Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

Shadow v1.0 User Guide SECRET
1.0 (U) Introduction
(S) Shadow is an "airgap" jumping tool which utilizes removable USB drives as transports on a
network. Once multiple Shadow instances are installed and share drives, tasking and payloads
can be sent back-and-forth.
1.1 (U) Requirement
(S) The Intelligence Community has identified the need (requirement # 2012-0552) for a
capability to conduct asset validation via covert survey of an asset's machine.
1.2 (U) Purpose
(S) This User Guide describes how to use Shadow v1.0. The document provides the Shadow
configuration process, execution instructions, and postprocessor process.
2.0 (U) System Overview
(S) Configuration
o (S) Shadow uses a Windows GUI application for configuration. The user can select how much free space to leave on the target drive when storing data locally, whether or not to convert all USB drives to Shadow-usable drives (create covert partition), the name/description of the service, and default storage directories.
o (S) The Inbox directory is the receiving directory and is used only by servers. It is the directory that stores the collected take for later postprocessing.
o (S) The Outbox directory is used by all Shadow instances, and it stores the incoming/outgoing packets for tasking.
(S) Deployment and Execution
o (S) Once the configure tool completes successfully, you can deploy Shadow
on target machines. The installation mechanism can be whatever the operator selects,
so long as it gives us admin privileges to install Shadow as a service. To install
Shadow, run "Shadow.exe -i" or "Shadow.exe -iS" from a command line to install as
a client or server, respectively.