PoshC2

InfraGuard parses PoshC2’s YAML configuration file to extract GET/POST request patterns and User-Agent.

Config

domains:
  office.example.com:
    upstream: "${POSHC2_UPSTREAM}"
    profile_path: "profiles/poshc2-config.yaml"
    profile_type: "poshc2"

    drop_action:
      type: "redirect"
      target: "https://office.com"

See config/examples/c2-poshc2.yaml.

Config YAML Format

InfraGuard reads the PoshC2 config.yaml file. Fields extracted:

  • GET_Requests — list of GET URI patterns
  • POST_Requests — list of POST URI patterns
  • UserAgent — expected User-Agent string
  • DefaultSleep — not used for filtering, logged only

pipeline:
  filter_mode: "scoring"
  block_score_threshold: 0.65
  enable_profile_filter: true
  enable_bot_filter: true
  enable_sandbox_filter: true
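As an added example (not InfraGuard's own code), the following parses the four PoshC2 config fields listed under Config YAML Format and evaluates whether one request fits the profile, which is the decision the profile filter (enable_profile_filter) is built on. The sample config is constructed, and prefix matching on the URI path with the query string ignored is an assumption, not something the page states; a defender can run the same check over web-server access logs to flag requests that fit a known profile.

```python
# Added example, not InfraGuard's own code: a minimal parser for the four
# PoshC2 config fields listed above, plus the request match the profile
# filter is based on. Prefix matching on the URI path is an assumption.
import re

# Constructed sample in PoshC2 config.yaml style (field names from the page).
SAMPLE_CONFIG = """\
DefaultSleep: "5s"          # logged only, never used for filtering
UserAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
GET_Requests:
  - "/images/static/content/"
  - "/web/api/status/"
POST_Requests:
  - "/web/api/upload/"
"""

FIELDS = ("GET_Requests", "POST_Requests", "UserAgent", "DefaultSleep")

def _unquote(value):
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value

def parse_poshc2_config(text):
    """Extract FIELDS from a flat PoshC2 config (scalars and '- item' block lists)."""
    profile = {"GET_Requests": [], "POST_Requests": [], "UserAgent": None, "DefaultSleep": None}
    current = None  # field currently being filled
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*", "", raw).rstrip()  # strip YAML comments
        if not line.strip():
            continue
        if not line[0].isspace() and ":" in line:  # top-level key
            key, _, rest = line.partition(":")
            current = key.strip() if key.strip() in FIELDS else None
            if current and rest.strip():
                profile[current] = _unquote(rest)
        elif current and line.strip().startswith("- ") and isinstance(profile[current], list):
            profile[current].append(_unquote(line.strip()[2:]))
    return profile

def matches_profile(profile, method, uri, user_agent):
    """True when method, URI path prefix and User-Agent all fit the profile."""
    patterns = {"GET": profile["GET_Requests"], "POST": profile["POST_Requests"]}.get(method, [])
    path = uri.split("?", 1)[0]  # query string is ignored (assumption)
    return user_agent == profile["UserAgent"] and any(path.startswith(p) for p in patterns)
```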