C2 Overview

C2 (Command and Control) consists of a C2 Server and C2 Agents (clients). MiNiFi agents that implement the C2 protocol are able to communicate with the C2 server. Currently an HTTP/HTTPS RESTful paradigm exists to deliver C2 capabilities to MiNiFi C2 agents. At the core of the protocol is the periodic heartbeat sent from clients to the server. Every command and control mechanism is driven and triggered by the responses to these heartbeat messages. Because of this "flipped" direction, the C2 Server does not need to know the clients' locations beforehand; it learns of them from their first heartbeat messages.

C2 Operations

Agents are controlled via operation (and operand) combinations sent in the heartbeat responses.

C2 Agent → C2 Server

Operation Name | Description
---------------|------------
HEARTBEAT      | Heartbeat provides status and operational capabilities to C2 server(s)
ACKNOWLEDGE    | Used by MiNiFi C2 agents to acknowledge the receipt and execution of a C2 server requested operation

C2 Server → C2 Agent

Operation Name | Operand Name  | Arguments         | Description
---------------|---------------|-------------------|------------
DESCRIBE       | MANIFEST      | N/A               | Requesting manifest information from the agent
UPDATE         | CONFIGURATION | location, persist | Initiating a flow configuration update on the agent side (arguments and steps below)

Arguments of UPDATE / CONFIGURATION:

  • location: the URI where the new configuration can be downloaded from
  • persist: true/false - whether the new configuration should be persisted or not

Steps of a flow configuration update:

  • Flow is published on the server side
  • Agent receives an UPDATE / CONFIGURATION operation in the next heartbeat response
  • Agent downloads the flow from the "location"
  • Agent applies the new flow
  • Agent acknowledges the UPDATE operation to the server with a success result
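The heartbeat-driven exchange described above (HEARTBEAT, operations in the heartbeat response, ACKNOWLEDGE) and the UPDATE / CONFIGURATION steps, simulated end to end as an added example. This is not code from the MiNiFi C2 project: the JSON field names (identifier, agentInfo, requestedOperations, operationId, result), the in-memory server and the offline fetch function are assumptions chosen for illustration, and the flow location and host are constructed sample values. The agent side adds the check a practitioner would want before acting on a pushed location: the flow is only downloaded over HTTPS from a trusted C2 host, and a refused or failed update is acknowledged with a failure result instead of being silently dropped.

```python
import json
from urllib.parse import urlparse

# Constructed sample data (not a real deployment): the flow the server publishes,
# and the only host from which the agent will accept flow downloads.
PUBLISHED_FLOWS = {
    "https://c2.example.internal/flows/demo-v2.yml": "Flow Controller:\n  name: demo-v2\n",
}
TRUSTED_FLOW_HOSTS = {"c2.example.internal"}


def offline_fetch(location):
    """Stand-in for the agent's HTTPS download (assumption): serves the constructed table."""
    return PUBLISHED_FLOWS[location]


class C2Server:
    """Minimal server: queues operations per agent and hands them out in heartbeat responses."""

    def __init__(self):
        self.queued = {}   # agent id -> operations waiting for that agent's next heartbeat
        self.acks = []     # ACKNOWLEDGE messages received from agents
        self._next_id = 1

    def publish_flow(self, agent_id, location, persist=True):
        """Step 1: a flow is published; an UPDATE / CONFIGURATION operation is queued."""
        op = {"identifier": f"op-{self._next_id}", "operation": "UPDATE",
              "operand": "CONFIGURATION",
              "args": {"location": location, "persist": persist}}
        self._next_id += 1
        self.queued.setdefault(agent_id, []).append(op)
        return op["identifier"]

    def on_heartbeat(self, heartbeat):
        """Server -> agent: the heartbeat response carries the queued operations."""
        agent_id = heartbeat["agentInfo"]["identifier"]
        return {"requestedOperations": self.queued.pop(agent_id, [])}

    def on_acknowledge(self, ack):
        self.acks.append(ack)


class C2Agent:
    def __init__(self, agent_id, server, fetch=offline_fetch):
        self.agent_id, self.server, self.fetch = agent_id, server, fetch
        self.flow, self.persisted = None, False

    def heartbeat(self):
        """Agent -> server: status and capabilities; the server learns of the agent from this."""
        return {"operation": "HEARTBEAT",
                "agentInfo": {"identifier": self.agent_id,
                              "capabilities": ["UPDATE/CONFIGURATION", "DESCRIBE/MANIFEST"]}}

    def run_cycle(self):
        """One heartbeat: send it, apply every requested operation, acknowledge each one."""
        response = self.server.on_heartbeat(self.heartbeat())
        results = []
        for op in response.get("requestedOperations", []):
            result = self.apply(op)
            self.server.on_acknowledge({"operation": "ACKNOWLEDGE",
                                        "operationId": op["identifier"],
                                        "result": result})
            results.append(result)
        return results

    def apply(self, op):
        if (op["operation"], op["operand"]) == ("UPDATE", "CONFIGURATION"):
            return self.update_configuration(op["args"])
        return {"success": False, "details": "operation not supported"}

    def update_configuration(self, args):
        """Steps 3-4: download the flow from 'location' and apply it, after validating the URI."""
        location = args.get("location", "")
        url = urlparse(location)
        # Only fetch flows over TLS from a trusted C2 host; refuse anything else.
        if url.scheme != "https" or url.hostname not in TRUSTED_FLOW_HOSTS:
            return {"success": False, "details": f"refused flow location {location!r}"}
        try:
            new_flow = self.fetch(location)
        except KeyError:
            return {"success": False, "details": "flow download failed"}
        self.flow = new_flow
        self.persisted = bool(args.get("persist"))
        return {"success": True, "details": "flow applied"}


def demo():
    """Idle heartbeat, then one trusted and one untrusted UPDATE in the next heartbeat response."""
    server = C2Server()
    agent = C2Agent("agent-01", server)
    idle = agent.run_cycle()   # nothing queued yet: empty response, no acknowledgements
    server.publish_flow("agent-01", "https://c2.example.internal/flows/demo-v2.yml")
    server.publish_flow("agent-01", "http://mirror.example/flows/demo-v2.yml", persist=True)
    results = agent.run_cycle()
    return server, agent, idle, results


if __name__ == "__main__":
    server, agent, idle, results = demo()
    print(json.dumps(server.acks, indent=2))
```

Running the script prints the two ACKNOWLEDGE messages: the HTTPS location from the trusted host is applied and persisted, while the plain-HTTP location is refused and acknowledged as a failure, so the server sees the outcome of every operation it pushed.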

Reference Implementations
