Skip to content

feat: Trigger C2 — authenticated UDP wake + ad-hoc exec for dormant implants#2270

Open
0x90pkt wants to merge 7 commits into
BishopFox:masterfrom
0x90pkt:feature/trigger-implant
Open

feat: Trigger C2 — authenticated UDP wake + ad-hoc exec for dormant implants#2270
0x90pkt wants to merge 7 commits into
BishopFox:masterfrom
0x90pkt:feature/trigger-implant

Conversation

@0x90pkt

@0x90pkt 0x90pkt commented Jun 2, 2026

Copy link
Copy Markdown

Summary

Adds Trigger C2 — an authenticated, signed-UDP task dispatcher enabling
two operational modes for dormant implants:

  • Ad-hoc exec: bidirectional UDP command execution. Operator sends a
    signed packet with a command, implant executes it and returns output
    over UDP. No C2 session needed.
  • Wake session: operator sends a signed wake packet (with optional
    transport hint), implant establishes an interactive session over mTLS
    or WireGuard.

Trigger implants are completely silent until woken — zero network traffic.

What's included

Layer Components
Client generate trigger, triggers (indexed list + target tracking), trigger send (by index or IP, --comms transport selection, --output file export), trigger dispatch, secretinput (3-tier secret resolution)
Server Trigger listener (UDP, HMAC, replay, rate-limit, audit), handlers (wake-session, stop-job, exec, reverse-shell), TTL reaper (server-side fallback), TriggerActivity tracking, daemon restore
Implant Passive UDP listener (triggerwake), wake loop (re-wakeable after session kill), exec with concurrency cap, transport preference on wake, runtime TTL with activity reset
Proto TriggerListenerReq/Job, TriggerFireReq/Resp, 4 gRPC methods, ImplantConfig trigger/TTL fields
Docs Trigger C2.md — architecture, commands, security model, wire protocol

Design highlights

  • No beacon mode. Trigger implants always establish interactive sessions.
  • Session kill = return to dormant. sessions -k does NOT kill the process — the implant re-enters the wake-wait loop and can be woken again.
  • TTL is runtime, not build-time. Countdown starts at execution, resets on every authenticated operator signal. Server-side reaper as defense-in-depth fallback.
  • Two-layer auth. HMAC-SHA256 (constant-time) + per-client allowlist + replay protection + timestamp validation.
  • Wire protocol. Standalone library at github.com/0x90pkt/trigger with locked wire-compat regression vectors.

Testing

  • 46+ unit tests across triggerwake, secretinput, generate, handlers, DB models
  • Manual test plan covering all phases: generate, deploy, dormant verify, ad-hoc exec, wake session with transport selection, kill/re-wake cycles, self-destruct, TTL expiry + activity reset, auth failures

Commits

Organized per contribution guidelines:

  1. vendor: — trigger protocol library (separate from code changes)
  2. proto: — protobuf schema + generated code
  3. feat(server): — DB models, listener, handlers, RPC, TTL reaper
  4. feat(implant): — triggerwake transport, wake loop, TTL, kill handler
  5. feat(client): — generate trigger, triggers list, trigger send, secretinput
  6. docs: — Trigger C2.md + .gitignore
  7. chore: — remove dev artifacts

All commits GPG-signed.

Closes #2269

0x90pkt added 7 commits June 1, 2026 23:52
Adds the trigger wire protocol library (HMAC-SHA256 authenticated
JSON-over-UDP) to both server and implant vendor trees. Includes
TriggerMessage, TriggerResponse types, canonical JSON signing,
response encode/decode/verify, replay cache, rate limiter, and
audit sink. Server vendor includes the full listener + handler
framework; implant vendor includes only the protocol package
(minimal footprint).
- TriggerListenerReq/TriggerListenerJob for listener lifecycle
- TriggerFireReq/TriggerFireResp for bidirectional exec
- TriggerDispatchTaskReq for server-side task dispatch
- TriggerIntentBinding oneof for task configuration
- ImplantConfig fields: IncludeTriggerWake, TriggerWakeBindAddr,
  TriggerWakeSecret, TriggerWakeAllowedClientIDs, TTL fields
- Four new gRPC methods: TriggerListener, TriggerFire,
  TriggerDispatchTask, TriggerListenerStop
Server-side trigger C2 implementation:

- TriggerListener: UDP listener with configurable task bindings,
  HMAC validation, replay protection, rate limiting, audit logging
- Handlers: wake-session, stop-job, exec, reverse-shell with
  concurrency caps and context deadlines
- DB models: TriggerListener persistence for daemon restore,
  ImplantConfig trigger-wake/TTL field round-trip, TriggerActivity
  for tracking implant last-seen state
- TTL reaper: background sweep fires self-destruct at expired
  trigger implants as server-side fallback (1hr cooldown)
- RPC: TriggerFire (bidirectional exec with response),
  TriggerDispatchTask, TriggerListener start/stop
- Daemon restore: trigger listeners survive server restart
Implant-side trigger-wake implementation:

- triggerwake: passive UDP listener with HMAC validation, replay
  cache, client allowlist. Three fixed intents: wake (session
  callback with transport selection), exec (bidirectional command
  execution, concurrency cap=3), self-destruct
- Wake loop: trigger implants block on WakeChannel, establish
  session, return to dormant on session kill. Re-wakeable
  indefinitely without process restart.
- Transport selection: wake packet carries preferred transport hint
  (mtls/wg); C2Generator reorders URI list to prioritize it
- TTL watchdog: runtime countdown (not build-time), resets on every
  authenticated trigger packet via burn.ResetTTL()
- Kill handler: template-gated os.Exit for trigger implants --
  gracefully closes session instead of terminating process
- Response source address validation in FireTriggerPacket
Client-side trigger C2 commands:

- generate trigger: builds trigger implants with --trigger-wake-bind
  required. No beacon flags -- wake always establishes a session.
  Warns if only TCP or only UDP transport specified.
- triggers: indexed list of all trigger-enabled implant builds
- triggers target: associate deployment IP with a trigger index
- trigger send: send signed UDP packets to implants by index or IP.
  Auto-populates port/secret/target from stored config.
  --comms flag selects wake transport (mtls/wg).
  --output/-o exports exec results to file.
- trigger dispatch: server-side task dispatch on running trigger
  listener jobs
- secretinput: three-tier secret resolution (env var, direct value
  with ps-visibility warning, stdin prompt). Template injection
  validation for secrets embedded in implant binaries.
- Trigger C2.md: complete feature documentation covering architecture
  (ad-hoc exec + wake session), quickstart, intent kinds, command
  reference, configuration flags, implant-side intents, TTL deadman
  switch (runtime + server-side reaper), security model, wire protocol
- .gitignore: resolved merge conflict markers, added editor swap
  file patterns
Remove files that were used during local development and are
not part of the trigger C2 feature.
@0x90pkt
0x90pkt requested a review from a team as a code owner June 2, 2026 03:58
@0x90pkt
0x90pkt requested a review from brandonkovacs June 2, 2026 03:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Feature: Trigger C2 — authenticated UDP wake + ad-hoc exec for dormant implants

1 participant