Skip to content

Feature: Trigger C2 — authenticated UDP wake + ad-hoc exec for dormant implants #2269

Description

@0x90pkt

Summary

Adds a Trigger C2 feature — an authenticated, signed-UDP task dispatcher enabling
two operational modes for dormant implants:

  1. Ad-hoc exec — bidirectional UDP command execution. Operator sends a signed
    packet with a command; implant executes it and returns output over UDP. No C2
    session required.
  2. Wake session — operator fires a signed wake packet (with optional transport
    hint for mTLS or WireGuard); implant establishes an interactive session.

Trigger implants sit completely silent — zero network traffic — until explicitly
woken. The protocol uses HMAC-SHA256 authentication, replay protection, nonce
correlation, and per-client allowlisting.

Motivation

Current Sliver implants either beacon on a schedule or maintain a persistent
session. Both produce periodic or constant network traffic that can be detected.
For long-dwell operations where the implant should remain inert until the operator
explicitly needs it, there's no built-in option.

Trigger C2 fills this gap: a dormant implant with a passive UDP listener that
only activates on receipt of an authenticated packet. The operator controls
exactly when the implant phones home, and can run one-off commands (file listings,
recon) without ever establishing a full C2 session.

Key components

Layer What's added
Client generate trigger subcommand, triggers (indexed list + target tracking), trigger send (by index or IP, with --comms transport
selection and --output file export), trigger dispatch (server-side task dispatch), secretinput package (three-tier secret resolution: env var →
stdin prompt → direct value)
Server Trigger listener (UDP, HMAC, replay cache, rate limiter, audit sink), handler registry (wake-session, stop-job, exec, reverse-shell),
TriggerActivity tracking, TTL reaper (server-side fallback), daemon restore for listener persistence
Implant Passive UDP listener (triggerwake package), wake loop (session kill returns to dormant — re-wakeable indefinitely), bidirectional
exec with concurrency semaphore (cap=3), transport preference on wake, runtime TTL watchdog with activity-based reset
Proto TriggerListenerReq/Job, TriggerFireReq/Resp, TriggerDispatchTaskReq, TriggerIntentBinding, ImplantConfig trigger/TTL fields, 4 gRPC
methods
Docs Trigger C2.md — architecture, quickstart, intent kinds, command reference, security model, wire protocol

Design decisions

  • No beacon mode for trigger implants. Wake always establishes an interactive session. Beacon flags are not available on generate trigger.
  • Session kill = return to dormant. sessions -k does NOT kill the process. The implant gracefully closes the session and re-enters the
    wake-wait loop.
  • TTL is runtime, not build-time. The countdown starts when the implant process starts, not when the binary is built. Every authenticated trigger
    packet resets the countdown. An actively-used implant never self-destructs from TTL. Server-side reaper provides defense-in-depth.
  • Two-layer auth. HMAC-SHA256 with constant-time comparison + per-client ID allowlist + replay nonce cache + timestamp skew validation.
  • Wire protocol library. The core protocol is a standalone library at github.com/0x90pkt/trigger with locked wire-compat regression vectors.
    Sliver imports it as a vendored dependency.
  • Implant footprint. Only the protocol package is vendored into the implant (not the full listener). The intent set is fixed at build time — no
    runtime dispatch surface.

Testing

  • 46+ unit tests across triggerwake, secretinput, generate flags, handler implementations, DB model round-trips
  • Manual test plan covering: generate, deploy, dormant verification, ad-hoc exec, wake session with transport selection, session kill + re-wake
    cycle, self-destruct, TTL expiry + activity reset, auth failures

Implementation

Branch: feature/trigger-implant on my fork.

7 commits organized per contribution guidelines:

  1. vendor: — trigger protocol library (separate from code)
  2. proto: — protobuf schema + generated code
  3. feat(server): — DB models, listener, handlers, RPC, TTL reaper
  4. feat(implant): — triggerwake transport, wake loop, TTL, kill handler
  5. feat(client): — generate trigger, triggers list, trigger send, secretinput
  6. docs: — Trigger C2.md + .gitignore
  7. chore: — remove dev artifacts

All commits GPG-signed. Happy to break into smaller PRs or adjust the approach based on maintainer feedback.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions