
Offensive Tool Development

Students develop offensive security capabilities from the ground up, building adversary emulation frameworks using MITRE ATT&CK. The capstone produced Avocado, a powerful C2 framework with Python server and Rust-based stageless implants supporting Windows and Linux.

Project Overview

This capstone program teaches students how to protect and secure corporate networks by developing offensive security capabilities from the ground up. Students build adversary emulation frameworks using the MITRE ATT&CK reference framework, learning defense through offense: they create tooling for bypassing EDRs and AVs, implement post-exploitation techniques, and hunt zero-days to help prevent privilege escalation.

Students learn complex distributed programming for implant software, build tools that bypass modern Endpoint Detection and Response (EDR) software and Anti-Virus solutions, implement unhooking techniques, and develop post-exploitation tradecraft for Windows systems. The program culminates in competing in the Collegiate Penetration Testing Competition (CPTC) using the tooling they have developed.

Avocado C2 Framework

The primary deliverable from this capstone program is Avocado, a powerful Command and Control (C2) framework written in Python with stageless implants in Rust. Avocado's implants run seamlessly on both Linux and Windows, securely communicating with the server via mutual TLS (mTLS).

[Image: Avocado C2 Framework logo]

Architecture & Components

Avocado follows a modular architecture with clear separation between server components, operator interfaces, and implant generation:

  • Python Server: The C2 server is built in Python and handles implant connections, command execution, and operator management. It includes modules for implant handling, operator handling, and mutual TLS authentication.
  • Rust Implants: Stageless implants are compiled in Rust, providing native performance and cross-platform support for both Windows and Linux targets. The implants communicate securely with the server using mTLS.
  • Operator Interfaces: Avocado provides both a command-line interface (CLI) and a graphical user interface (GUI) for operators to interact with the C2 framework, manage implants, and execute commands.
  • Mutual TLS: All communication between implants and the server uses mutual TLS, ensuring both parties authenticate each other and all traffic is encrypted.

How Avocado Works

[Image: Avocado C2 Framework demo]

The framework operates through a streamlined workflow:

  1. Server Startup: The Python server starts and loads various command modules (shell, upload, download, sysinfo, screenshot) and begins listening on configured ports for both API and C2 traffic.
  2. Implant Generation: Operators use the CLI or GUI to generate platform-specific implants (Windows or Linux) configured to connect back to the C2 server. The implants are compiled as stageless executables.
  3. Secure Communication: Once deployed, the implant establishes a secure mTLS connection with the C2 server, authenticating both the client and server certificates.
  4. Command Execution: Operators can interact with connected implants through the operator interface, executing commands, uploading/downloading files, gathering system information, and performing post-exploitation activities.
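The mutual authentication in step 3 (and in the Mutual TLS bullet above), as an added example written in Go rather than Avocado's own Python server or Rust implant code: a throwaway operator CA issues one server certificate and one implant certificate, the server requires a CA-issued client certificate, and a handshake over loopback shows the CA-issued implant being accepted while a client with no certificate is refused. The names avocado-ca, c2.local and implant-001 are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

// issue mints an Ed25519 certificate for name: a self-signed CA when parent is nil, otherwise a leaf signed by that CA.
func issue(name string, eku x509.ExtKeyUsage, parent *tls.Certificate) tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // errors ignored to keep the demo short
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), DNSNames: []string{name}, IsCA: parent == nil,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{eku}}
	if parent == nil { // the CA signs itself
		parent = &tls.Certificate{PrivateKey: priv, Leaf: tmpl}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, pub, parent.PrivateKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
}
// buildConfigs models the PKI the page describes: one operator-held CA issues the server and implant certs, and each side trusts only that CA.
func buildConfigs() (server, implant, noCert *tls.Config) {
	ca, pool := issue("avocado-ca", x509.ExtKeyUsageAny, nil), x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	server = &tls.Config{MinVersion: tls.VersionTLS13, ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert,
		Certificates: []tls.Certificate{issue("c2.local", x509.ExtKeyUsageServerAuth, &ca)}}
	implant = &tls.Config{ServerName: "c2.local", RootCAs: pool,
		Certificates: []tls.Certificate{issue("implant-001", x509.ExtKeyUsageClientAuth, &ca)}}
	noCert = &tls.Config{ServerName: "c2.local", RootCAs: pool} // e.g. a scanner probing the listener
	return
}
// serverVerdict runs one handshake over loopback TCP and returns the server side's outcome (nil = accepted).
func serverVerdict(srv, cli *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return err
	}
	defer ln.Close()
	go tls.Dial("tcp", ln.Addr().String(), cli) // client side; its own view of the handshake is not under test
	conn, err := ln.Accept()
	if err != nil {
		return err
	}
	defer conn.Close()
	return conn.(*tls.Conn).Handshake()
}
```

The same check with a certificate issued by a different CA fails for the same reason as the no-certificate case: the server's ClientCAs pool contains only the operator CA.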

Key Features

  • Cross-platform support for Windows and Linux implants
  • Stageless implant architecture for reduced footprint
  • Secure mTLS communication preventing unauthorized access
  • Modular command system supporting shell execution, file transfer, system enumeration, and more
  • Docker-based deployment for easy setup and portability
  • Both CLI and GUI operator interfaces for different use cases

Team Members

Alexander Roth

Jacqueline Dworaczyk

Erin Ozcan

Raul Dayao

Zaid Usmani

Fahad Alothman

William Bowden

Thad Shinno

Ahmad Saadeddin