Enhancing Command & Control Capabilities: Integrating Cobalt Strike's Plugin System into a Mythic-based Beacon Developed at cirosec
Command & Control (C2) frameworks are a popular tool for bad actors to attack and infiltrate infrastructures and systems. They allow long-lasting inroads to be made into the infrastructure, through which attackers can interact with it through covert channels. These frameworks thus also play a crucial role in cybersecurity, enabling red teams and penetration testers to simulate those real-world adversary tactics. Cobalt Strike, a widely used proprietary C2 framework, offers an extensible plugin system through Beacon Object Files (BOFs). Mythic, an open-source alternative, provides a modular architecture but lacks native BOF compatibility.
This thesis explores the feasibility of integrating Cobalt Strike’s BOF capabilities into a Mythic-based beacon developed at cirosec. The research begins by analyzing the structural and functional differences between Cobalt Strike and Mythic, focusing on their plugin systems and execution environments. It then examines the technical details of BOF execution, including Dynamic Function Resolution (DFR), memory management, and interactions with the beacon Application Programming Interface (API).
The core contributions of this work are the design and implementation of a generic BOF runtime and its integration into the Mythic-based beacon “ciroStrike” developed by cirosec. By adapting BOF execution mechanisms and ensuring compatibility with Mythic’s architecture, this integration enhances the beacon’s flexibility while maintaining its compact and evasive nature. Furthermore, an analysis of publicly available BOF implementations evaluates their applicability to this approach.
The results demonstrate that BOFs can be successfully executed within Mythic with minimal modifications, bridging the gap between proprietary and open-source C2 frameworks. This research contributes to the evolution of offensive security tooling by expanding the interoperability of red team frameworks and improving the adaptability of C2 beacons.
Bibliographic information

| Field | Value |
|---|---|
| Document Type | Master's Thesis |
| Citation link | https://opus.hs-offenburg.de/10531 |
| Title (English) | Enhancing Command & Control Capabilities: Integrating Cobalt Strike's Plugin System into a Mythic-based Beacon Developed at cirosec |
| Author | Leon Schmidt |
| Advisor | Daniel Hammer, Michael Brügge |
| Year of Publication | 2025 |
| Publishing Institution | Hochschule Offenburg |
| Granting Institution | Hochschule Offenburg |
| Contributing Corporation | cirosec GmbH |
| Place of publication | Offenburg |
| Publisher | Hochschule Offenburg |
| Page Number | X, 132 |
| URN | urn:nbn:de:bsz:ofb1-opus4-105311 |
| Language | English |

Content information

| Field | Value |
|---|---|
| Institutes | Fakultät Elektrotechnik, Medizintechnik und Informatik (EMI) (from 04/2019) |
| Collections of the Offenburg University | Theses / Master's programmes / INFM |
| DDC classes | 000 General works, computer science, information science / 000 General works, science / 004 Computer science |
| Tags | Computer security; Beacon Object Files; C++; Cobalt Strike; Command and Control; Common Object File Format; Malware; Mythic; Red Teaming |

Formal information

| Field | Value |
|---|---|
| Open Access | Open Access (Diamond) |
| Licence (German) | |