Files
CyberStrikeAI/docs/en-US/c2.md
T
2026-07-07 14:04:18 +08:00

69 lines
2.1 KiB
Markdown

# C2 Guide
[中文](../zh-CN/c2.md)
The built-in C2 subsystem is for authorized environments only. Disable it when not needed:
```yaml
c2:
enabled: false
```
## Objects
- Listener: receives sessions.
- Session: connected implant/session.
- Task: command or operation assigned to a session.
- Payload: generated binary or one-liner.
- Profile: communication configuration.
- Event: runtime event stream.
- File: upload/download channel.
APIs live under `/api/c2`; disabled C2 returns `503 c2_disabled`.
## Lifecycle
Correct C2 operation is a lifecycle:
1. Authorization: project, targets, time window, allowed actions.
2. Profile design: transport, sleep, callback address.
3. Listener start: port, network path, logs.
4. Payload generation: hash, purpose, delivery method.
5. Session intake: confirm host identity and privilege.
6. Tasking: only authorized tasks.
7. Result archival: project facts or report.
8. Cleanup: stop listeners, delete payloads, clear stale sessions/events.
Skipping authorization and profile design makes the rest hard to audit.
## Task Classification
| Level | Example | Approval |
| --- | --- | --- |
| L1 read-only identity | `whoami`, hostname | audit agent may approve |
| L2 environment enum | interfaces, processes | strict review |
| L3 file access | read config, download result | human confirms path |
| L4 change execution | upload, run script, sleep change | human approval |
| L5 persistence/lateral/destructive | startup, creds, delete, spread | reject unless explicit authorization |
Put this classification into HITL prompts for practical decisions.
## Review Questions
- Which listener received which session?
- Who generated the payload and when?
- Which authorized target does the session represent?
- Which tasks were issued?
- Were outputs saved into facts or reports?
- Were listener and payload cleaned up?
## Source Anchors
- Manager: `internal/c2/manager.go`
- Listener: `internal/c2/listener.go`
- HTTP listener: `internal/c2/listener_http.go`
- TCP listener: `internal/c2/listener_tcp.go`
- Payload: `internal/c2/payload_builder.go`
- Handler: `internal/handler/c2.go`
- MCP tools: `internal/app/c2_tools.go`