Quickstart

Five-minute path from zero to a working Cobalt Strike redirector.

1. Pick an Example Config

cp config/examples/c2-cobalt-strike.yaml config/config.yaml

All example configs live in config/examples/. See Frameworks for the full list.

2. Set Required Env Vars

export INFRAGUARD_TLS_CERT=/path/to/cert.pem
export INFRAGUARD_TLS_KEY=/path/to/key.pem
export INFRAGUARD_DB_PATH=/tmp/infraguard.db
export CS_UPSTREAM=https://10.10.10.10:443

3. Point Your C2 Profile

Edit config/config.yaml and set profile_path to your Malleable C2 profile:

domains:
  cdn.example.com:
    upstream: "${CS_UPSTREAM}"
    profile_path: "profiles/my-campaign.profile"
    profile_type: "cobalt_strike"

4. Start InfraGuard

# Docker
docker compose up -d

# Direct
infraguard run --config config/config.yaml

5. Verify

# Health check
curl -k https://localhost/up

# Check logs
docker compose logs -f infraguard

# View request log
infraguard api requests --config config/config.yaml

What Happens on a Request

Incoming HTTPS request
        │
        ▼
TLS termination (InfraGuard cert)
        │
        ▼
Pipeline filters (IP → bot → geo → DNS → profile → sandbox → JA3 → replay → enumeration)
        │
        ├── score ≥ threshold ──► drop_action (redirect / serve decoy / 404)
        │
        └── score < threshold ──► proxy to upstream C2 / phishing backend

Requests that pass all filters are silently proxied to the upstream. Requests whose accumulated score reaches or exceeds block_score_threshold trigger the configured drop_action.

Next Steps