
User-Defined C2 (UDC2)

The UDC2 listener supports custom transport plugins -- typically BOF-based transport handlers running on operator infrastructure. UDC2 enables entirely custom communication channels (proprietary protocols, exotic transports) while using Stentor's relay for beacon management and task routing.


Configuration

Field     Type    Required  Default  Description
name      string  Yes       --       Display name
type      string  Yes       --       Must be "udc2"
relay_id  UUID    Yes       --       Relay hosting the listener
port      int     Yes       --       TCP port for transport plugin connections

Create a UDC2 Listener

curl -s -X POST https://stentor.app/api/v1/listeners \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Custom Transport",
    "type": "udc2",
    "port": 3333,
    "relay_id": "RELAY_UUID"
  }'

Protocol

UDC2 uses the same 4-byte little-endian length-prefixed frame format as External C2:

[length (4 bytes LE)] [frame data (N bytes)]

Session Flow

  1. Transport plugin connects to the UDC2 TCP port
  2. First frame: Beacon metadata JSON:
    {"hostname": "WORKSTATION01", "username": "CORP\\jsmith", "ip": "10.10.10.20", "arch": "x64"}
    
  3. Relay responds with beacon registration:
    {"beacon_id": "a1b2c3d4-..."}
    
  4. Bidirectional proxy: Task frames from relay, output frames from transport plugin
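For analysts reviewing a reassembled TCP stream captured on the relay side or in a lab, the following added example (not Stentor's own code) splits the byte stream into frames and flags a first frame that matches the metadata shape shown above. The function names, the 1 MiB length cap and the use of the four sample keys as a signature are assumptions; the page does not state a maximum frame size or which fields are mandatory.

```python
import json
import struct

MAX_FRAME = 1 << 20  # assumed 1 MiB cap; the page does not state a limit
METADATA_KEYS = {"hostname", "username", "ip", "arch"}  # keys from the page's sample

class FrameError(ValueError):
    """Raised when a declared frame length is implausible."""

def split_frames(buf: bytes, max_frame: int = MAX_FRAME):
    """Return (complete_frames, leftover_bytes) for a reassembled TCP byte stream."""
    frames, off = [], 0
    while len(buf) - off >= 4:
        (length,) = struct.unpack_from("<I", buf, off)  # 4-byte little-endian prefix
        if length > max_frame:
            # Reject before buffering: an unchecked prefix lets a peer demand ~4 GiB.
            raise FrameError(f"declared length {length} exceeds cap at offset {off}")
        if len(buf) - off - 4 < length:
            break  # partial frame: keep the bytes and wait for more
        frames.append(buf[off + 4 : off + 4 + length])
        off += 4 + length
    return frames, buf[off:]

def looks_like_udc2_hello(frame: bytes) -> bool:
    """True if a frame is a JSON object carrying all four metadata keys."""
    try:
        obj = json.loads(frame.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return False
    return isinstance(obj, dict) and METADATA_KEYS.issubset(obj)

def encode_frame(payload: bytes) -> bytes:
    """Helper used only to build the constructed sample below."""
    return struct.pack("<I", len(payload)) + payload

# Constructed sample stream: the page's metadata frame, then a truncated second frame.
HELLO = json.dumps({"hostname": "WORKSTATION01", "username": "CORP\\jsmith",
                    "ip": "10.10.10.20", "arch": "x64"}).encode()
SAMPLE = encode_frame(HELLO) + encode_frame(b"task-output")[:7]

if __name__ == "__main__":
    frames, rest = split_frames(SAMPLE)
    print(len(frames), looks_like_udc2_hello(frames[0]), rest)
```

Because the transport plugin applies its own encryption and the plugin-to-relay link is expected to be tunneled, this check only applies where the inner TCP stream is visible in cleartext.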

Use Cases

  • Exotic transports: Route C2 traffic over protocols Stentor doesn't natively support (e.g., MQTT, WebRTC, steganography)
  • BOF transport handlers: Implement custom transport logic in a BOF that bridges to the UDC2 TCP interface
  • Air-gapped networks: Build a custom relay mechanism that bridges isolated networks to the Stentor relay
  • Protocol research: Prototype new C2 transport protocols without modifying the relay codebase

UDC2 vs External C2

  • External C2 is designed for integrating third-party C2 frameworks (Metasploit, Sliver) with their own agent format
  • UDC2 is designed for custom transport plugins that carry Stentor beacon traffic over non-standard channels

OPSEC Considerations

  • The UDC2 port should only be accessible from your transport plugin infrastructure
  • The transport plugin is responsible for its own encryption and OPSEC on the wire
  • The TCP connection between the plugin and relay should be tunneled through SSH or VPN