Files
CyberStrikeAI/docs/en-US/c2.md
T
2026-07-07 14:04:18 +08:00

2.1 KiB

C2 Guide

中文

The built-in C2 subsystem is for authorized environments only. Disable it when not needed:

c2:
  enabled: false

Objects

  • Listener: receives sessions.
  • Session: connected implant/session.
  • Task: command or operation assigned to a session.
  • Payload: generated binary or one-liner.
  • Profile: communication configuration.
  • Event: runtime event stream.
  • File: upload/download channel.

APIs live under /api/c2; disabled C2 returns 503 c2_disabled.

Lifecycle

Correct C2 operation is a lifecycle:

  1. Authorization: project, targets, time window, allowed actions.
  2. Profile design: transport, sleep, callback address.
  3. Listener start: port, network path, logs.
  4. Payload generation: hash, purpose, delivery method.
  5. Session intake: confirm host identity and privilege.
  6. Tasking: only authorized tasks.
  7. Result archival: project facts or report.
  8. Cleanup: stop listeners, delete payloads, clear stale sessions/events.

Skipping authorization and profile design makes the rest hard to audit.

Task Classification

Level Example Approval
L1 read-only identity whoami, hostname audit agent may approve
L2 environment enum interfaces, processes strict review
L3 file access read config, download result human confirms path
L4 change execution upload, run script, sleep change human approval
L5 persistence/lateral/destructive startup, creds, delete, spread reject unless explicit authorization

Put this classification into HITL prompts for practical decisions.

Review Questions

  • Which listener received which session?
  • Who generated the payload and when?
  • Which authorized target does the session represent?
  • Which tasks were issued?
  • Were outputs saved into facts or reports?
  • Were listener and payload cleaned up?

Source Anchors

  • Manager: internal/c2/manager.go
  • Listener: internal/c2/listener.go
  • HTTP listener: internal/c2/listener_http.go
  • TCP listener: internal/c2/listener_tcp.go
  • Payload: internal/c2/payload_builder.go
  • Handler: internal/handler/c2.go
  • MCP tools: internal/app/c2_tools.go