pentest-c2-operator
npx machina-cli add skill 0x-Professor/Agent-Skills-Hub/pentest-c2-operator --openclaw
Pentest C2 Operator
Stage
- PTES: 5-6
- MITRE: TA0011
Objective
Track infrastructure, persistence, and alerting outcomes from C2 simulation.
Required Workflow
- Validate scope before any active action and reject out-of-scope targets.
- Run only authorized checks aligned to PTES, OWASP WSTG, NIST SP 800-115, and MITRE ATT&CK.
- Write findings in canonical finding_schema format with reproducible PoC notes.
- Honor dry-run mode and require explicit --i-have-authorization for live execution.
- Export deterministic artifacts for downstream skill consumption.
Execution
python skills/pentest-c2-operator/scripts/c2_operator.py --scope scope.json --target <target> --input <path> --output <path> --format json --dry-run
Outputs
- c2-infrastructure.json
- persistence-mechanisms.json
- c2-report.json
References
- references/tools.md
- skills/autonomous-pentester/shared/scope_schema.json
- skills/autonomous-pentester/shared/finding_schema.json
Legal and Ethical Notice
WARNING AUTHORIZED USE ONLY
This skill executes real security testing tools against live targets.
Use only with written authorization.
Source
git clone https://github.com/0x-Professor/Agent-Skills-Hub/blob/main/skills/pentest-c2-operator/SKILL.md
Overview
Pentest C2 Operator enables authorized C2 simulation workflows and measures defensive detection outcomes. It tracks infrastructure, persistence, and alerting results to gauge coverage within approved scope.
How This Skill Works
The skill validates the defined scope, runs checks aligned to PTES, OWASP WSTG, NIST SP 800-115, and MITRE ATT&CK, and writes findings in a canonical finding_schema format with reproducible PoC notes. It outputs deterministic artifacts (c2-infrastructure.json, persistence-mechanisms.json, c2-report.json) and supports a dry-run mode, requiring explicit --i-have-authorization for live actions.
When to Use It
- Before launching a sanctioned C2 simulation within a defined scope to measure detection and response.
- To validate SOC telemetry, SIEM/EDR coverage, and alerting for C2 activity across infrastructure and persistence mechanisms.
- When producing reproducible PoC notes and canonical findings for audits and reporting.
- During test planning to verify scope and authorization via a dry-run before any live actions.
- When exporting deterministic artifacts for downstream teams and incident response playbooks.
Quick Start
- Step 1: Review and confirm the scope (scope.json) with all stakeholders.
- Step 2: Run the tool in dry-run or with explicit authorization: python skills/pentest-c2-operator/scripts/c2_operator.py --scope scope.json --target <target> --input <path> --output <path> --format json --dry-run
- Step 3: Inspect outputs (c2-infrastructure.json, persistence-mechanisms.json, c2-report.json) and PoC notes for reproducibility.
Best Practices
- Always validate scope and obtain written authorization before any action.
- Run checks in alignment with PTES, OWASP WSTG, NIST SP 800-115, and MITRE ATT&CK.
- Use dry-run mode first; require explicit --i-have-authorization for live execution.
- Document findings in canonical finding_schema format with reproducible PoC notes.
- Export deterministic artifacts (e.g., c2-infrastructure.json, persistence-mechanisms.json, c2-report.json) for downstream consumption.
Example Use Cases
- Enterprise pentest simulates C2 beacons within approved scope to measure detection coverage and logs results in c2-report.json.
- SOC engineers validate telemetry and alert rules against C2 activity using the generated persistence-mechanisms.json.
- Compliance audit produces a complete artifact set (c2-infrastructure.json, persistence-mechanisms.json, c2-report.json) for review.
- Security team runs a dry-run to confirm scope and authorization before a live test.
- Downstream teams ingest c2-infrastructure.json and c2-report.json to update incident response playbooks.