Imix

Imix is an offensive security implant designed for stealthy communication and adversary emulation. It functions as a Beacon, receiving Eldritch packages called Tomes from a central server (Tavern) and evaluating them on the host system. It currently supports gRPC over HTTP(S) as its primary communication mechanism, but can be extended to support additional transport channels (see the developer guide for more info).

Configuration

Imix has compile-time configuration that may be specified using environment variables during cargo build.

| Env Var | Description | Default | Required |
| --- | --- | --- | --- |
| IMIX_CALLBACK_URI | URI for initial callbacks (must specify a scheme, e.g. http://) | http://127.0.0.1:80 | No |
| IMIX_CALLBACK_INTERVAL | Duration between callbacks, in seconds. | 5 | No |
| IMIX_RETRY_INTERVAL | Duration to wait before restarting the agent loop if an error occurs, in seconds. | 5 | No |
| IMIX_PROXY_URI | Override system settings for proxy URI over HTTP(S) (must specify a scheme, e.g. https://) | No proxy | No |

Logging

At runtime, you may use the IMIX_LOG environment variable to control log levels and verbosity. See these docs for more information. When building a release version of imix, logging is disabled and is not included in the released binary.

Installation

The install subcommand executes embedded tomes similar to golem. It will loop through all embedded files looking for main.eldritch. Each main.eldritch will execute in a new thread. This is done to allow imix to install redundantly or to install additional (non-dependent) tools.

Installation scripts are specified in the realm/implants/imix/install_scripts directory.

This feature is currently under active development, and may change. We’ll do our best to keep these docs updated in the meantime.

Functionality

Imix derives all its functionality from the eldritch language. See the Eldritch User Guide for more information.

Task management

Imix can execute up to 127 threads concurrently; after that, the main imix thread will block behind the other threads. Every callback interval, imix will query each active thread for new output and relay that back to the C2. This means even long-running tasks will report their status as new data comes in.
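The task model described above, written out as an added Rust sketch that is not Imix's own code: each task runs in its own thread, its output flows back over a channel, and one poll per callback interval drains whatever is pending without blocking and reaps threads that have finished. The names TaskManager, Task and MAX_TASKS are assumptions for this example.

```rust
// Added example (hypothetical names), modelling the documented behaviour.
use std::sync::mpsc::{self, Receiver, TryRecvError};
use std::thread::{self, JoinHandle};

/// Concurrency limit quoted in the docs: beyond this the caller must wait.
pub const MAX_TASKS: usize = 127;

pub struct Task {
    pub id: u64,
    output: Receiver<String>,
    handle: Option<JoinHandle<()>>,
}

#[derive(Default)]
pub struct TaskManager {
    tasks: Vec<Task>,
}

impl TaskManager {
    /// Run `work` in a new thread; `Err` if the task limit is already reached.
    pub fn spawn<F>(&mut self, id: u64, work: F) -> Result<(), &'static str>
    where
        F: FnOnce(mpsc::Sender<String>) + Send + 'static,
    {
        if self.tasks.len() >= MAX_TASKS {
            return Err("task limit reached; wait for a running task to finish");
        }
        let (tx, rx) = mpsc::channel();
        let handle = thread::spawn(move || work(tx));
        self.tasks.push(Task { id, output: rx, handle: Some(handle) });
        Ok(())
    }

    /// One callback interval: collect every line each active task has produced
    /// so far (non-blocking), and drop tasks whose thread has exited.
    pub fn poll(&mut self) -> Vec<(u64, String)> {
        let mut report = Vec::new();
        self.tasks.retain_mut(|t| loop {
            match t.output.try_recv() {
                Ok(line) => report.push((t.id, line)),
                Err(TryRecvError::Empty) => return true, // still running, keep it
                Err(TryRecvError::Disconnected) => {
                    // Sender dropped: the work closure returned, so reap the thread.
                    if let Some(h) = t.handle.take() { let _ = h.join(); }
                    return false;
                }
            }
        });
        report
    }

    pub fn active(&self) -> usize { self.tasks.len() }
}
```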

Proxy support

Imix’s default gRPC transport supports HTTP and HTTPS proxies for outbound communication. By default imix will try to determine the system’s proxy settings:

  • On Linux - reads the environment variables http_proxy and then https_proxy
  • On Windows - we cannot automatically determine the default proxy
  • On MacOS - we cannot automatically determine the default proxy
  • On FreeBSD - we cannot automatically determine the default proxy

Static cross compilation

Linux

rustup target add x86_64-unknown-linux-musl

sudo apt update
sudo apt install musl-tools
cd realm/implants/imix/
RUSTFLAGS="-C target-feature=+crt-static" cargo build --release --target=x86_64-unknown-linux-musl

MacOS

MacOS does not support static compilation (see https://developer.apple.com/forums/thread/706419).

Cross compilation is more complicated than we’ll support. Check out this blog as a starting point for cross compiling: https://wapl.es/rust/2019/02/17/rust-cross-compile-linux-to-macos.html/

Windows

rustup target add x86_64-pc-windows-gnu

sudo apt update
sudo apt install gcc-mingw-w64

# Build the reflective loader
cd realm/bin/reflective_loader
RUSTFLAGS="-C target-feature=+crt-static" cargo build --release --lib --target=x86_64-pc-windows-gnu
# You may have to adjust `LOADER_BYTES` include path in `dll_reflect_impl.rs` changing `x86_64-pc-windows-msvc` ---> `x86_64-pc-windows-gnu`

# Build imix
cd realm/implants/imix/
# Build imix.exe
RUSTFLAGS="-C target-feature=+crt-static" cargo build --release --target=x86_64-pc-windows-gnu
# Build imix.svc.exe
RUSTFLAGS="-C target-feature=+crt-static" cargo build --release --features win_service --target=x86_64-pc-windows-gnu
# Build imix.dll
RUSTFLAGS="-C target-feature=+crt-static" cargo build --release --lib --target=x86_64-pc-windows-gnu