Summary
Adds a Trigger C2 feature — an authenticated, signed-UDP task dispatcher enabling
two operational modes for dormant implants:
- Ad-hoc exec — bidirectional UDP command execution. Operator sends a signed
packet with a command; implant executes it and returns output over UDP. No C2
session required.
- Wake session — operator fires a signed wake packet (with optional transport
hint for mTLS or WireGuard); implant establishes an interactive session.
Trigger implants sit completely silent — zero network traffic — until explicitly
woken. The protocol uses HMAC-SHA256 authentication, replay protection, nonce
correlation, and per-client allowlisting.
Motivation
Current Sliver implants either beacon on a schedule or maintain a persistent
session. Both produce periodic or constant network traffic that can be detected.
For long-dwell operations where the implant should remain inert until the operator
explicitly needs it, there's no built-in option.
Trigger C2 fills this gap: a dormant implant with a passive UDP listener that
only activates on receipt of an authenticated packet. The operator controls
exactly when the implant phones home, and can run one-off commands (file listings,
recon) without ever establishing a full C2 session.
Key components
| Layer |
What's added |
| Client |
generate trigger subcommand, triggers (indexed list + target tracking), trigger send (by index or IP, with --comms transport |
selection and --output file export), trigger dispatch (server-side task dispatch), secretinput package (three-tier secret resolution: env var → |
|
| stdin prompt → direct value) |
|
| Server |
Trigger listener (UDP, HMAC, replay cache, rate limiter, audit sink), handler registry (wake-session, stop-job, exec, reverse-shell), |
| TriggerActivity tracking, TTL reaper (server-side fallback), daemon restore for listener persistence |
|
| Implant |
Passive UDP listener (triggerwake package), wake loop (session kill returns to dormant — re-wakeable indefinitely), bidirectional |
| exec with concurrency semaphore (cap=3), transport preference on wake, runtime TTL watchdog with activity-based reset |
|
| Proto |
TriggerListenerReq/Job, TriggerFireReq/Resp, TriggerDispatchTaskReq, TriggerIntentBinding, ImplantConfig trigger/TTL fields, 4 gRPC |
| methods |
|
| Docs |
Trigger C2.md — architecture, quickstart, intent kinds, command reference, security model, wire protocol |
Design decisions
- No beacon mode for trigger implants. Wake always establishes an interactive session. Beacon flags are not available on
generate trigger.
- Session kill = return to dormant.
sessions -k does NOT kill the process. The implant gracefully closes the session and re-enters the
wake-wait loop.
- TTL is runtime, not build-time. The countdown starts when the implant process starts, not when the binary is built. Every authenticated trigger
packet resets the countdown. An actively-used implant never self-destructs from TTL. Server-side reaper provides defense-in-depth.
- Two-layer auth. HMAC-SHA256 with constant-time comparison + per-client ID allowlist + replay nonce cache + timestamp skew validation.
- Wire protocol library. The core protocol is a standalone library at
github.com/0x90pkt/trigger with locked wire-compat regression vectors.
Sliver imports it as a vendored dependency.
- Implant footprint. Only the protocol package is vendored into the implant (not the full listener). The intent set is fixed at build time — no
runtime dispatch surface.
Testing
- 46+ unit tests across triggerwake, secretinput, generate flags, handler implementations, DB model round-trips
- Manual test plan covering: generate, deploy, dormant verification, ad-hoc exec, wake session with transport selection, session kill + re-wake
cycle, self-destruct, TTL expiry + activity reset, auth failures
Implementation
Branch: feature/trigger-implant on my fork.
7 commits organized per contribution guidelines:
vendor: — trigger protocol library (separate from code)
proto: — protobuf schema + generated code
feat(server): — DB models, listener, handlers, RPC, TTL reaper
feat(implant): — triggerwake transport, wake loop, TTL, kill handler
feat(client): — generate trigger, triggers list, trigger send, secretinput
docs: — Trigger C2.md + .gitignore
chore: — remove dev artifacts
All commits GPG-signed. Happy to break into smaller PRs or adjust the approach based on maintainer feedback.
Summary
Adds a Trigger C2 feature — an authenticated, signed-UDP task dispatcher enabling
two operational modes for dormant implants:
packet with a command; implant executes it and returns output over UDP. No C2
session required.
hint for mTLS or WireGuard); implant establishes an interactive session.
Trigger implants sit completely silent — zero network traffic — until explicitly
woken. The protocol uses HMAC-SHA256 authentication, replay protection, nonce
correlation, and per-client allowlisting.
Motivation
Current Sliver implants either beacon on a schedule or maintain a persistent
session. Both produce periodic or constant network traffic that can be detected.
For long-dwell operations where the implant should remain inert until the operator
explicitly needs it, there's no built-in option.
Trigger C2 fills this gap: a dormant implant with a passive UDP listener that
only activates on receipt of an authenticated packet. The operator controls
exactly when the implant phones home, and can run one-off commands (file listings,
recon) without ever establishing a full C2 session.
Key components
generate triggersubcommand,triggers(indexed list + target tracking),trigger send(by index or IP, with--commstransport--outputfile export),trigger dispatch(server-side task dispatch),secretinputpackage (three-tier secret resolution: env var →triggerwakepackage), wake loop (session kill returns to dormant — re-wakeable indefinitely), bidirectionalDesign decisions
generate trigger.sessions -kdoes NOT kill the process. The implant gracefully closes the session and re-enters thewake-wait loop.
packet resets the countdown. An actively-used implant never self-destructs from TTL. Server-side reaper provides defense-in-depth.
github.com/0x90pkt/triggerwith locked wire-compat regression vectors.Sliver imports it as a vendored dependency.
runtime dispatch surface.
Testing
cycle, self-destruct, TTL expiry + activity reset, auth failures
Implementation
Branch:
feature/trigger-implanton my fork.7 commits organized per contribution guidelines:
vendor:— trigger protocol library (separate from code)proto:— protobuf schema + generated codefeat(server):— DB models, listener, handlers, RPC, TTL reaperfeat(implant):— triggerwake transport, wake loop, TTL, kill handlerfeat(client):— generate trigger, triggers list, trigger send, secretinputdocs:— Trigger C2.md + .gitignorechore:— remove dev artifactsAll commits GPG-signed. Happy to break into smaller PRs or adjust the approach based on maintainer feedback.