Registration

Registration is defined as the first time an agent connects to a server to authenticate. Each connection is given a token that runs on a time limit. If an operator hasn't administered a request for a period of time, the token will expire, resulting in a 401 response, and the agent will need to re-authenticate. Your agent must be capable of re-registering with the server; otherwise, you will have to restart the binary itself.

Your implant should be able to handle several possible scenarios:

  • Server goes offline unexpectedly (connection-refused) - the implant should attempt to reconnect until it is able to establish a session again

  • The session expires (401) - the implant should authenticate at the registration endpoint once again.

  • The compromised machine restarts - assuming a persistence mechanism is already in place, the implant should know to re-register to the server.

Here is a simple logic example from an early version of 'Empress', Monarch's first implant integration written in Go.

// c is our c2 client
resp, err := c.HttpClient.Do(req)
if err != nil {
	// request failed (e.g. connection refused): register again
	return Registration(), err
}
defer resp.Body.Close() // release the connection on every return path
if resp.StatusCode != http.StatusOK {
	// probably unauthorised, must re-register.
	// Registration() returns a registration object
	reg := Registration()
	return reg, nil
}

The server integration page goes into more detail about how registration and polling objects are structured.
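
Seen from the network side, the scenarios above leave a recognisable sequence: a 401 or a refused connection, followed shortly by a successful request to the registration endpoint. The following is an added example, not code from Monarch or Empress, that counts such re-registrations per host in constructed proxy-log records; the `/register` and `/poll` paths, the `Event` type and the 120-second window are assumptions, since this page does not name the endpoints.

```go
package main

import "fmt"

// Event is one constructed proxy-log record. Status 0 means the TCP
// connection was refused, so there was no HTTP response.
type Event struct {
	T         int // seconds since start of capture
	Src, Path string
	Status    int
}

// Hypothetical registration path; the page does not name its endpoints.
const regPath = "/register"

// ReRegistrations returns, per source host, how often a 401 or a refused
// connection was followed within window seconds by a successful request
// to regPath. Events must be in time order for each source.
func ReRegistrations(events []Event, window int) map[string]int {
	lastFail := map[string]int{} // src -> time of most recent 401/refusal
	hits := map[string]int{}
	for _, e := range events {
		switch {
		case e.Status == 401 || e.Status == 0:
			lastFail[e.Src] = e.T
		case e.Path == regPath && e.Status == 200:
			if t, ok := lastFail[e.Src]; ok && e.T-t <= window {
				hits[e.Src]++
			}
			delete(lastFail, e.Src) // a registration resets the state
		}
	}
	return hits
}

// Sample returns constructed log records, not captured traffic.
func Sample() []Event {
	return []Event{
		{0, "10.0.0.5", "/register", 200},  // first registration, not a hit
		{900, "10.0.0.5", "/poll", 401},    // token expired
		{905, "10.0.0.5", "/register", 200},
		{1200, "10.0.0.5", "/poll", 0},     // server offline
		{1230, "10.0.0.5", "/poll", 0},
		{1260, "10.0.0.5", "/register", 200},
		{30, "10.0.0.9", "/login", 401},    // unrelated 401, far outside window
		{4000, "10.0.0.9", "/register", 200},
	}
}

func main() { fmt.Println(ReRegistrations(Sample(), 120)) }
```

Repeated hits from one host at regular intervals are a stronger signal than a single 401-then-register pair, which ordinary session expiry in a legitimate application can also produce.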
