Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
LISTENING POST OPTIONS
Aeris is compatible with either a standalone, CGI-based LP or with Collide. The differences
are described below.
Note: Both the Collide lowside and the CGI standalone server require the implant's
certificates for mutually authenticated SSL. The example script - inst.txt contains example
instructions on how to put the certs in the correct place on the LP. We recommend that the
operator not run this script directly, but use it only as a guide.
COLLIDE INTEGRATION
The Aeris Collide handlers are Python packages used to interface between Aeris and the
Collide Automated Implant Command and Control system. Aeris provides handlers that define
the user interface and facilitate Implant communication. Different sets of handlers are used
for the Collide high-side and low-side to limit the exposure of code on the unclassified,
internet-facing low-side.
For information on installing and running Collide, see the Collide User's Guide. This guide
only covers the use of the handlers developed for Aeris and the special steps required to
set up the keys on the listening post.
High-side Handlers
The high-side Collide handlers are responsible for defining the user interface, providing
crypto services, and supporting the post processing of Implant communications.
Payload
Aeris's Collide Payload defines the user interface required to task implants. The UI
provided through Collide is similar to that provided in the Tasker. One distinction is that
Collide consumes tasks directly, while the Tasker saves tasks to a file. Another is that
the receipt file with keys is automatically loaded when a user selects a target. The
high-side payload consists of one file, the payload init file. The high-side payload
requires the Aeris Python module, named 'aeris'. The module should be located within the
Aeris payload on the Collide high-side.
Registering a new Target
To register a new target on Collide, in the Collide prompt type registertarget .
Post Processing Rule
Aeris includes one Collide rule intended to support the post processing of result files,
called 'Aeris_meta_extraction_rule.py'. The rule simply sends encrypted copies of files
received from any Aeris Implant to the input directory of the Post Processor.
The path of the directory may be specified in the body of the rule by modifying the value of
_POST_PROCESSOR_INPUT_DIR; it defaults to '/tmp/Aeris_input/'.
Low-side Handlers
The low-side handlers are responsible for Aeris communications via the Collide listening
post.
The low-side payload consists of the payload init file and the handler for HTTPS. Unlike the
high-side, the low-side payload does not require the Aeris Python module.
Adding Certs to Low-Side
To configure Apache on the low side with the right domains and certs for each domain, the
operator needs to run the -inst.txt script on the LP for each domain. This file is found in
the lp folder in the build directory for the implant. If there are multiple domains
registered, the script for every one of them must be run on the low side.
To run those scripts on the LP, the operator must first log in as root, which is explained
in the Collide documentation. Then the operator must remount the root partition read-write,
using the following command:
# mount -n -o remount,rw /
Run the script for each domain and log out.
SECRET//NOFORN