
Enhancing Command & Control Capabilities: Integrating Cobalt Strike's Plugin System into a Mythic-based Beacon Developed at cirosec

Command & Control (C2) frameworks are a popular tool for bad actors to attack and infiltrate infrastructures and systems. They allow long-lasting inroads to be made into the infrastructure, through which attackers can interact with it through covert channels. These frameworks thus also play a crucial role in cybersecurity, enabling red teams and penetration testers to simulate those real-world adversary tactics. Cobalt Strike, a widely used proprietary C2 framework, offers an extensible plugin system through Beacon Object Files (BOFs). Mythic, an open-source alternative, provides a modular architecture but lacks native BOF compatibility. This thesis explores the feasibility of integrating Cobalt Strike’s BOF capabilities into a Mythic-based beacon developed at cirosec. The research begins by analyzing the structural and functional differences between Cobalt Strike and Mythic, focusing on their plugin systems and execution environments. It then examines the technical details of BOF execution, including Dynamic Function Resolution (DFR), memory management, and interactions with the beacon Application Programming Interface (API). The core contributions of this work are the design and implementation of a generic BOF runtime and the implementation of it within the Mythic-based beacon “ciroStrike” developed by cirosec. By adapting BOF execution mechanisms and ensuring compatibility with Mythic’s architecture, this integration enhances the beacon’s flexibility while maintaining its compact and evasive nature. Furthermore, an analysis of publicly available BOF implementations evaluates their applicability to this approach. The results demonstrate that BOFs can be successfully executed within Mythic with minimal modifications, bridging the gap between proprietary and open-source C2 frameworks. This research contributes to the evolution of offensive security tooling by expanding the interoperability of red team frameworks and improving the adaptability of C2 beacons.

Metadata
Document Type: Master's Thesis
Citation link: https://opus.hs-offenburg.de/10531
Bibliographic information
Title (English): Enhancing Command & Control Capabilities: Integrating Cobalt Strike's Plugin System into a Mythic-based Beacon Developed at cirosec
Author: Leon Schmidt
Advisor: Daniel Hammer, Michael Brügge
Year of Publication: 2025
Publishing Institution: Hochschule Offenburg
Granting Institution: Hochschule Offenburg
Contributing Corporation: cirosec GmbH
Place of publication: Offenburg
Publisher: Hochschule Offenburg
Page Number: X, 132
URN: urn:nbn:de:bsz:ofb1-opus4-105311
Language: English
Content information
Institutes: Fakultät Elektrotechnik, Medizintechnik und Informatik (EMI) (from 04/2019)
Collections of the Offenburg University: Theses / Master's programmes / INFM
DDC classes: 000 Generalities, computer science, information science / 000 Generalities, science / 004 Computer science
Tag: Computer security
Beacon Object Files; C++; Cobalt Strike; Command and Control; Common Object File Format; Malware; Mythic; Red Teaming
Formal information
Open Access: Open Access, Diamond
Licence (German): Protected by copyright