Imix
Imix is an offensive security implant designed for stealthy communication and adversary emulation. It functions as a Beacon, receiving Eldritch packages called Tomes from a central server (Tavern) and evaluating them on the host system. It currently supports gRPC over HTTP(S) as its primary communication mechanism, but can be extended to support additional transport channels (see the developer guide for more info).
Configuration
Imix has compile-time configuration that may be specified using environment variables during `cargo build`. The values are baked into the binary at build time; they are not read from the environment when the beacon runs.
| Env Var | Description | Default | Required |
|---|---|---|---|
| IMIX_CALLBACK_URI | URI for initial callbacks (must specify a scheme, e.g. `http://`) | `http://127.0.0.1:80` | No |
| IMIX_CALLBACK_INTERVAL | Duration between callbacks, in seconds. | 5 | No |
| IMIX_RETRY_INTERVAL | Duration to wait before restarting the agent loop if an error occurs, in seconds. | 5 | No |
| IMIX_PROXY_URI | Override the system proxy settings with this HTTP(S) proxy URI (must specify a scheme, e.g. `https://`) | No proxy | No |
| IMIX_HOST_ID | Manually specify the host ID for this beacon. Supersedes the file on disk. | - | No |
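The following is an added example (not Imix's own configuration code) showing how a compile-time configuration like the table above can be expressed in Rust: `option_env!` captures each variable at build time, unset variables fall back to the documented defaults, and the "must specify a scheme" rule is enforced for the callback and proxy URIs so a bad build fails loudly instead of producing a beacon that never calls back. The names `BuildConfig`, `parse_build_config` and `build_config` are assumptions for illustration.

```rust
// Added example, not the Imix source. Compile-time env-var configuration with
// documented defaults and scheme validation. Type and function names are illustrative.
use std::time::Duration;

#[derive(Debug, PartialEq)]
pub struct BuildConfig {
    pub callback_uri: String,
    pub callback_interval: Duration,
    pub retry_interval: Duration,
    pub proxy_uri: Option<String>,
    pub host_id: Option<String>,
}

/// Reject URIs without a scheme, e.g. "127.0.0.1:80": the table requires "http://"-style
/// prefixes, and a missing scheme is the most common way to ship a beacon that cannot connect.
fn require_scheme(name: &str, uri: &str) -> Result<String, String> {
    let has_scheme = uri
        .split_once("://")
        .map(|(scheme, rest)| {
            !scheme.is_empty()
                && !rest.is_empty()
                && scheme.chars().all(|c| c.is_ascii_alphanumeric() || "+-.".contains(c))
        })
        .unwrap_or(false);
    if has_scheme {
        Ok(uri.to_string())
    } else {
        Err(format!("{name} must specify a scheme (e.g. http://), got {uri:?}"))
    }
}

/// Parse a whole-second interval, using `default` when the variable was not set at build time.
fn seconds(name: &str, raw: Option<&str>, default: u64) -> Result<Duration, String> {
    match raw {
        None => Ok(Duration::from_secs(default)),
        Some(s) => s
            .trim()
            .parse::<u64>()
            .map(Duration::from_secs)
            .map_err(|e| format!("{name} must be a whole number of seconds: {e}")),
    }
}

/// Pure parser over the raw (possibly absent) values, so the rules can be tested
/// without rebuilding the binary with different environment variables.
pub fn parse_build_config(
    callback_uri: Option<&str>,
    callback_interval: Option<&str>,
    retry_interval: Option<&str>,
    proxy_uri: Option<&str>,
    host_id: Option<&str>,
) -> Result<BuildConfig, String> {
    Ok(BuildConfig {
        callback_uri: require_scheme("IMIX_CALLBACK_URI", callback_uri.unwrap_or("http://127.0.0.1:80"))?,
        callback_interval: seconds("IMIX_CALLBACK_INTERVAL", callback_interval, 5)?,
        retry_interval: seconds("IMIX_RETRY_INTERVAL", retry_interval, 5)?,
        // An empty IMIX_PROXY_URI is treated the same as "not set": no proxy.
        proxy_uri: proxy_uri
            .filter(|p| !p.trim().is_empty())
            .map(|p| require_scheme("IMIX_PROXY_URI", p))
            .transpose()?,
        host_id: host_id.map(str::to_string),
    })
}

/// `option_env!` is expanded by the compiler, so these values are constants in the binary
/// and the runtime environment of the target host has no influence on them.
pub fn build_config() -> Result<BuildConfig, String> {
    parse_build_config(
        option_env!("IMIX_CALLBACK_URI"),
        option_env!("IMIX_CALLBACK_INTERVAL"),
        option_env!("IMIX_RETRY_INTERVAL"),
        option_env!("IMIX_PROXY_URI"),
        option_env!("IMIX_HOST_ID"),
    )
}

fn main() {
    match build_config() {
        Ok(cfg) => println!("{cfg:#?}"),
        Err(e) => eprintln!("invalid build-time configuration: {e}"),
    }
}
```

Because `option_env!` is resolved at compile time, a validation error here surfaces when the build is run (or on first start of a debug build), not on the target, which is where you want it.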
Logging
At runtime, you may use the `IMIX_LOG` environment variable to control log levels and verbosity. See these docs for more information. When building a release version of imix, logging is disabled and is not included in the released binary.
Installation
The `install` subcommand executes embedded tomes, similar to golem. It loops through all embedded files looking for `main.eldritch`; each `main.eldritch` found is executed in its own thread. This allows imix to install itself redundantly or to install additional (independent) tools.
Installation scripts are specified in the `realm/implants/imix/install_scripts` directory.
This feature is currently under active development and may change. We'll do our best to keep these docs updated in the meantime.
Functionality
Imix derives all its functionality from the Eldritch language. See the Eldritch User Guide for more information.
Task management
Imix can execute up to 127 threads concurrently; once that limit is reached, the main imix thread blocks until a running thread finishes. Every callback interval, imix queries each active thread for new output and relays it to the C2. This means even long-running tasks report their status incrementally as new data comes in, rather than only when they complete.
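To make the polling model concrete, here is an added example (not Imix's own task code) of a bounded task pool in Rust: each task runs on its own thread and writes lines into a channel, and on every callback tick the pool drains whatever each task has produced so far without blocking, so partial output from a long-running task is relayed while it is still running. Unlike the documented behaviour of blocking at the limit, this version refuses a new task when the pool is full so the caller can decide what to do; `TaskPool`, `MAX_TASKS`, `MAX_LINES_PER_TICK` and the `spawn`/`drain` API are illustrative names.

```rust
// Added example, not the Imix source. A bounded pool of task threads whose output is
// collected incrementally on each callback tick. Names are illustrative.
use std::sync::mpsc::{channel, Receiver, Sender, TryRecvError};
use std::thread::{self, JoinHandle};
use std::time::Duration;

/// The concurrency limit stated in the documentation.
pub const MAX_TASKS: usize = 127;
/// Upper bound on lines taken from one task per tick, so a chatty task cannot stall the tick.
pub const MAX_LINES_PER_TICK: usize = 1024;

struct Task {
    id: u64,
    rx: Receiver<String>,
    handle: Option<JoinHandle<()>>,
}

pub struct TaskPool {
    max: usize,
    next_id: u64,
    tasks: Vec<Task>,
}

impl TaskPool {
    pub fn new(max: usize) -> Self {
        TaskPool { max, next_id: 1, tasks: Vec::new() }
    }

    /// Start `work` on its own thread. Refuses (rather than blocks) when the pool is full;
    /// finished tasks are reaped by `drain`, so a full pool frees up at the next tick.
    pub fn spawn<F>(&mut self, work: F) -> Result<u64, String>
    where
        F: FnOnce(Sender<String>) + Send + 'static,
    {
        if self.tasks.len() >= self.max {
            return Err(format!("task limit of {} reached", self.max));
        }
        let id = self.next_id;
        self.next_id += 1;
        let (tx, rx) = channel();
        let handle = thread::spawn(move || work(tx));
        self.tasks.push(Task { id, rx, handle: Some(handle) });
        Ok(id)
    }

    /// One callback tick: collect what each task has produced so far, never blocking.
    /// A task is finished once its sender is dropped (the thread returned or panicked);
    /// buffered lines are still returned before `Disconnected`, so nothing is lost.
    pub fn drain(&mut self) -> Vec<(u64, String)> {
        let mut out = Vec::new();
        self.tasks.retain_mut(|t| {
            for _ in 0..MAX_LINES_PER_TICK {
                match t.rx.try_recv() {
                    Ok(line) => out.push((t.id, line)),
                    Err(TryRecvError::Empty) => return true, // still running, nothing new
                    Err(TryRecvError::Disconnected) => {
                        if let Some(h) = t.handle.take() {
                            let _ = h.join();
                        }
                        return false; // done: drop the task and free its slot
                    }
                }
            }
            true // produced a full batch; the remainder is picked up next tick
        });
        out
    }

    pub fn active(&self) -> usize {
        self.tasks.len()
    }
}

fn main() {
    let mut pool = TaskPool::new(MAX_TASKS);
    // Constructed long-running task: emits a line, then works for a while, three times.
    pool.spawn(|tx| {
        for i in 0..3 {
            let _ = tx.send(format!("step {i} complete"));
            thread::sleep(Duration::from_millis(50));
        }
    })
    .unwrap();
    while pool.active() > 0 {
        for (id, line) in pool.drain() {
            println!("task {id}: {line}"); // would be relayed to the C2 here
        }
        thread::sleep(Duration::from_millis(100)); // stands in for IMIX_CALLBACK_INTERVAL
    }
}
```

The per-tick cap matters operationally: without it a task that floods output would keep `try_recv` returning `Ok` indefinitely and delay the callback for every other task.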
Proxy support
Imix's default `grpc` transport supports HTTP and HTTPS proxies for outbound communication.
By default imix will try to determine the system's proxy settings:
- On Linux, by reading the environment variables `http_proxy` and then `https_proxy`
- On Windows, the default proxy cannot be determined automatically
- On MacOS, the default proxy cannot be determined automatically
- On FreeBSD, the default proxy cannot be determined automatically
On platforms where the proxy cannot be detected, set `IMIX_PROXY_URI` at build time (see Configuration) if outbound traffic must go through a proxy.
Identifying unique hosts
Imix communicates which host it's on to Tavern, enabling operators to reliably perform per-host actions. The default way imix does this is through a file on disk. We recognize that this may be undesirable in many situations, so we've also provided an environment override and made it easy for admins managing a realm deployment to change how the bot determines uniqueness.
Imix uses the `host_unique` library under `implants/lib/host_unique` to determine which host it's on. The `id` function fails over through all available options, returning the first successful ID. If a method is unable to determine the uniqueness of a host it should return `None`.
We recommend that you use the `File` selector for the most reliability:
- Exists across reboots
- Guaranteed to be unique per host (because the bot creates it)
- Can be used by multiple instances of the beacon on the same host.
If you cannot use the `File` selector we highly recommend manually setting the `Env` selector with the `IMIX_HOST_ID` environment variable (set at build time, see Configuration). This overrides the `File` selector, avoiding writes to disk, but the IDs must then be managed by the operators.
If all uniqueness selectors fail, imix will randomly generate a UUID to avoid crashing. This isn't ideal, as in the UI each new beacon will appear as though it were on a new host.
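The failover described above, as an added example that is not the `host_unique` library's code: a chain of selectors tried in the recommended order (`Env` override first, then `File`), where each returns `None` when it cannot establish identity and the resolver falls back to a random UUID only when every selector fails. The `File` selector reports failure when it cannot persist the ID (read-only filesystem, no permission), since an ID it cannot write back is not stable across runs. `HostIdSelector`, `EnvSelector`, `FileSelector`, `resolve_host_id` and the std-only `random_uuid_v4` stand-in are assumptions for illustration.

```rust
// Added example, not the host_unique library. A failover chain of host-ID selectors
// with a random-UUID fallback. Names are illustrative; random_uuid_v4 is a std-only
// stand-in for a real UUID v4 generator.
use std::collections::hash_map::RandomState;
use std::fs;
use std::hash::{BuildHasher, Hasher};
use std::path::PathBuf;
use std::time::{SystemTime, UNIX_EPOCH};

pub trait HostIdSelector {
    /// Return None when this method cannot determine the host's identity.
    fn id(&self) -> Option<String>;
}

/// Operator-managed override (the role IMIX_HOST_ID plays). Nothing is written to disk.
pub struct EnvSelector {
    pub var: String,
}

impl HostIdSelector for EnvSelector {
    fn id(&self) -> Option<String> {
        std::env::var(&self.var)
            .ok()
            .map(|v| v.trim().to_string())
            .filter(|v| !v.is_empty())
    }
}

/// Persistent file: created on first run, then reused across reboots and shared by
/// every beacon instance on the host.
pub struct FileSelector {
    pub path: PathBuf,
}

impl HostIdSelector for FileSelector {
    fn id(&self) -> Option<String> {
        if let Ok(existing) = fs::read_to_string(&self.path) {
            let existing = existing.trim().to_string();
            if !existing.is_empty() {
                return Some(existing);
            }
        }
        let fresh = random_uuid_v4();
        // If the write fails this selector cannot guarantee a stable ID, so report
        // failure and let the chain fall through.
        fs::write(&self.path, &fresh).ok().map(|_| fresh)
    }
}

/// First selector that succeeds wins. If all fail, a random UUID keeps the beacon
/// running; the boolean tells the caller whether the ID is stable or a one-off.
pub fn resolve_host_id(selectors: &[Box<dyn HostIdSelector>]) -> (String, bool) {
    for s in selectors {
        if let Some(id) = s.id() {
            return (id, true);
        }
    }
    (random_uuid_v4(), false)
}

/// Std-only stand-in for a UUID v4 generator: 128 bits drawn from the process's randomly
/// keyed hasher mixed with the clock, then formatted with the version-4 and RFC 4122
/// variant markers. Use a real CSPRNG-backed generator in production code.
fn random_uuid_v4() -> String {
    let nanos = SystemTime::now()
        .duration_since(UNIX_EPOCH)
        .map(|d| d.as_nanos())
        .unwrap_or(0);
    let mut bits = [0u64; 2];
    for (i, b) in bits.iter_mut().enumerate() {
        let mut h = RandomState::new().build_hasher();
        h.write_u128(nanos);
        h.write_usize(i);
        *b = h.finish();
    }
    let hi = (bits[0] & 0xFFFF_FFFF_FFFF_0FFF) | 0x0000_0000_0000_4000; // version nibble = 4
    let lo = (bits[1] & 0x3FFF_FFFF_FFFF_FFFF) | 0x8000_0000_0000_0000; // variant bits = 10
    format!(
        "{:08x}-{:04x}-{:04x}-{:04x}-{:012x}",
        hi >> 32,
        (hi >> 16) & 0xFFFF,
        hi & 0xFFFF,
        lo >> 48,
        lo & 0xFFFF_FFFF_FFFF
    )
}

fn main() {
    let chain: Vec<Box<dyn HostIdSelector>> = vec![
        Box::new(EnvSelector { var: "IMIX_HOST_ID".to_string() }),
        Box::new(FileSelector { path: std::env::temp_dir().join("imix_host_id_example") }),
    ];
    let (id, stable) = resolve_host_id(&chain);
    println!("host id {id} (stable: {stable})");
}
```

The `(id, stable)` pair is the practical point: a beacon that fell through to the random fallback is the one that will show up as a fresh host on every check-in, and surfacing that flag lets the operator notice before the UI fills with phantom hosts.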
Static cross compilation
Linux
```sh
rustup target add x86_64-unknown-linux-musl
sudo apt update
sudo apt install musl-tools
cd realm/implants/imix/
RUSTFLAGS="-C target-feature=+crt-static" cargo build --release --bin imix --target=x86_64-unknown-linux-musl
```
MacOS
MacOS does not support static compilation (https://developer.apple.com/forums/thread/706419).
Cross compilation to MacOS is more involved than we support here; see this blog post as a starting point: https://wapl.es/rust/2019/02/17/rust-cross-compile-linux-to-macos.html/
Windows
```sh
rustup target add x86_64-pc-windows-gnu
sudo apt update
sudo apt install gcc-mingw-w64
# Build imix
cd realm/implants/imix/
# Build imix.exe
RUSTFLAGS="-C target-feature=+crt-static" cargo build --release --target=x86_64-pc-windows-gnu
# Build imix.svc.exe
RUSTFLAGS="-C target-feature=+crt-static" cargo build --release --features win_service --target=x86_64-pc-windows-gnu
# Build imix.dll
RUSTFLAGS="-C target-feature=+crt-static" cargo build --release --lib --target=x86_64-pc-windows-gnu
```