[Feature] Creating leave behinds so teams can practice and do IR on what we've done.

[hulto]

Problem

Most teams don't have the ability to practice with a live red team.

solution

To help augment their practices we should build a leave behind to perform automated red teaming. Leveraging eldritch tomes we can build playbooks that perform initial access and deploy payloads in a teams test environment. After each event we can give them an "inital salvo" or "Low hanging fruit" playbook for future practice.

To make this possible eldritch will need to support initial access / deployment / pivoting methods: SSH, SMB, WinRM.
This will also give us the added values of:

• being able to pivot natively in eldritch without OS restrictions (Eg. An agent on a Linux host can pivot to a windows host over SMB)
• Eliminating the need for a worker as we can deploy a imix agent that can handle deploy commands. This is inline with how some frameworks like CobaltStrike handle initial deployment.

A reach goal in this vein: If environments have vulnerable services we could build exploits into the eldritch language to take advantage of those natively. This is a bigger discussion though with many implementation considerations such as whether we want to build exploits in the language or exploit "building blocks". Specifically thinking about common web vulnerabilities and being able to build / modify them on the fly.

Workflow for teams

1. Team installs agent on their local host.
2. Team runs agent in deploy mode with our leave behind tar ball.
3. Imix will perform initial deploy through various access methods: SSH, WinRM, SMB, and potentially exploits.

Additional considerations

if we achieve goals with the realm C2 recording all actions against targets we should be able to export that activity log to a single eldritch tome / bundle and hand that off to teams eliminating the need for red teamers to compile a playbook manually.

TL;DR

Doing:
• Add "access" methods to eldritch such as WinRM, SMB, and SSH.
Gives us:
• Able to give teams a leave behind so they can try detecting the actions we perform.
• Initial deployment written in eldritch
• Ability to ignore the worker concept opting instead to install an agent on our jump box.
• Pivoting using native code

[hulto]

Exploit capability may be achieved through proxying traffic from C2 out the agent host. No need to add eldritch features. Can bring your own exploits.

Downside being lose some integration with the automation and logging.