THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
-
| Table of Contents |
|---|
C2 Protocol Introduction
...
| Operation Name | Description | ||
|---|---|---|---|
ACKNOWLEDGE | Operation used by MiNiFi C2 agents to acknowledge the receipt and execution of a C2 server requested operation | ||
CLEAR | Clears flow connection queues or repositories on the C2 agent | ||
| CONSUME | Consumes a heartbeat with an agent to avoid sending from other agents. Allows multiplexing responses from a condensed agent response. | ||
DESCRIBE | Currently Unused | ||
| EXECUTE | Executes commands on the agent's operating system. This feature may be disabled for any agent. | ||
HEARTBEAT | Heartbeat provides status and operational capabilities to C2 server(s) | ||
| PAUSE | Pauses the execution of flows on | UPDATE | Updates components of the C2 agent or the flow configuration. |
| REPLICATE | Replicates agent state between agents, with the ability to place agents in standby mode until they are needed. | ||
RESTART | Restarts C2 agents | ||
| RESUME | Resumes the execution of flows on the C2 agent | ||
START | Starts components within the C2 agents | ||
| STOP | Stops components within the C2 agent | ||
| SUBSCRIBE | Allows servers or agents to subscribe to an agent's heartbeat , requesting specific information for the next heartbeat. | ||
| TRANSFER | Transfers an object between the C2 agent and C2 designator. | ||
| UPDATE | Updates components of the C2 agent or the flow configuration. |
C2 Requirements
The requirements are an evolving list that have grown organically from an implementation. Any other portions of a heartbeat are considered optional.
...
| Advanced Tables - JSON Table | ||
|---|---|---|
| ||
{"operation" : "heartbeat",
"requested_operations": [ {
"operation" : "restart",
"operationid" : "string",
"name": "component name",
}
]
} |
Acknowledgements.
...
Pause
Pauses the execution of flows on the C2 agent (if the agent is running and is not in paused state), while the agent keeps running and heartbeating.
| Advanced Tables - JSON Table | ||
|---|---|---|
| ||
{"operation" : "acknowledgeheartbeat",
"operationidrequested_operations": [ {
"operation" : "pause",
"operationid" : "string",
}
]
} |
Resume
Resumes the execution of flows on the C2 agent if the agent is in paused state.| Advanced Tables - JSON Table | ||
|---|---|---|
| ||
{"operation" : "heartbeat",
"requested_operations": [ {
"operation" : "resume",
"operationid" : "string",
}
]
} |
Acknowledgements.
Acknowledgements occur through a separate URL. This URL will receive a POST that contains the following payload, which acknowledges that the operation ID was received and executed.
| Advanced Tables - JSON Table | ||
|---|---|---|
| ||
{"operation": "acknowledge", "operationid" : " : "string" } |
MQTT Protocol
MQTT can be used as a connecting protocol in lieu of a RESTFul Service. Additionally, MQTT can be used within an enclave and then as conversion to RESTFul to support MQTT → HTTP comms.
...
| Operation Name | Description | operand/name | content/args |
|---|---|---|---|
ACKNOWLEDGE | Operation used by MiNiFi C2 agents to acknowledge the receipt and execution of a C2 server requested operation | N/A | |
| CLEAR | Clear repositories | repositories | N/A |
CLEAR | Clears the connection queues | connection | connection1=<connection name>, connection2=<connection 2> ... Will also accept a list <connection name1>,<connection name2>, ... |
| CONSUME | Consumes a heartbeat within an agent to avoid sending from other agents | N/A | N/A |
DESCRIBE | Return metrics | metrics | metricsClass=<metric class to obtain> |
| DESCRIBE | configuration | N/A | N/A |
| DESCRIBE | manifest | N/A | N/A |
| DESCRIBE | policy events – Based on the defined policies | ||
| EXECUTE | Executes commands per the agent's defined policies | command | arguments |
| HEARTBEAT | heartbeat operation – may contain embedded heartbeats. | ||
| HEARTBEAT | nonce of combined heartbeats | ||
UPDATE | Update flow | configuration | location=<URL to updated flow file> |
| UPDATE | Update c2 properties | c2 | configkey1=configvalue1, configkey2=configvalue2 ... *configkey1 is a configuration option that is updated and its new value | UPDATE | Update configuration options defined within agent policies |
| PAUSE | Pauses C2 agents | N/A | N/A |
| REPLICATE | Replicates an Agent's state to another agent; with standby true the replicant is paused and awaits restart. | agent | standby=true/false |
| REPLICATE | Tells agents to replicate state to nearby agents | server | |
RESTART | Restarts C2 agents | N/A | N/A |
| RESUME | Resumes C2 agents | N/A | N/A |
START | Starts components within the C2 agents | <name of component to start> | N/A |
| STOP | Stops components within the C2 agent | <name of component to stop> | N/A |
| SUBSCRIBE | Subscripts a C2 server to internal respondables ( Metrics , configuration, and policy/audit events ) . These will be placed into the heartbeat | enable/disable | subscribe=metrics, subscribe=configuration, subscribe=auditevents |
| TRANSFER | Transfers an object between the C2 agent and C2 designator. | N/A | N/A |
UPDATE | Update flow | configuration | location=<URL to updated flow file> |
| UPDATE | Update c2 properties | c2 | configkey1=configvalue1, configkey2=configvalue2 ... *configkey1 is a configuration option that is updated and its new value |
| UPDATE | Update configuration options defined within agent policies | ||
| UPDATE | Update agent | agent | location=<URL to agent binary or diff> partial=true/false ( optional) |
| UPDATE | Update agent | agent | location=<URL to agent binary or diff> partial=true/false ( optional) |
RESTART | Restarts C2 agents | N/A | N/A |
| REPLICATE | Replicates an Agent's state to another agent; with standby true the replicant is paused and awaits restart. | agent | standby=true/false | REPLICATE | Tells agents to replicate state to nearby agents | server |
START | Starts components within the C2 agents | <name of component to start> | N/A |
| STOP | Stops components within the C2 agent | <name of component to stop> | N/A |
| SUBSCRIBE | Subscripts a C2 server to internal respondables ( Metrics , configuration, and policy/audit events ) . These will be placed into the heartbeat | enable/disable | subscribe=metrics, subscribe=configuration, subscribe=auditevents |
| TRANSFER | Transfers an object between the C2 agent and C2 designator. | N/A | N/A
Operations and their operands for agents (Version 3)
...