THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
...
Primary communications are carried over a C2 heartbeat. The heartbeat contains operational information about the C2 agent and can occur a configurable frequency. The heartbeat provides status information to the C2 server. The response from the heartbeat contains requested operations from the C2 server. These operations are then acknowledged if/when they are completed. This means that the heartbeat is the only operation initiated by the C2 agent and the C2 server responds directly to these heartbeats.
Protocols
HTTP/S Protocol
The HTTP/S protocol supports a url for heartbeating and acknowledging operations. These endpoints support the JSON structures defined below. C2 agents must send a heartbeat, defined above, to update the C2 server of its status and to receive operations. The frequency of these calls are up to the C2 agent to define.
Heartbeat structure
Heartbeats consist of a POST of the following Schema to the C2 heartbeat url. Metrics is a configurable list of metrics that can be returned, so the entirety of that object is optional.
| Advanced Tables - JSON Table | ||||
|---|---|---|---|---|
| ||||
{
"Components" : {
"FlowController" : "enabled",
"ProcessorName" : "enabled/disabled"
},
"DeviceInfo" : {
"NetworkInfo" : {
"deviceid" : "string",
"hostname" : "string",
"ip" : "string"
},
"SystemInformation" : {
"machinearch" : "string",
"physicalmem" : "string",
"vcores" : "string"
}
},
"metrics" : {
"ProcessMetrics" : {
"CpuMetrics" : {
"involcs" : "string"
},
"MemoryMetrics" : {
"maxrss" : "string"
}
},
"QueueMetrics" : {
"Connection" : {
"datasize" : "string",
"datasizemax" : "string",
"queued" : "string",
"queuedmax" : "string"
}
},
"RepositoryMetrics" : {
"flowfile" : {
"full" : "1/0",
"running" : "1/0",
"size" : "string"
},
"provenance" : {
"full" : "1/0",
"running" : "1/0",
"size" : "string"
}
}
},
"operation" : "heartbeat",
"state" : {
"running" : "true/false",
"uptime" : "string"
}
} |
| Advanced Tables - JSON Table | ||
|---|---|---|
| ||
{"operation" : "heartbeat",
"requested_operations": [ {
"operation" : "string",
"operationid": "string",
"name": "string",
"content" : [
{ "string" : "string" }
]
}
]
} |
...