Enhancing Command & Control Capabilities: Integrating Cobalt Strike’s Plugin System into a Mythic-based Beacon Developed at cirosec
Master's Thesis
Background
This is my thesis for the Master of Science (M.Sc.) in Computer Science at Hochschule Offenburg. It was supervised by Michael Brügge, Senior Consultant at cirosec GmbH, and on the university side by Prof. Dr. Daniel Hammer.
The thesis was written in English.
Abstract
Command & Control (C2) frameworks are a popular tool for threat actors who attack and infiltrate infrastructures and systems. They let attackers establish a persistent foothold in an infrastructure and interact with it over covert channels. These frameworks therefore also play a crucial role in cybersecurity, enabling red teams and penetration testers to simulate those real-world adversary tactics. Cobalt Strike, a widely used proprietary C2 framework, offers an extensible plugin system through Beacon Object Files (BOFs). Mythic, an open-source alternative, provides a modular architecture but lacks native BOF compatibility.
This thesis explores the feasibility of integrating Cobalt Strike’s BOF capabilities into a Mythic-based beacon developed at cirosec. The research begins by analyzing the structural and functional differences between Cobalt Strike and Mythic, focusing on their plugin systems and execution environments. It then examines the technical details of BOF execution, including Dynamic Function Resolution (DFR), memory management, and interactions with the beacon Application Programming Interface (API).
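Dynamic Function Resolution is only named above, so here is what it looks like at the symbol level. A BOF declares each Win32 function it needs under a `MODULE$Function` name, for example `DECLSPEC_IMPORT DWORD WINAPI KERNEL32$GetLastError(void);`, and the compiler then emits an undefined `__imp_KERNEL32$GetLastError` symbol that the loader resolves at run time with LoadLibrary and GetProcAddress; an import without a module part (`__imp_BeaconPrintf`) is served from the beacon's own API table instead. The C example below is added here and is not code from the thesis or from ciroStrike: it implements the symbol-classification step a BOF loader performs before any resolution, including the check that refuses a Beacon API function the runtime does not implement. The symbol table and the Beacon API list are constructed for the example (the list is a subset of the functions documented in Cobalt Strike's public beacon.h), and the function names are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Symbol kinds a BOF loader must distinguish in the COFF symbol table. */
typedef enum {
    SYM_INTERNAL,    /* defined in the object itself: go(), static helpers */
    SYM_BEACON_API,  /* __imp_BeaconPrintf ...: served from the beacon's API table */
    SYM_DFR_IMPORT   /* __imp_KERNEL32$GetProcAddress: LoadLibrary + GetProcAddress */
} sym_kind;

typedef struct {
    sym_kind kind;
    char module[64];    /* "KERNEL32" for a DFR import, empty otherwise */
    char function[128]; /* undecorated function name */
} bof_symbol;

/* Constructed subset of the Beacon API names from the public beacon.h;
   a real runtime lists every function it implements. */
static const char *const BEACON_API[] = {
    "BeaconDataParse", "BeaconDataInt", "BeaconDataShort", "BeaconDataLength",
    "BeaconDataExtract", "BeaconFormatAlloc", "BeaconFormatFree",
    "BeaconFormatAppend", "BeaconFormatPrintf", "BeaconFormatToString",
    "BeaconPrintf", "BeaconOutput", "BeaconUseToken", "BeaconRevertToken",
    "BeaconIsAdmin", "BeaconCleanupProcess", "toWideChar",
};

int beacon_api_supported(const char *fn)
{
    for (size_t i = 0; i < sizeof BEACON_API / sizeof BEACON_API[0]; i++)
        if (strcmp(BEACON_API[i], fn) == 0) return 1;
    return 0;
}

/* Copy src into dst, dropping an x86 stdcall "@N" decoration such as "@8". */
static int copy_undecorated(char *dst, size_t cap, const char *src)
{
    const char *at = strrchr(src, '@');
    size_t len = (at && isdigit((unsigned char)at[1])) ? (size_t)(at - src) : strlen(src);
    if (len == 0 || len >= cap) return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Classify one COFF symbol name. Returns 0 on success, -1 for a malformed
   external reference (the loader should refuse the BOF rather than guess). */
int bof_classify_symbol(const char *name, bof_symbol *out)
{
    static const char prefix[] = "__imp_";
    memset(out, 0, sizeof *out);

    if (strncmp(name, prefix, sizeof prefix - 1) != 0) {
        out->kind = SYM_INTERNAL;
        return copy_undecorated(out->function, sizeof out->function, name);
    }
    const char *rest = name + (sizeof prefix - 1);
    if (*rest == '_') rest++;            /* x86 objects carry a leading underscore */

    const char *dollar = strchr(rest, '$');
    if (dollar == NULL) {                /* no MODULE$ part: Beacon API */
        out->kind = SYM_BEACON_API;
        return copy_undecorated(out->function, sizeof out->function, rest);
    }
    size_t mlen = (size_t)(dollar - rest);
    if (mlen == 0 || mlen >= sizeof out->module) return -1;
    memcpy(out->module, rest, mlen);
    out->module[mlen] = '\0';
    out->kind = SYM_DFR_IMPORT;
    return copy_undecorated(out->function, sizeof out->function, dollar + 1);
}

/* 1 if the runtime can satisfy this symbol, 0 if loading must be refused.
   DFR imports are accepted here; the actual LoadLibrary/GetProcAddress call
   happens on Windows while relocations are applied and may still fail. */
int bof_symbol_resolvable(const char *name)
{
    bof_symbol s;
    if (bof_classify_symbol(name, &s) != 0) return 0;
    return s.kind != SYM_BEACON_API || beacon_api_supported(s.function);
}

int main(void)
{
    /* Constructed symbol table of a small BOF (x64 and one x86-style name). */
    const char *const table[] = {
        "go", "__imp_BeaconPrintf", "__imp_KERNEL32$GetProcAddress",
        "__imp__ADVAPI32$OpenProcessToken@12", "__imp_BeaconNotReal", "__imp_",
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        bof_symbol s;
        int ok = bof_classify_symbol(table[i], &s);
        printf("%-40s kind=%d module=%-10s function=%-18s resolvable=%d\n",
               table[i], ok == 0 ? (int)s.kind : -1, s.module, s.function,
               bof_symbol_resolvable(table[i]));
    }
    return 0;
}
```

The two failure paths matter for a runtime that must stay compact: a malformed `__imp_` name and a Beacon API function the beacon does not implement are both rejected before any memory is mapped, so a BOF written against a newer beacon.h fails cleanly instead of jumping through a NULL entry.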
The core contributions of this work are the design and implementation of a generic BOF runtime and its integration into the Mythic-based beacon “ciroStrike” developed by cirosec. By adapting the BOF execution mechanisms and ensuring compatibility with Mythic’s architecture, this integration enhances the beacon’s flexibility while preserving its compact and evasive nature. Furthermore, an analysis of publicly available BOF implementations evaluates how far they can be executed with this approach.
The results demonstrate that BOFs can be successfully executed within Mythic with minimal modifications, bridging the gap between proprietary and open-source C2 frameworks. This research contributes to the evolution of offensive security tooling by expanding the interoperability of red team frameworks and improving the adaptability of C2 beacons.