Payload Delivery Overview#

InfraGuard can serve payloads from multiple backends, each wrapped in a full guard stack. Payload routes are defined under content_routes in the domain config.

Architecture#

Incoming request → Pipeline filters → Guard stack → Backend → Response
                                            │
                                            └── Failed guard → drop_action / decoy

Payload routes sit after the main pipeline. A request that passes the domain-level pipeline then hits the route-level guard stack before the backend is accessed.

Backends#

| Backend type | Use case |
|---|---|
| mythic_file | Serve specific or dynamic files from Mythic's file store |
| pwndrop | Serve files from a PwnDrop staging server |
| filesystem | Serve files from local disk / Docker volume |
| http_proxy | Proxy to any HTTP server (RedFile, nginx, custom) |

Route Schema#

content_routes:
  - path: "/jquery-3.7.1.min.js"    # exact path or glob (/* suffix)
    backend:
      type: "mythic_file"
      target: "https://${MYTHIC_IP}:7443"
      file_id: "${MYTHIC_STAGE2_FILE_ID}"
      ssl_verify: false
      headers:
        Content-Disposition: "attachment; filename=\"update.bin\""

    guard:
      require_beacon_ip: true
      allowed_user_agents:
        - "^Mozilla/5\\.0 \\(Windows NT"
        - "WinHTTP"
        - "Microsoft-CryptoAPI"
      required_headers:
        X-Requested-With: "XMLHttpRequest"
      forbidden_headers:
        - "Via"
        - "X-Forwarded-For"
        - "CF-Worker"

    require_token: true              # one-time token required

    rate_limit:
      enabled: true
      max_downloads: 1
      window_seconds: 3600

    conditional:                     # decoy backend for non-matching visitors
      score_threshold: 0.5
      scanner_backend:
        type: "http_proxy"
        target: "https://jquery.com/jquery-3.7.1.min.js"

    track: true                      # record to tracking DB

Guard Stack#

Each route has an independent guard stack applied after the domain pipeline:

| Guard | Config key | Effect |
|---|---|---|
| Beacon IP check | require_beacon_ip: true | Only IPs in the dynamic whitelist can download |
| User-Agent filter | allowed_user_agents: [...] | Regex list; non-matching UAs are blocked |
| Required headers | required_headers: {Header: Value} | All listed headers must be present with the given value |
| Forbidden headers | forbidden_headers: [...] | Any listed header present = blocked |
| One-time token | require_token: true | Token must be present and unconsumed |
| Rate limiting | rate_limit: ... | Max downloads per IP per window |

Conditional (Decoy) Backend#

When conditional.scanner_backend is set, requests that fail the guard are served content from the decoy backend instead of receiving an error. Analysts get real content (e.g. the real jQuery file) while beacons get the payload — no behavioral difference visible from the outside.
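Seen from the egress side, the decoy arrangement above still leaves two traces in proxy logs: a script path whose response carries a non-script Content-Type or an attachment filename with a different extension, and the same path returning different sizes to different clients. The following is an added detection-side example, not part of InfraGuard or this documentation; the log field names (src, path, status, bytes, ctype, cdisp) and the log records themselves are constructed.

```python
import json
import posixpath
import re
from collections import defaultdict

# Constructed egress-proxy log lines (sample data, not from any real network).
SAMPLE_LOG = """\
{"src":"10.0.4.17","path":"/jquery-3.7.1.min.js","status":200,"bytes":87533,"ctype":"application/javascript","cdisp":""}
{"src":"10.0.4.17","path":"/jquery-3.7.1.min.js","status":200,"bytes":87533,"ctype":"application/javascript","cdisp":""}
{"src":"10.0.9.201","path":"/jquery-3.7.1.min.js","status":200,"bytes":412096,"ctype":"application/octet-stream","cdisp":"attachment; filename=\\"update.bin\\""}
{"src":"10.0.4.17","path":"/css/site.css","status":200,"bytes":10240,"ctype":"text/css","cdisp":""}
"""

# Media types a browser would expect for a script path.
SCRIPT_TYPES = {"application/javascript", "text/javascript", "application/x-javascript"}

def attachment_filename(cdisp):
    """Pull the filename out of a Content-Disposition header, if there is one."""
    m = re.search(r'filename="?([^";]+)"?', cdisp or "")
    return m.group(1) if m else None

def record_findings(rec):
    """Per-response checks: does what was served match what the path claims to be?"""
    findings = []
    ext = posixpath.splitext(rec["path"])[1].lower()
    media_type = rec.get("ctype", "").split(";")[0].strip()
    if ext == ".js" and media_type not in SCRIPT_TYPES:
        findings.append("content-type-mismatch")
    name = attachment_filename(rec.get("cdisp"))
    if name and posixpath.splitext(name)[1].lower() != ext:
        findings.append("attachment-extension-mismatch")
    return findings

def divergent_paths(records):
    """Same path, same 200 status, different sizes to different clients: the trace a decoy backend leaves."""
    by_path = defaultdict(lambda: defaultdict(set))  # path -> src -> {bytes}
    for r in records:
        if r["status"] == 200:
            by_path[r["path"]][r["src"]].add(r["bytes"])
    result = {}
    for path, per_src in by_path.items():
        sizes = set().union(*per_src.values())
        if len(per_src) > 1 and len(sizes) > 1:
            result[path] = sorted(sizes)
    return result

def analyse(text):
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    flagged = [(r["src"], r["path"], f) for r in records if (f := record_findings(r))]
    return {"flagged": flagged, "divergent": divergent_paths(records)}
```

Neither check proves malicious delivery on its own; a CDN serving gzip variants or a legitimate download endpoint can trip the size check, so treat hits as triage leads to pair with the client-side evidence.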

See Backends and Tokens for full details.