mirror of
https://github.com/Ed1s0nZ/CyberStrikeAI.git
synced 2026-07-10 14:28:43 +02:00
Add files via upload
This commit is contained in:
@@ -0,0 +1,68 @@
|
||||
# C2 Guide
|
||||
|
||||
[中文](../zh-CN/c2.md)
|
||||
|
||||
The built-in C2 subsystem is for authorized environments only. Disable it when not needed:
|
||||
|
||||
```yaml
|
||||
c2:
|
||||
enabled: false
|
||||
```
|
||||
|
||||
## Objects
|
||||
|
||||
- Listener: receives sessions.
|
||||
- Session: connected implant/session.
|
||||
- Task: command or operation assigned to a session.
|
||||
- Payload: generated binary or one-liner.
|
||||
- Profile: communication configuration.
|
||||
- Event: runtime event stream.
|
||||
- File: upload/download channel.
|
||||
|
||||
APIs live under `/api/c2`; disabled C2 returns `503 c2_disabled`.
|
||||
|
||||
## Lifecycle
|
||||
|
||||
Correct C2 operation is a lifecycle:
|
||||
|
||||
1. Authorization: project, targets, time window, allowed actions.
|
||||
2. Profile design: transport, sleep, callback address.
|
||||
3. Listener start: port, network path, logs.
|
||||
4. Payload generation: hash, purpose, delivery method.
|
||||
5. Session intake: confirm host identity and privilege.
|
||||
6. Tasking: only authorized tasks.
|
||||
7. Result archival: project facts or report.
|
||||
8. Cleanup: stop listeners, delete payloads, clear stale sessions/events.
|
||||
|
||||
Skipping authorization and profile design makes the rest hard to audit.
|
||||
|
||||
## Task Classification
|
||||
|
||||
| Level | Example | Approval |
|
||||
| --- | --- | --- |
|
||||
| L1 read-only identity | `whoami`, hostname | audit agent may approve |
|
||||
| L2 environment enum | interfaces, processes | strict review |
|
||||
| L3 file access | read config, download result | human confirms path |
|
||||
| L4 change execution | upload, run script, sleep change | human approval |
|
||||
| L5 persistence/lateral/destructive | startup, creds, delete, spread | reject unless explicit authorization |
|
||||
|
||||
Put this classification into HITL prompts for practical decisions.
|
||||
|
||||
## Review Questions
|
||||
|
||||
- Which listener received which session?
|
||||
- Who generated the payload and when?
|
||||
- Which authorized target does the session represent?
|
||||
- Which tasks were issued?
|
||||
- Were outputs saved into facts or reports?
|
||||
- Were listener and payload cleaned up?
|
||||
|
||||
## Source Anchors
|
||||
|
||||
- Manager: `internal/c2/manager.go`
|
||||
- Listener: `internal/c2/listener.go`
|
||||
- HTTP listener: `internal/c2/listener_http.go`
|
||||
- TCP listener: `internal/c2/listener_tcp.go`
|
||||
- Payload: `internal/c2/payload_builder.go`
|
||||
- Handler: `internal/handler/c2.go`
|
||||
- MCP tools: `internal/app/c2_tools.go`
|
||||
Reference in New Issue
Block a user