mirror of
https://github.com/Ed1s0nZ/CyberStrikeAI.git
synced 2026-07-10 22:33:48 +02:00
69 lines
2.1 KiB
Markdown
69 lines
2.1 KiB
Markdown
# C2 Guide
|
|
|
|
[中文](../zh-CN/c2.md)
|
|
|
|
The built-in C2 subsystem is for authorized environments only. Disable it when not needed:
|
|
|
|
```yaml
|
|
c2:
|
|
enabled: false
|
|
```
|
|
|
|
## Objects
|
|
|
|
- Listener: receives sessions.
|
|
- Session: connected implant/session.
|
|
- Task: command or operation assigned to a session.
|
|
- Payload: generated binary or one-liner.
|
|
- Profile: communication configuration.
|
|
- Event: runtime event stream.
|
|
- File: upload/download channel.
|
|
|
|
APIs live under `/api/c2`; disabled C2 returns `503 c2_disabled`.
|
|
|
|
## Lifecycle
|
|
|
|
Correct C2 operation is a lifecycle:
|
|
|
|
1. Authorization: project, targets, time window, allowed actions.
|
|
2. Profile design: transport, sleep, callback address.
|
|
3. Listener start: port, network path, logs.
|
|
4. Payload generation: hash, purpose, delivery method.
|
|
5. Session intake: confirm host identity and privilege.
|
|
6. Tasking: only authorized tasks.
|
|
7. Result archival: project facts or report.
|
|
8. Cleanup: stop listeners, delete payloads, clear stale sessions/events.
|
|
|
|
Skipping authorization and profile design makes the rest hard to audit.
|
|
|
|
## Task Classification
|
|
|
|
| Level | Example | Approval |
|
|
| --- | --- | --- |
|
|
| L1 read-only identity | `whoami`, hostname | audit agent may approve |
|
|
| L2 environment enum | interfaces, processes | strict review |
|
|
| L3 file access | read config, download result | human confirms path |
|
|
| L4 change execution | upload, run script, sleep change | human approval |
|
|
| L5 persistence/lateral/destructive | startup, creds, delete, spread | reject unless explicit authorization |
|
|
|
|
Put this classification into HITL prompts for practical decisions.
|
|
|
|
## Review Questions
|
|
|
|
- Which listener received which session?
|
|
- Who generated the payload and when?
|
|
- Which authorized target does the session represent?
|
|
- Which tasks were issued?
|
|
- Were outputs saved into facts or reports?
|
|
- Were listener and payload cleaned up?
|
|
|
|
## Source Anchors
|
|
|
|
- Manager: `internal/c2/manager.go`
|
|
- Listener: `internal/c2/listener.go`
|
|
- HTTP listener: `internal/c2/listener_http.go`
|
|
- TCP listener: `internal/c2/listener_tcp.go`
|
|
- Payload: `internal/c2/payload_builder.go`
|
|
- Handler: `internal/handler/c2.go`
|
|
- MCP tools: `internal/app/c2_tools.go`
|