Imix
Imix is an offensive security implant designed for stealthy communication and adversary emulation. It functions as a Beacon, receiving Eldritch packages called Tomes from a central server (Tavern) and evaluating them on the host system. It currently supports gRPC over HTTP(S) as its primary communication mechanism, but can be extended to support additional transport channels (see the developer guide for more info).
Configuration
Imix has compile-time configuration that may be specified using environment variables during `cargo build`. The values are baked into the binary at build time; they cannot be changed afterwards without rebuilding.
Env Var | Description | Default | Required
---|---|---|---
IMIX_CALLBACK_URI | URI for initial callbacks (must specify a scheme, e.g. `http://`) | http://127.0.0.1:80 | No
IMIX_CALLBACK_INTERVAL | Duration between callbacks, in seconds. | 5 | No
IMIX_RETRY_INTERVAL | Duration to wait before restarting the agent loop if an error occurs, in seconds. | 5 | No
IMIX_PROXY_URI | Override the system proxy settings with this HTTP(S) proxy URI (must specify a scheme, e.g. `https://`) | No proxy | No
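The following is an added example of how compile-time configuration of this kind works in Rust; it is not imix's own code. It assumes the variables are read with `option_env!` (which resolves at compile time and yields `None` when the variable was unset during `cargo build`) and that the defaults and scheme requirement match the table above. The names `ImixConfig`, `build_config`, `parse_secs` and `has_scheme` are illustrative.

```rust
// Added example, not imix's own code: compile-time configuration via environment
// variables. Assumption: imix reads IMIX_* with option_env! and falls back to the
// table defaults when a variable is unset.

/// Values baked in when `cargo build` ran; None if the variable was unset then.
const CALLBACK_URI_BAKED: Option<&str> = option_env!("IMIX_CALLBACK_URI");
const CALLBACK_INTERVAL_BAKED: Option<&str> = option_env!("IMIX_CALLBACK_INTERVAL");
const RETRY_INTERVAL_BAKED: Option<&str> = option_env!("IMIX_RETRY_INTERVAL");
const PROXY_URI_BAKED: Option<&str> = option_env!("IMIX_PROXY_URI");

#[derive(Debug, PartialEq)]
pub struct ImixConfig {
    pub callback_uri: String,
    pub callback_interval_secs: u64,
    pub retry_interval_secs: u64,
    pub proxy_uri: Option<String>,
}

/// The table requires an explicit scheme on every URI.
pub fn has_scheme(uri: &str) -> bool {
    uri.starts_with("http://") || uri.starts_with("https://")
}

/// Parse a seconds value, falling back to `default` when unset or not a number.
pub fn parse_secs(raw: Option<&str>, default: u64) -> u64 {
    raw.and_then(|s| s.trim().parse::<u64>().ok()).unwrap_or(default)
}

/// Combine raw (possibly absent) values into a validated configuration.
/// Taking the raw values as parameters keeps the logic testable independent
/// of whatever environment the binary was actually built in.
pub fn build_config(
    callback_uri: Option<&str>,
    callback_interval: Option<&str>,
    retry_interval: Option<&str>,
    proxy_uri: Option<&str>,
) -> Result<ImixConfig, String> {
    let callback_uri = callback_uri.unwrap_or("http://127.0.0.1:80");
    if !has_scheme(callback_uri) {
        return Err(format!("IMIX_CALLBACK_URI must include a scheme: {callback_uri}"));
    }
    let proxy_uri = match proxy_uri {
        Some(p) if !has_scheme(p) => {
            return Err(format!("IMIX_PROXY_URI must include a scheme: {p}"))
        }
        Some(p) => Some(p.to_string()),
        None => None,
    };
    Ok(ImixConfig {
        callback_uri: callback_uri.to_string(),
        callback_interval_secs: parse_secs(callback_interval, 5),
        retry_interval_secs: parse_secs(retry_interval, 5),
        proxy_uri,
    })
}

/// The configuration this particular binary was compiled with.
pub fn baked_config() -> Result<ImixConfig, String> {
    build_config(
        CALLBACK_URI_BAKED,
        CALLBACK_INTERVAL_BAKED,
        RETRY_INTERVAL_BAKED,
        PROXY_URI_BAKED,
    )
}

fn main() {
    match baked_config() {
        Ok(cfg) => println!("built with {cfg:?}"),
        Err(e) => eprintln!("bad build-time configuration: {e}"),
    }
}
```

Because these values become string literals in the binary, the callback URI and any proxy URI are recoverable from the artifact with `strings`; treat a built implant as disclosing its C2 address, and build with an `https://` callback URI rather than the plaintext default for anything beyond local testing.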
Logging
At runtime, you may use the IMIX_LOG environment variable to control log levels and verbosity. See these docs for more information. When building a release version of imix, logging is disabled and is not included in the released binary.
Installation
The install subcommand executes embedded tomes, similar to golem. It loops through all embedded files looking for main.eldritch and executes each main.eldritch in a new thread. This allows imix to install itself redundantly or to install additional (non-dependent) tools.
Installation scripts are specified in the realm/implants/imix/install_scripts directory.
This feature is currently under active development and may change. We'll do our best to keep these docs updated in the meantime.
Functionality
Imix derives all its functionality from the Eldritch language. See the Eldritch User Guide for more information.
Task management
Imix can execute up to 127 threads concurrently; beyond that, the main imix thread blocks until one of the running threads finishes. Every callback interval imix queries each active thread for new output and relays it back to the C2. This means even long-running tasks report their status as new data comes in.
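The polling model described above, as an added example that is not imix's own code: each task runs on its own thread and streams lines over a channel, and once per callback interval the agent loop drains every channel without blocking and relays whatever arrived. The constant `MAX_TASKS`, the `Task`/`TaskOutput` types and the functions `spawn_task`, `poll_tasks` and `try_spawn` are illustrative names; the output lines are constructed sample data standing in for tome output. One deliberate simplification: when the limit is reached this example refuses the new task instead of blocking the main thread.

```rust
// Added example, not imix's own code: worker threads stream output through
// channels; the agent loop drains them non-blockingly each callback interval.
use std::sync::mpsc::{self, Receiver, Sender, TryRecvError};
use std::thread::{self, JoinHandle};
use std::time::Duration;

/// Concurrency limit from the text above: 127 task threads.
pub const MAX_TASKS: usize = 127;

pub struct Task {
    pub id: u64,
    rx: Receiver<String>,
    handle: Option<JoinHandle<()>>,
}

/// What one callback relays for one task: the new lines, and whether it ended.
#[derive(Debug, PartialEq)]
pub struct TaskOutput {
    pub id: u64,
    pub chunks: Vec<String>,
    pub finished: bool,
}

/// Spawn a task that emits `n` constructed output lines, `delay` apart
/// (stands in for evaluating a tome that produces output over time).
pub fn spawn_task(id: u64, n: usize, delay: Duration) -> Task {
    let (tx, rx): (Sender<String>, Receiver<String>) = mpsc::channel();
    let handle = thread::spawn(move || {
        for i in 0..n {
            thread::sleep(delay);
            // If the agent loop dropped the receiver, stop producing output.
            if tx.send(format!("task {id} line {i}")).is_err() {
                break;
            }
        }
        // `tx` is dropped here, which the poller sees as Disconnected.
    });
    Task { id, rx, handle: Some(handle) }
}

/// One callback: take everything each task produced so far without waiting.
/// Tasks whose thread has exited and whose channel is empty are removed.
pub fn poll_tasks(tasks: &mut Vec<Task>) -> Vec<TaskOutput> {
    let mut out = Vec::new();
    tasks.retain_mut(|t| {
        let mut chunks = Vec::new();
        let mut finished = false;
        loop {
            match t.rx.try_recv() {
                Ok(line) => chunks.push(line),
                Err(TryRecvError::Empty) => break,
                Err(TryRecvError::Disconnected) => {
                    finished = true;
                    break;
                }
            }
        }
        if finished {
            if let Some(h) = t.handle.take() {
                let _ = h.join();
            }
        }
        if !chunks.is_empty() || finished {
            out.push(TaskOutput { id: t.id, chunks, finished });
        }
        !finished
    });
    out
}

/// Start a task unless the limit is reached (this example refuses; the text
/// above says imix blocks instead).
pub fn try_spawn(tasks: &mut Vec<Task>, id: u64, n: usize, delay: Duration) -> bool {
    if tasks.len() >= MAX_TASKS {
        return false;
    }
    tasks.push(spawn_task(id, n, delay));
    true
}

fn main() {
    let mut tasks = Vec::new();
    try_spawn(&mut tasks, 1, 3, Duration::from_millis(50));
    try_spawn(&mut tasks, 2, 1, Duration::from_millis(10));
    let callback_interval = Duration::from_millis(100);
    while !tasks.is_empty() {
        thread::sleep(callback_interval);
        for o in poll_tasks(&mut tasks) {
            println!("relay to c2: {o:?}");
        }
    }
}
```

Draining with `try_recv` rather than `recv` is what keeps a slow or hung task from stalling the callback for every other task; the agent only ever waits on the callback timer, never on a worker.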
Proxy support
Imix's default grpc transport supports HTTP and HTTPS proxies for outbound communication.
By default imix will try to determine the system's proxy settings:
- On Linux, by reading the environment variables http_proxy and then https_proxy
- On Windows, MacOS and FreeBSD, the default proxy cannot be determined automatically; specify a proxy explicitly with IMIX_PROXY_URI at build time if one is needed
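The proxy precedence described above, as an added example that is not imix's own code: a proxy supplied at build time through IMIX_PROXY_URI wins outright; otherwise, only on Linux, http_proxy and then https_proxy are consulted; on every other platform the connection goes direct. The `ProxyChoice` type and `resolve_proxy` function are illustrative names, and the environment is passed in as a map (constructed sample values in `main`) so the logic can be exercised offline.

```rust
// Added example, not imix's own code: resolve the outbound proxy with the
// precedence described in the text. The process environment is injected as a
// map rather than read directly so the decision logic is testable.
use std::collections::HashMap;

#[derive(Debug, PartialEq)]
pub enum ProxyChoice {
    /// Set explicitly via IMIX_PROXY_URI at build time.
    Explicit(String),
    /// Discovered from http_proxy / https_proxy (Linux only).
    FromEnv(String),
    /// No proxy: connect directly.
    Direct,
}

/// Both the table and the proxy variables require an explicit scheme.
fn has_scheme(uri: &str) -> bool {
    uri.starts_with("http://") || uri.starts_with("https://")
}

/// `build_override` is the baked-in IMIX_PROXY_URI (None if unset);
/// `os` is e.g. std::env::consts::OS; `env` is the process environment.
pub fn resolve_proxy(
    build_override: Option<&str>,
    os: &str,
    env: &HashMap<String, String>,
) -> Result<ProxyChoice, String> {
    if let Some(uri) = build_override {
        if !has_scheme(uri) {
            return Err(format!("IMIX_PROXY_URI must include a scheme: {uri}"));
        }
        return Ok(ProxyChoice::Explicit(uri.to_string()));
    }
    // Automatic detection is only attempted on Linux.
    if os != "linux" {
        return Ok(ProxyChoice::Direct);
    }
    for var in ["http_proxy", "https_proxy"] {
        if let Some(uri) = env.get(var).filter(|v| !v.is_empty()) {
            if !has_scheme(uri) {
                return Err(format!("{var} must include a scheme: {uri}"));
            }
            return Ok(ProxyChoice::FromEnv(uri.clone()));
        }
    }
    Ok(ProxyChoice::Direct)
}

/// Snapshot of the real process environment, for use outside tests.
pub fn process_env() -> HashMap<String, String> {
    std::env::vars().collect()
}

fn main() {
    // Constructed sample environment; not read from the real process.
    let env: HashMap<String, String> = [
        ("http_proxy".to_string(), "http://proxy.example.com:3128".to_string()),
    ]
    .into_iter()
    .collect();
    println!("{:?}", resolve_proxy(None, std::env::consts::OS, &env));
}
```

Note that the lowercase `http_proxy`/`https_proxy` names are the ones the text lists; an operator who only exports the uppercase variants will get a direct connection, so check which spelling the target shell actually sets.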
Static cross compilation
Linux
rustup target add x86_64-unknown-linux-musl
sudo apt update
sudo apt install musl-tools
cd realm/implants/imix/
RUSTFLAGS="-C target-feature=+crt-static" cargo build --release --target=x86_64-unknown-linux-musl
MacOS
MacOS does not support static linking of binaries; see https://developer.apple.com/forums/thread/706419
Cross compilation for MacOS is more complicated than we'll support here. As a starting point, see this blog post on cross compiling from Linux to MacOS: https://wapl.es/rust/2019/02/17/rust-cross-compile-linux-to-macos.html/
Windows
rustup target add x86_64-pc-windows-gnu
sudo apt update
sudo apt install gcc-mingw-w64
# Build the reflective loader
cd realm/bin/reflective_loader
RUSTFLAGS="-C target-feature=+crt-static" cargo build --release --lib --target=x86_64-pc-windows-gnu
# You may have to adjust `LOADER_BYTES` include path in `dll_reflect_impl.rs` changing `x86_64-pc-windows-msvc` ---> `x86_64-pc-windows-gnu`
# Build imix
cd realm/implants/imix/
# Build imix.exe
RUSTFLAGS="-C target-feature=+crt-static" cargo build --release --target=x86_64-pc-windows-gnu
# Build imix.svc.exe
RUSTFLAGS="-C target-feature=+crt-static" cargo build --release --features win_service --target=x86_64-pc-windows-gnu
# Build imix.dll
RUSTFLAGS="-C target-feature=+crt-static" cargo build --release --lib --target=x86_64-pc-windows-gnu