_ptrace' can prevent Gyrfalcon from
running. If the boolean is enabled gyrfalcon will fail AND the failure will be logged.
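The two artefacts this section says a defender can see, as an added example that is not part of the manual: a small Python parser that flags non-interactive command sessions in sshd logs and SELinux ptrace denials. It assumes sshd logging at `LogLevel VERBOSE`, which (as I understand OpenSSH) emits the "Starting session:" lines used here; the log lines are constructed samples and every function name is my own.

```python
import re

# Constructed sample log lines (not from the manual). Formats are modelled on
# OpenSSH `LogLevel VERBOSE` session messages and SELinux AVC denials.
SAMPLE_LOG = """\
Jan 14 10:01:02 host sshd[4021]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
Jan 14 10:01:02 host sshd[4021]: Starting session: shell on pts/1 for alice from 192.0.2.10 port 51234 id 0
Jan 14 10:07:45 host sshd[4188]: Starting session: command for alice from 192.0.2.10 port 51300 id 0
Jan 14 10:07:45 host kernel: audit: type=1400 audit(1358157265.101:77): avc:  denied  { ptrace } for  pid=4190 comm="proc" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
Jan 14 10:09:00 host sshd[4201]: Starting session: subsystem 'sftp' for bob from 192.0.2.11 port 51400 id 0
"""

# "command" sessions run a single remote command with no pty: the shape of an
# `ssh user@host /tmp/.x` invocation, which a shell history never records.
SESSION_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Starting session: "
    r"(?P<kind>command|shell on \S+|subsystem '[^']+') "
    r"for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
# A deny_ptrace hit shows up as an AVC denial on the ptrace permission.
PTRACE_DENY_RE = re.compile(
    r"avc:\s+denied\s+\{ ptrace \} for\s+pid=(?P<pid>\d+) comm=\"(?P<comm>[^\"]*)\"")


def parse_sshd_sessions(text):
    """Return one dict per sshd 'Starting session' line, tagged interactive or not."""
    out = []
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            d = m.groupdict()
            d["interactive"] = d["kind"].startswith("shell")
            out.append(d)
    return out


def non_interactive_commands(text):
    """Sessions that executed a command directly rather than opening a shell."""
    return [s for s in parse_sshd_sessions(text) if s["kind"] == "command"]


def ptrace_denials(text):
    """SELinux denials of ptrace, i.e. attach attempts blocked by deny_ptrace."""
    return [m.groupdict() for m in map(PTRACE_DENY_RE.search, text.splitlines()) if m]


def report(text):
    """Counts of both signatures this section describes."""
    return {"command_sessions": len(non_interactive_commands(text)),
            "ptrace_denials": len(ptrace_denials(text))}


if __name__ == "__main__":
    for s in non_interactive_commands(SAMPLE_LOG):
        print(f"non-interactive ssh command: user={s['user']} from={s['ip']}:{s['port']} sshd_pid={s['pid']}")
    for d in ptrace_denials(SAMPLE_LOG):
        print(f"SELinux blocked ptrace: pid={d['pid']} comm={d['comm']}")
```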
January 2013 SECRET//NOFORN 13
