zer0DAYSlater is a modular, offline-capable red-team research framework built to simulate advanced adversarial behavior, analyze persistence models, and test multilayer exfiltration and evasion techniques in isolated lab networks.
It combines a command-and-control mesh, multi-protocol exfiltration modules, agent lifecycle management, and process-level concealment mechanisms into a unified experimental platform for understanding the operational lifecycle of modern intrusion tooling.
The framework is built purely for authorized security research, red-team development, and training within controlled environments.
GitHub Repository: https://github.com/GnomeMan4201/zer0DAYSlater
Architecture Overview
1. Agent Subsystem (agent/)
Implements autonomous node behavior. Each agent instance acts as an independent research implant capable of channel negotiation, persistence testing, and data exfil emulation.
All agent routines operate in isolated, user-initiated sessions. There is no self-replication, autonomous network propagation, or unauthorized execution logic.
- agent_core.py: Base runtime that initializes communication channels, handles task dispatching, and maintains heartbeat state.
- ghost_daemon.py: Background controller supporting daemonized operation for long-running simulations.
- sandbox_check.py: Performs environment fingerprinting and sandbox detection to trigger evasive responses.
- advanced_evasion.py: Implements timing jitter, sleep obfuscation, and selective call delay for anti-analysis scenarios.
- mtls_plugin_fetcher.py / plugin_fetcher.py: Retrieve encrypted modules or plugins over mutually authenticated TLS or a local channel.
- kill_switch.py: Controlled termination and cleanup mechanism for reversing persistence or wiping volatile state.
- session_memory.py / session_replay.py: Manage transient state and simulated session recovery for controlled re-execution tests.
- session_exfil_main.py: Handles outbound exfil simulation workflows (delegated to the core/ exfil modules).
2. Core Exfiltration Layer (core/)
Implements multiple exfiltration transports for protocol-level evasion experiments.
- exfil_dns.py: Encapsulates data within DNS TXT query streams for covert tunneling simulations.
- exfil_icmp.py: Demonstrates payload movement over ICMP echo requests (for controlled lab use).
- exfil_https.py: Uses HTTPS POST blending with common user agents for realistic exfil emulation.
- exfil_mqtt.py: Tests message-broker exfil patterns via MQTT for IoT threat modeling.
- ws_client.py: Provides a WebSocket client for persistent command channels and bidirectional streaming.
- adaptive_channel_manager.py: Dynamically selects viable channels based on environmental reachability or sandbox policy.
This layer abstracts data movement so that researchers can measure detection surface differences between protocols without modifying agent code.
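The detection-surface comparison above is easiest to see with the DNS transport, because the data has to be visible in the query name. The following is an added example, not code from zer0DAYSlater: it encodes a payload into RFC 1035-compliant query names the way a DNS tunnel does, decodes them back, and scores each name with the kind of heuristic a resolver-log analyst would apply. The zone name, labels-per-name, and the scoring thresholds are assumptions chosen for illustration, not project defaults.

```python
"""Added example (not zer0DAYSlater code): DNS-name encoding of a payload
beside a defender-side scorer, so the encoding and the detection surface it
creates can be compared directly.

Assumptions: ZONE, labels_per_name and the thresholds in score_query() are
illustrative choices, not values taken from the project."""
from __future__ import annotations

import base64
import math
from collections import Counter

MAX_LABEL = 63   # RFC 1035: one label is at most 63 characters
MAX_NAME = 253   # RFC 1035: a full name in text form is at most 253 characters
ZONE = "tunnel.lab.example"   # assumed lab zone


def encode_for_dns(data: bytes, zone: str = ZONE, labels_per_name: int = 2) -> list[str]:
    """Return one query name per chunk: <seq>.<label>[.<label>].<zone>.

    Base32 rather than base64 because DNS names are case-insensitive and a
    resolver may lowercase them; padding is stripped and restored on decode.
    """
    text = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    chunk = labels_per_name * MAX_LABEL
    names = []
    for seq, start in enumerate(range(0, len(text), chunk)):
        piece = text[start:start + chunk]
        labels = [piece[i:i + MAX_LABEL] for i in range(0, len(piece), MAX_LABEL)]
        name = ".".join([f"{seq:06x}", *labels, zone])
        if len(name) > MAX_NAME:
            raise ValueError("zone too long for the label budget")
        names.append(name)
    return names


def decode_from_dns(names: list[str], zone: str = ZONE) -> bytes:
    """Reassemble the payload from names in any order; ignore names outside the zone."""
    suffix = "." + zone
    pieces: dict[int, str] = {}
    for name in names:
        if not name.endswith(suffix):
            continue
        seq, _, payload = name[: -len(suffix)].partition(".")
        pieces[int(seq, 16)] = payload.replace(".", "")
    text = "".join(pieces[k] for k in sorted(pieces)).upper()
    text += "=" * (-len(text) % 8)   # restore base32 padding
    return base64.b32decode(text)


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def score_query(name: str) -> dict:
    """Heuristic score for a single query name as seen in resolver logs.

    Flags a name when any label is suspiciously long, or when the part left of
    the registrable domain is both long and high-entropy. Thresholds are assumed
    for this example; a real deployment baselines them on its own traffic.
    """
    labels = name.lower().rstrip(".").split(".")
    subdomain = "".join(labels[:-2])   # approximation: drop the last two labels
    longest = max((len(lbl) for lbl in labels), default=0)
    entropy = shannon_entropy(subdomain)
    flagged = longest >= 40 or (len(subdomain) >= 40 and entropy >= 3.8)
    return {"longest_label": longest, "subdomain_len": len(subdomain),
            "entropy": round(entropy, 2), "flagged": flagged}


if __name__ == "__main__":
    # Constructed sample payload and benign names, not captured traffic.
    sample = b"lab secret: nothing to see here " * 4
    tunnel_names = encode_for_dns(sample)
    for n in tunnel_names + ["www.example.com", "cdn-assets-01.static.example.net"]:
        print(score_query(n), n[:60])
    print(decode_from_dns(tunnel_names) == sample)
```

The scorer deliberately does not know the zone: the long-label rule alone catches the two-label chunks, which is why tunnels that want to evade it shrink their labels and pay for it in query volume, a trade-off the page's per-protocol comparison is meant to expose.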
3. Persistence and Process Layer
- persistence.py: Contains hooks for testing local persistence and startup injection methods (lab-restricted).
- process_cloak.py / process_doppelganger.py: Demonstrate process hollowing and memory-mapped cloning concepts in a controlled environment.
- memory_loader.py: Loads encrypted payloads or shellcode directly into memory for non-disk testing, eliminating file artifacts.
- lateral.py: Prototype for lateral movement orchestration, leveraging peer authentication and token exchange.
All persistence and process modules are designed to simulate behaviors, not weaponize them, enabling safe study of anti-forensic signatures under lab containment. All potentially invasive operations, such as process hollowing or in-memory loading, execute only on test data or simulated handles within sandboxed contexts.
4. C2 and Communication Infrastructure (tools/)
Implements a local command-and-control simulation stack supporting HTTPS and WebSocket transport layers for controlled red-team emulation.
- c2_server.py / c2_ws_server.py: Python-based control servers supporting HTTPS and WebSocket interaction models.
- task_dispatcher.py: Queues and distributes tasks to connected agents for test scenarios.
- plugin_encryptor.py: Utility to encrypt/decrypt plugins used by agents for secure modular extension.
- loot_tagger.py, loot_report_pdf.py, mission_report.py: Generate structured reporting artifacts summarizing test runs, loot categorization, and PDF output for red-team after-action reviews.
- shellcode_loader.py: Demonstrates injection or execution of binary payloads within the research context.
Together, these tools allow a single researcher or team to emulate full red-team campaigns entirely offline: control, exfiltration, persistence, and reporting.
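A tasking queue of the kind task_dispatcher.py is described as providing has one failure mode worth designing for: an agent checks a task out and then never reports back (killed, sandboxed, or simply offline). The following is an added example, not code from zer0DAYSlater, showing a dispatcher that leases tasks to agents on check-in, re-queues a task whose lease expires, and parks it after a fixed number of attempts so a dead task cannot spin forever. Class and field names, the lease length and the attempt limit are assumptions for the example.

```python
"""Added example (not zer0DAYSlater code): per-agent task queues with leases.

A task is handed out on agent check-in and held under a lease; if the agent
does not complete it before the lease expires it goes back to the front of
that agent's queue, up to max_attempts, after which it is parked in `dead`.
Names, lease length and attempt limit are assumptions for this example."""
from __future__ import annotations

import time
import uuid
from collections import deque
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Task:
    task_id: str
    agent_id: str
    command: str
    attempts: int = 0
    leased_until: Optional[float] = None


class TaskDispatcher:
    def __init__(self, lease_seconds: float = 30.0, max_attempts: int = 3,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.lease_seconds = lease_seconds
        self.max_attempts = max_attempts
        self.clock = clock                      # injectable for deterministic tests
        self._queues: dict[str, deque[Task]] = {}
        self._leased: dict[str, Task] = {}
        self.completed: dict[str, str] = {}
        self.dead: list[Task] = []

    def submit(self, agent_id: str, command: str) -> str:
        task = Task(uuid.uuid4().hex, agent_id, command)
        self._queues.setdefault(agent_id, deque()).append(task)
        return task.task_id

    def checkout(self, agent_id: str) -> Optional[Task]:
        """Called on agent check-in: expire stale leases, then hand out the next task."""
        self.reap_expired()
        queue = self._queues.get(agent_id)
        if not queue:
            return None
        task = queue.popleft()
        task.attempts += 1
        task.leased_until = self.clock() + self.lease_seconds
        self._leased[task.task_id] = task
        return task

    def complete(self, task_id: str, result: str) -> bool:
        """Accept a result only for a task still under lease; late or duplicate results are dropped."""
        task = self._leased.pop(task_id, None)
        if task is None:
            return False
        self.completed[task_id] = result
        return True

    def reap_expired(self) -> int:
        """Return expired leases to their queues (retry first) or park them after max_attempts."""
        now = self.clock()
        expired = [t for t in self._leased.values() if t.leased_until is not None and t.leased_until <= now]
        for task in expired:
            del self._leased[task.task_id]
            if task.attempts >= self.max_attempts:
                self.dead.append(task)
            else:
                self._queues[task.agent_id].appendleft(task)
        return len(expired)


if __name__ == "__main__":
    d = TaskDispatcher(lease_seconds=5.0)
    tid = d.submit("agent-1", "hostname")
    print(d.checkout("agent-1"))
    print(d.complete(tid, "lab-host-01"), d.completed)
```

Dropping results for tasks that are no longer leased is the important detail: it keeps a slow agent's late answer from overwriting the result of the retry that already succeeded.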
5. Interface and Dashboard
- tui_dashboard.py: Text-based UI for interactive control of agent sessions, telemetry viewing, and campaign status.
- llm_command_parser.py: Experimental component for translating natural-language commands into structured task instructions for the C2 engine.
- omega_campaign.sh / install_omega.sh: Shell automation for deploying a full simulated campaign environment and provisioning agents.
6. Auxiliary Components
- proxy_fallback_check.py: Detects proxy-enforced environments and adjusts communication parameters.
- peer_auth.py: Handles cryptographic token exchange between peers in mesh scenarios.
- config.py: Centralized configuration: key material, default C2 endpoints, encryption settings, and environment flags.
- loot_log.README / keys.README: Documentation for loot handling and cryptographic key storage practices.
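The page says peer_auth.py does cryptographic token exchange between mesh peers but not how. The following is an added example, not zer0DAYSlater's own protocol: a mutual challenge-response over a pre-shared key using HMAC-SHA256, in which each tag binds both nonces and the responder's identity (so a tag cannot be reflected back to its sender), tags are compared in constant time, and a nonce cache rejects a replayed response within its validity window. Message layout, field names and the 30-second window are assumptions for the example.

```python
"""Added example (not zer0DAYSlater code): HMAC challenge-response peer
authentication with reflection and replay protection.

Exchange (both directions share one pre-shared key):
    A -> B : id_A, nonce_A
    B -> A : id_B, nonce_B, HMAC(k, "resp" | id_B | nonce_A | nonce_B)
    A -> B : HMAC(k, "resp" | id_A | nonce_B | nonce_A)
The layout, names and window are assumptions for this example."""
from __future__ import annotations

import hashlib
import hmac
import os
import time
from typing import Callable


class Peer:
    def __init__(self, peer_id: str, psk: bytes,
                 clock: Callable[[], float] = time.time, window: float = 30.0) -> None:
        self.peer_id = peer_id
        self.psk = psk
        self.clock = clock
        self.window = window
        self._seen: dict[bytes, float] = {}   # responder nonce -> expiry of the replay guard

    def _tag(self, *parts: bytes) -> bytes:
        # Length-ambiguous concatenation is avoided by a separator that cannot
        # appear in the fixed-width nonces or the ASCII identities.
        return hmac.new(self.psk, b"\x00".join(parts), hashlib.sha256).digest()

    def challenge(self) -> bytes:
        return os.urandom(16)

    def respond(self, my_nonce: bytes, their_nonce: bytes) -> bytes:
        """Tag over (their challenge, my nonce) bound to my identity."""
        return self._tag(b"resp", self.peer_id.encode(), their_nonce, my_nonce)

    def verify(self, their_id: str, their_nonce: bytes, my_nonce: bytes, tag: bytes) -> bool:
        now = self.clock()
        self._seen = {n: exp for n, exp in self._seen.items() if exp > now}
        if their_nonce in self._seen:
            return False                      # replayed response
        expected = self._tag(b"resp", their_id.encode(), my_nonce, their_nonce)
        if not hmac.compare_digest(expected, tag):
            return False                      # wrong key, wrong identity or tampered
        self._seen[their_nonce] = now + self.window
        return True


def handshake(a: Peer, b: Peer) -> bool:
    """Run the three-message exchange in-process; True only if both sides accept."""
    nonce_a, nonce_b = a.challenge(), b.challenge()
    tag_b = b.respond(my_nonce=nonce_b, their_nonce=nonce_a)
    if not a.verify(b.peer_id, nonce_b, nonce_a, tag_b):
        return False
    tag_a = a.respond(my_nonce=nonce_a, their_nonce=nonce_b)
    return b.verify(a.peer_id, nonce_a, nonce_b, tag_a)


if __name__ == "__main__":
    key = b"lab-psk-0123456789"   # constructed lab key, not a real secret
    print(handshake(Peer("agent-a", key), Peer("agent-b", key)))
    print(handshake(Peer("agent-a", key), Peer("agent-c", b"wrong-psk")))
```

A pre-shared key proves group membership, not individual identity: any peer holding it can claim any id, so this scheme suits a lab mesh with one trust domain, and a per-peer key or certificate is the upgrade when peers must be told apart.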
Operational Characteristics
- Offline Operation: No external dependencies or forced telemetry. Fully self-contained for air-gapped research networks.
- Modular Design: Each subsystem functions independently, allowing selective execution or isolated testing.
- Cryptographic Isolation: Plugin and payload encryption handled locally using symmetric keys defined in config.py.
- Cross-Protocol Testing: Supports DNS, ICMP, HTTPS, MQTT, and WebSocket communication vectors.
- Agent Simulation: Realistic persistence and exfil behaviors without destructive impact.
- Reporting Pipeline: Loot tagging and PDF mission reports for professional documentation of test outcomes.
- Controlled Privilege: No enforced elevation; all modules execute at user level unless explicitly sandboxed.
- Extensible Plugin Architecture: Agents dynamically load encrypted plugins retrieved via mutual TLS or local channel, enabling modular extension and controlled capability testing.
Design Philosophy
zer0DAYSlater follows a philosophy of deterministic adversarial simulation: every module must produce reproducible, measurable results suitable for repeatable lab testing. The framework prioritizes transparency and telemetry over stealth, ensuring that its use improves defenders' visibility rather than diminishing it.
Research and Educational Use
zer0DAYSlater provides an end-to-end environment to study the full adversarial kill chain in a lab setting:
- Deployment: Agent instantiation via memory or file loader.
- Command & Control: Tasking through the C2 or WebSocket server.
- Persistence Simulation: Testing startup and injection techniques.
- Lateral Exploration: Peer discovery and token-based access modeling.
- Exfiltration: Multi-channel data egress and comparative detection analysis.
- Reporting: Automated mission reports and telemetry export.
This makes the framework valuable for red-team operators, security educators, and defenders testing blue-team visibility under controlled adversarial patterns.
Ethical and Legal Statement
zer0DAYSlater is intended strictly for defensive research, authorized red-team exercises, and education.
It does not include automatic exploitation, persistence beyond the local host, or unauthorized remote control capability. All modules are inert and non-exploitative by default, suitable only for controlled lab operation under explicit authorization.
I do not condone or encourage illegal activity of any kind. This framework exists to study adversarial mechanics from a security standpoint, not to deploy them.
Discussions around tools like zer0DAYSlater are often considered taboo because they reveal the uncomfortable truth that understanding offense is essential for effective defense.
Cybersecurity is a dual-use discipline; every capability is a double-edged sword. Knowledge, when shared transparently and ethically, becomes defense. That's why zer0DAYSlater will remain open source: so others can study, audit, and improve the craft of security without crossing ethical boundaries.
Author: GnomeMan4201
Framework: zer0DAYSlater
GitHub: https://github.com/GnomeMan4201/zer0DAYSlater
License: Open Research License (Authorized Use Only)