CLI Reference

InfraGuard ships a Click-based CLI. All commands accept -c / --config <path> to specify the config file.

Top-Level Commands

infraguard --help
infraguard --version

infraguard run         Start the redirector
infraguard config      Config management subcommands
infraguard token       Token management subcommands
infraguard api         Query the management API
infraguard profile     C2 profile utilities

infraguard run

Start the redirector.

infraguard run --config config/config.yaml
infraguard run -c config/config.yaml --log-level DEBUG

| Flag | Default | Description |
|------|---------|-------------|
| -c / --config | config.yaml | Path to config file |
| --log-level | INFO | Logging level (DEBUG, INFO, WARNING, ERROR) |
| --reload | off | Enable hot reload on config file change |

infraguard config

Config management. All mutating commands write a .bak backup of the config file before modifying it.

config show

infraguard config show -c config.yaml
infraguard config show -c config.yaml --section pipeline
infraguard config show -c config.yaml --section domains

config set

Set an arbitrary config value by dotted path:

infraguard config set pipeline.block_score_threshold 0.65 -c config.yaml
infraguard config set logging.level DEBUG -c config.yaml

infraguard config domain

Domain management subcommands.

infraguard config domain list -c config.yaml
infraguard config domain add phish.example.com -c config.yaml
infraguard config domain remove phish.example.com -c config.yaml
infraguard config domain set-upstream cdn.example.com https://10.0.0.1:443 -c config.yaml
infraguard config domain set-drop cdn.example.com redirect https://jquery.com -c config.yaml

domain add-route

Add a content route to a domain:

infraguard config domain add-route cdn.example.com \
  --path "/assets/update.js" \
  --backend-type mythic_file \
  --backend-target "https://10.0.0.1:7443" \
  --file-id "${MYTHIC_STAGE2_FILE_ID}" \
  --require-beacon-ip \
  --require-token \
  --rate-limit 1 3600 \
  -c config.yaml

domain remove-route

infraguard config domain remove-route cdn.example.com "/assets/update.js" -c config.yaml

domain list-routes

infraguard config domain list-routes cdn.example.com -c config.yaml

infraguard config intel

Intel and blocklist management.

# Show current intel config
infraguard config intel show -c config.yaml

# Country blocking
infraguard config intel block-country RU -c config.yaml
infraguard config intel unblock-country RU -c config.yaml
infraguard config intel allow-country US -c config.yaml        # explicit allowlist
infraguard config intel unallow-country US -c config.yaml

# ASN blocking
infraguard config intel block-asn 15169 -c config.yaml         # Google
infraguard config intel unblock-asn 15169 -c config.yaml

# IP blocking
infraguard config intel block-ip 1.2.3.4 -c config.yaml

infraguard config pipeline

Pipeline filter management.

# Show pipeline config
infraguard config pipeline show -c config.yaml

# Enable/disable filters
infraguard config pipeline enable sandbox_filter -c config.yaml
infraguard config pipeline disable replay_filter -c config.yaml

# Set score threshold
infraguard config pipeline set-threshold 0.65 -c config.yaml

# JA3 management
infraguard config pipeline ja3 block e7d705a3286e19ea42f587b344ee6865 -c config.yaml
infraguard config pipeline ja3 unblock e7d705a3286e19ea42f587b344ee6865 -c config.yaml
infraguard config pipeline ja3 allow b386946a5a44d1ddcc843bc75336dfce -c config.yaml  # add to allowlist
infraguard config pipeline ja3 list -c config.yaml
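
The 32-character hex values passed to ja3 block and ja3 allow above are JA3 fingerprints: the MD5 of five ClientHello fields joined in a fixed order, with GREASE values removed. The following is an added example, not InfraGuard's own code, that derives such a value; the function names and the sample ClientHello field lists are constructed for illustration.

```python
import hashlib
import re

# GREASE values (RFC 8701): 0x0A0A, 0x1A1A, ... 0xFAFA. Clients insert them at
# random, so JA3 drops them to keep the fingerprint stable across connections.
GREASE = {(b << 8) | b for b in range(0x0A, 0x100, 0x10)}


def ja3_string(version, ciphers, extensions, curves, point_formats):
    """Five comma-separated fields; each list is dash-joined decimals in the
    order the ClientHello sent them. An empty list leaves its field empty."""
    def join(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    return ",".join([str(version), join(ciphers), join(extensions),
                     join(curves), join(point_formats)])


def ja3_hash(version, ciphers, extensions, curves, point_formats):
    """JA3 fingerprint: MD5 hex digest of the JA3 string."""
    text = ja3_string(version, ciphers, extensions, curves, point_formats)
    # MD5 is used here as a fingerprint, not as a security primitive.
    return hashlib.md5(text.encode("ascii"), usedforsecurity=False).hexdigest()


def is_ja3(value):
    """True if value has the shape of a JA3 hash (32 lowercase hex chars)."""
    return re.fullmatch(r"[0-9a-f]{32}", value) is not None


# Constructed sample (not captured traffic): ClientHello version 771 (0x0303)
# with GREASE values mixed into three of the lists.
SAMPLE = (771,
          [0x1A1A, 4865, 4866, 49195],      # cipher suites
          [0x2A2A, 0, 23, 65281, 10, 11],   # extensions
          [0x3A3A, 29, 23, 24],             # supported groups (curves)
          [0])                              # EC point formats

if __name__ == "__main__":
    print(ja3_string(*SAMPLE))
    print(ja3_hash(*SAMPLE))
```

Because the fields are hashed in ClientHello order, a client that changes its extension order between connections produces a different fingerprint each time, so an exact-match JA3 list will not recognise it consistently.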

infraguard token

Payload token management.

# List all issued tokens
infraguard token list -c config.yaml

# Revoke a token
infraguard token revoke <token-hex> -c config.yaml

# Manually issue a token for an IP
infraguard token issue 10.0.0.5 -c config.yaml

# Generate an HMAC campaign token
infraguard token generate --secret "$HMAC_SECRET" --ttl 604800

infraguard api

Query the management API (the API must be running).

# Request log
infraguard api requests -c config.yaml
infraguard api requests --limit 50 --domain cdn.example.com -c config.yaml
infraguard api requests --blocked-only -c config.yaml

# Whitelist
infraguard api whitelist -c config.yaml
infraguard api whitelist add 10.0.0.5 -c config.yaml
infraguard api whitelist remove 10.0.0.5 -c config.yaml

# Blocklist
infraguard api blocklist -c config.yaml
infraguard api blocklist add 1.2.3.4 -c config.yaml

# Burn indicators
infraguard api burns -c config.yaml

infraguard profile

C2 profile utilities.

# Parse and show normalized profile
infraguard profile parse --type cobalt_strike profiles/my.profile
infraguard profile parse --type mythic profiles/mythic-httpx.json
infraguard profile parse --type nighthawk profiles/nighthawk.json
infraguard profile parse --type poshc2 profiles/config.yaml

# Validate profile against a sample request
infraguard profile validate --type cobalt_strike profiles/my.profile \
  --method GET --path "/jquery-3.7.1.min.js" \
  --header "X-Requested-With: XMLHttpRequest"