2. Open Adversary Simulation Toolkit
We follow a DIY (do-it-yourself) philosophy when preparing a C2 solution for given mission objectives. Therefore we provide an open and flexible architecture together with reusable building blocks that can be quickly tailored to a given scenario.
z-beac0n is an example of a software implant written with the bof-launcher library. Conceptually it looks like this:
Software implants based on the bof-launcher library are characterized by an open and very flexible architecture that allows practically endless possibilities when building an implant. This is especially important during adversary simulation engagements because it:
- allows a given adversary, including their tools and behavior, to be simulated precisely,
- provides "species variety", which is a big advantage when evading detection measures.
That being said, the z-beac0n implant is comprised of only two small components:
- BOF 0: an initial BOF file that will be launched right after the implant starts. The provided z-beac0n core BOF is a reference implementation of BOF zero;
- statically compiled bof-launcher library.
Every additional capability that is required is provided by additional BOFs that are managed by BOF 0 using the bof-launcher API. Our BOF collection already contains a number of high-quality, ready-to-use BOFs.
By default, the z-beac0n implant is compiled to a stageless form:
Its components are available in the example/implant directory:
- shellcode.zig - initial code that will run and load additional parts of the implant,
- main.zig - ELF executable that will be loaded by the shellcode,
- z-beac0n core BOF - BOF 0 that will orchestrate the implant's operations.
Build artifacts will be available in the zig-out/bin/ directory:
# ELF executable
z-beac0n_lin_x64
# PIC shellcode
z-beac0n_lin_x64.bin
It is possible to build the implant to a staged form, as conceptually shown below: