Document Type
- Bachelor Thesis
- Master's Thesis
Language
- English
Keywords
- Computer security
- API
- Beacon Object Files
- C++
- CSAF
- Cobalt Strike
- Command and Control
- Common Object File Format
- Go (programming language)
- Golang
Open Access
- Diamond

This work addresses the conceptualization, design, and implementation of an Application Programming Interface (API) for the Common Security Advisory Framework (CSAF) 2.0. The API introduces a third way of distributing CSAF documents alongside the two the standard already defines (directory-based and ROLIE-based distribution). Neither of the existing methods supports flexible queries or filtering, which makes it hard for operators of software and hardware to consume CSAF documents at scale. An API is intended to close this gap and thus advance the automation goal of CSAF.
First, it is evaluated whether the current standard allows the implementation of such an API. Conflicts are highlighted and adaptations to the standard are suggested. Based on these results, the API is designed to meet the previously defined requirements. Subsequently, a proof of concept is developed according to the design and extensively tested with specially prepared test data. Finally, the results and the necessary adjustments to the standard are summarized and justified.
The conceptual design and the implementation were completed successfully. However, during the implementation of the proof of concept, some API routes could not be fully implemented.

Command & Control (C2) frameworks are a popular tool for threat actors attacking and infiltrating infrastructures and systems. They provide long-lived footholds in a compromised environment and covert channels through which the attacker keeps interacting with it. The same frameworks play a crucial role in defensive cybersecurity work, enabling red teams and penetration testers to simulate real-world adversary tactics. Cobalt Strike, a widely used proprietary C2 framework, offers an extensible plugin system based on Beacon Object Files (BOFs): small COFF object files that the Beacon agent loads and executes inside its own process. Mythic, an open-source alternative, provides a modular architecture but has no native BOF support.
This thesis explores the feasibility of integrating Cobalt Strike’s BOF capabilities into a Mythic-based beacon developed at cirosec. The research begins by analyzing the structural and functional differences between Cobalt Strike and Mythic, focusing on their plugin systems and execution environments. It then examines the technical details of BOF execution, including Dynamic Function Resolution (DFR), memory management, and interactions with the beacon Application Programming Interface (API).
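As an added example (not code from the thesis, from ciroStrike, or from Mythic or Cobalt Strike), the following C program shows the first step any BOF runtime has to perform before it can apply relocations or call `go`: reading the COFF symbol table and sorting the undefined `__imp_` symbols into Win32 imports in Cobalt Strike's `MODULE$Function` DFR form, which a Windows loader resolves with LoadLibraryA/GetProcAddress, and Beacon API functions (`BeaconPrintf`, ...) that the runtime must provide itself. All struct, function and variable names are mine; the object it parses is constructed inline (no sections, one defined symbol, three imports) so that the example runs on any platform, and every offset read from the object is bounds-checked, because a malformed object must be rejected rather than read out of bounds.

```c
#include <stdint.h>
#include <string.h>

/* On-disk COFF layouts from the PE/COFF specification (packed, little-endian). */
#pragma pack(push, 1)
typedef struct {
    uint16_t Machine, NumberOfSections;
    uint32_t TimeDateStamp, PointerToSymbolTable, NumberOfSymbols;
    uint16_t SizeOfOptionalHeader, Characteristics;
} coff_file_header;                                  /* 20 bytes */
typedef struct {
    union { char ShortName[8]; struct { uint32_t Zeroes, Offset; } Long; } N; /* Zeroes==0: name in string table */
    uint32_t Value;
    int16_t  SectionNumber;                          /* 0 = undefined, i.e. an import */
    uint16_t Type;
    uint8_t  StorageClass;                           /* 2 = IMAGE_SYM_CLASS_EXTERNAL */
    uint8_t  NumberOfAuxSymbols;
} coff_symbol;                                       /* 18 bytes */
#pragma pack(pop)
#define IMAGE_FILE_MACHINE_AMD64 0x8664
#define IMAGE_SYM_CLASS_EXTERNAL 2
/* One DFR reference: module is empty (and is_beacon set) for Beacon API functions. */
typedef struct { char module[64], func[64]; int is_beacon; } dfr_import;

/* Copy a symbol's name into out; returns 0 if it lies outside the object or is unterminated. */
static int symbol_name(const uint8_t *buf, size_t len, const coff_file_header *h,
                       const coff_symbol *s, char *out, size_t outsz) {
    const char *p = s->N.ShortName, *end; size_t avail = 8; /* short names may fill all 8 bytes without a NUL */
    if (s->N.Long.Zeroes == 0) {                     /* long name: string table follows the symbol table */
        size_t strtab = (size_t)h->PointerToSymbolTable + (size_t)h->NumberOfSymbols * sizeof(coff_symbol);
        uint32_t size;                               /* its first 4 bytes hold the table's total size */
        if (strtab + 4 > len) return 0;
        memcpy(&size, buf + strtab, 4);
        if (size < 4 || strtab + size > len || s->N.Long.Offset < 4 || s->N.Long.Offset >= size) return 0;
        p = (const char *)buf + strtab + s->N.Long.Offset;
        avail = size - s->N.Long.Offset;
        if (!memchr(p, 0, avail)) return 0;          /* must terminate inside the table */
    }
    end = memchr(p, 0, avail);
    if (end) avail = (size_t)(end - p);
    if (avail >= outsz) return 0;
    memcpy(out, p, avail); out[avail] = 0;
    return 1;
}

/* Walk the symbol table of an x64 BOF and collect every undefined "__imp_" symbol into out.
   Returns the number of imports, or -1 if the object is malformed or out is too small. */
int collect_dfr_imports(const uint8_t *buf, size_t len, dfr_import *out, size_t max_out) {
    coff_file_header h;
    if (len < sizeof h) return -1;
    memcpy(&h, buf, sizeof h);
    if (h.Machine != IMAGE_FILE_MACHINE_AMD64) return -1; /* x86 BOFs use __imp__ plus stdcall decoration */
    size_t symtab = h.PointerToSymbolTable, count = 0;
    if (symtab > len || (size_t)h.NumberOfSymbols * sizeof(coff_symbol) > len - symtab) return -1;
    for (uint32_t i = 0; i < h.NumberOfSymbols; i++) {
        coff_symbol s;
        char name[160], *dollar;
        memcpy(&s, buf + symtab + (size_t)i * sizeof s, sizeof s);
        i += s.NumberOfAuxSymbols;                       /* auxiliary records carry no symbol names */
        if (s.SectionNumber != 0 || s.StorageClass != IMAGE_SYM_CLASS_EXTERNAL) continue;
        if (!symbol_name(buf, len, &h, &s, name, sizeof name)) return -1;
        if (strncmp(name, "__imp_", 6) != 0) continue;   /* only DFR references use this prefix */
        if (count == max_out) return -1;
        memset(&out[count], 0, sizeof out[count]);
        dollar = strchr(name + 6, '$');
        if (dollar) {                 /* MODULE$Function: later LoadLibraryA(MODULE) + GetProcAddress(Function) */
            *dollar = 0;
            if (strlen(name + 6) >= sizeof out->module || strlen(dollar + 1) >= sizeof out->func) return -1;
            strcpy(out[count].module, name + 6);
            strcpy(out[count].func, dollar + 1);
        } else {                      /* no module: the beacon runtime must export it (BeaconPrintf, ...) */
            if (strlen(name + 6) >= sizeof out->func) return -1;
            strcpy(out[count].func, name + 6);
            out[count].is_beacon = strncmp(name + 6, "Beacon", 6) == 0;
        }
        count++;
    }
    return (int)count;
}

/* Constructed sample, not a compiled BOF: an x64 COFF with no sections, the defined entry
   point "go" and three long-named imports. Returns the object size written to buf. */
size_t build_sample_coff(uint8_t *buf, size_t cap) {
    static const char strtab[] =     /* 4-byte size (0x53 = 83) then the NUL-terminated names */
        "\x53\0\0\0__imp_KERNEL32$VirtualAlloc\0__imp_BeaconPrintf\0__imp_ADVAPI32$OpenProcessToken";
    static const uint32_t name_off[3] = { 4, 32, 51 };
    coff_file_header h = { IMAGE_FILE_MACHINE_AMD64, 0, 0, sizeof h, 4, 0, 0 };
    coff_symbol s[4] = {{{ "go" }}};                 /* symbol 0: short name, defined in section 1 */
    size_t total = sizeof h + sizeof s + sizeof strtab;
    if (cap < total) return 0;
    s[0].SectionNumber = 1;
    for (int i = 0; i < 4; i++) s[i].StorageClass = IMAGE_SYM_CLASS_EXTERNAL;
    for (int i = 1; i < 4; i++) s[i].N.Long.Offset = name_off[i - 1]; /* Zeroes stays 0 -> long name */
    memcpy(buf, &h, sizeof h);
    memcpy(buf + sizeof h, s, sizeof s);
    memcpy(buf + sizeof h + sizeof s, strtab, sizeof strtab);
    return total;
}
```

Calling `build_sample_coff` and then `collect_dfr_imports` yields three imports: `KERNEL32$VirtualAlloc` and `ADVAPI32$OpenProcessToken` as Win32 targets and `BeaconPrintf` as a Beacon API function. A real runtime would continue from here by allocating executable memory for the sections, writing each resolved pointer into a slot that the `__imp_` relocations are patched to reference, and finally calling `go` with the packed arguments; truncated objects and objects for the wrong machine type are rejected with -1 before any of that happens.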
The core contributions of this work are the design and implementation of a generic BOF runtime and its integration into the Mythic-based beacon "ciroStrike" developed by cirosec. By adapting the BOF execution mechanisms to Mythic's architecture, this integration enhances the beacon's flexibility while preserving its compact and evasive nature. Furthermore, an analysis of publicly available BOF implementations evaluates how well they fit this approach.
The results demonstrate that BOFs can be successfully executed within Mythic with minimal modifications, bridging the gap between proprietary and open-source C2 frameworks. This research contributes to the evolution of offensive security tooling by expanding the interoperability of red team frameworks and improving the adaptability of C2 beacons.